OpenID Connect Simple Web Discovery 1.0 - draft 01

Abstract

OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmition capability. It allows third party attested claims from distributed sources. The specification suite consists of Core, Protocol Bindings, Dynamic Registration, Discovery, and Extensions. This specification is the "Discovery" part of the suite that defines how user and server endpoints are discovered.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].

Table of Contents

1.  Introduction
2.  Terminology
3.  Discovery
    3.1.  Identifier Normalization
    3.2.  Non-Normative Examples
    3.3.  Redirection
4.  Other Items for Consideration
5.  IANA Considerations
6.  Security Considerations
7.  Acknowledgements
8.  Normative References
§  Authors' Addresses

1.  Introduction

In order for an OpenID client to utilize OpenID services for a user, the client needs to know where the OpenID providers and authorization servers are located. OpenID Connect uses Simple Web Discovery (Jones, M., Ed. and Y. Goland, “Simple Web Discovery,” October 2010.) [SWD] to locate the service endpoints for a end-user. This document describes the OpenID Connect specific parts related to Simple Web Discovery (Jones, M., Ed. and Y. Goland, “Simple Web Discovery,” October 2010.) [SWD].

2.  Terminology

Client

An application obtaining authorization and making protected resource requests.

End-user

A human resource owner.

Principal

A human resource owner that is the target of a request in Simple Web Discovery.

OpenID Provider (OP)

Authorization Servers that are able to support OpenID Connect Messages.

Relying Party (RP)

Client and Resource Servers.

End-User Authorization Endpoint

The Authorization Server's endpoint capable of authenticating the End-User and obtaining authorization.

Client Identifier

An unique identifier that the client uses to identify itself to the OP.

Token Endpoint

The Authorization Server's HTTP endpoint capable of issuing tokens.

OP Endpoints

End-User Authentication, Authorization, and Token Endpoint.

RP Endpoints

The endpoint to which the OP responses are returned through redirect.

UserInfo Endpoint

A protected resource that when presented with a token by the client returns authorized information about the current user.

Identifier

An Identifier is either a "http" or "https" URI, (commonly referred to as a "URL" within this document), or an account URI. This document defines various kinds of Identifiers, designed for use in different contexts.

3.  Discovery

Simple Web Discovery requires the following information to make a discovery request:

• principal - identifier of the target end user who is the subject of the discovery request
• host - server where a Simple Web Discovery service is hosted
• service - URI of the service whose location is requested

OpendID Connect has the following discoverable services:

To start discovery of OpenID end points, the end-user supplies an identifier to the client or relying party. The client performs normalization rules to the identifier to extract the principal and host. Then it makes a HTTPS request the host's Simple Web Discovery endpoint with the principal and service parameters to obtain the location of the requested service.

3.1.  Identifier Normalization

The user identifier can be one of the following:

• Hostname
• Email address
• URL

Identifiers starting with the XRI (Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005.) [XRI_Syntax_2.0] characters ('=','@', and '!') are reserved. Any identifier that contains the character '@' in any other position other than the first position must be treated as an email address.

3.1.1.  Hostname

If the identifier is the hostname, then the hostname is used as both the principal and host in Simple Web Discovery request. This results in a directed identity request.

3.1.2.  Email Address

If the identifier is an email address, the principal is the email address and the host is the portion to the right of the '@' character.

3.1.3.  URL

A URL identifier is normalized according to the following rules:

• If the URL does not have a "http" or "https" scheme, the string "https://" is prefixed to the URL.
• If the URL contains a fragment part, it MUST be stripped off together with the fragment delimiter character "#".
• The resulting URL is used as the principal and the host is extracted from it according to URI (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986] syntax rules.

3.2.  Non-Normative Examples

3.2.1.  Hostname

To find the authorization endpoint for the given hostname, "example.com", the SWD parameters are as follows:

Following the SWD specification, the client would make the following request to get the discovery information:

GET /.well-known/simple-web-discovery?principal=example.com&service=http://openid.net/specs/cc/1.0/auth HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}

3.2.2.  Email Address

To find the authorization endpoint for the given email address, "joe@example.com", the SWD parameters are as follows:

Following the SWD specification, the client would make the following request to get the discovery information:

GET /.well-known/simple-web-discovery?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/auth HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}

3.2.3.  URL

To find the authorization endpoint for the given URL, 'https://example.com/joe", the SWD parameters are as follows:

Following the SWD specification, the client would make the following request to get the discovery information:

GET /.well-known/simple-web-discovery?principal=https://example.com/joe&service=http://openid.net/specs/cc/1.0/auth HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}

3.3.  Redirection

In cases where the SWD request is handled at a host or location other than the one derived from the end-user's identifier, the host will return a JSON object containing the new location.

GET /.well-known/simple-web-discovery?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/auth HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "SWD_service_redirect":
  {
   "location":"https://example.net/swd_server"
  }
}

GET /swd_server?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/auth HTTP/1.1
Host: example.net

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.net/auth"]
}

4.  Other Items for Consideration

1. Add other discoverable service types:
   • End-User Authorization Server Endpoint
   • Token Endpoint
   • RP Endpoint
   • Authorization server
   • Request Registration Endpoint
   • UserInfo Endpoint
2. Delegation
3. Authenticated Discovery
4. Multiple endpoint discovery in a single SWD request.
5. HTTP/HTTPS requirement

5.  IANA Considerations

This document makes no request of IANA.

Note to RFC Editor: this section may be removed on publication as an RFC.

6.  Security Considerations

7.  Acknowledgements

8. Normative References

Authors' Addresses