DotNetOpenAuth/doc/specs/OpenID Connect Core.htm at develop · DotNetOpenAuth/DotNetOpenAuth

This repository was archived by the owner on Mar 20, 2019. It is now read-only.

History

2240 lines (2160 loc) · 115 KB

Raw

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729

730

731

732

733

734

735

736

737

738

739

740

741

742

743

744

745

746

747

748

749

750

751

752

753

754

755

756

757

758

759

760

761

762

763

764

765

766

767

768

769

770

771

772

773

774

775

776

777

778

779

780

781

782

783

784

785

786

787

788

789

790

791

792

793

794

795

796

797

798

799

800

801

802

803

804

805

806

807

808

809

810

811

812

813

814

815

816

817

818

819

820

821

822

823

824

825

826

827

828

829

830

831

832

833

834

835

836

837

838

839

840

841

842

843

844

845

846

847

848

849

850

851

852

853

854

855

856

857

858

859

860

861

862

863

864

865

866

867

868

869

870

871

872

873

874

875

876

877

878

879

880

881

882

883

884

885

886

887

888

889

890

891

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

907

908

909

910

911

912

913

914

915

916

917

918

919

920

921

922

923

924

925

926

927

928

929

930

931

932

933

934

935

936

937

938

939

940

941

942

943

944

945

946

947

948

949

950

951

952

953

954

955

956

957

958

959

960

961

962

963

964

965

966

967

968

969

970

971

972

973

974

975

976

977

978

979

980

981

982

983

984

985

986

987

988

989

990

991

992

993

994

995

996

997

998

999

1000

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><HTML

lang="en"><HEAD><TITLE>Draft: OpenID Connect Core 1.0 - draft 04</TITLE>

<STYLE type="text/css"><!--

body {

font-family: verdana, charcoal, helvetica, arial, sans-serif;

font-size: small; color: #000; background-color: #FFF;

margin: 2em;

}

h1, h2, h3, h4, h5, h6 {

font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;

font-weight: bold; font-style: normal;

}

h1 { color: #900; background-color: transparent; text-align: right; }

h3 { color: #333; background-color: transparent; }

td.RFCbug {

font-size: x-small; text-decoration: none;

width: 30px; height: 30px; padding-top: 2px;

text-align: justify; vertical-align: middle;

background-color: #000;

}

td.RFCbug span.RFC {

font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;

font-weight: bold; color: #666;

}

td.RFCbug span.hotText {

font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;

font-weight: normal; text-align: center; color: #FFF;

}

table.TOCbug { width: 30px; height: 15px; }

td.TOCbug {

text-align: center; width: 30px; height: 15px;

color: #FFF; background-color: #900;

}

td.TOCbug a {

font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;

font-weight: bold; font-size: x-small; text-decoration: none;

color: #FFF; background-color: transparent;

}

td.header {

font-family: arial, helvetica, sans-serif; font-size: x-small;

vertical-align: top; width: 33%;

color: #FFF; background-color: #666;

}

td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }

td.author-text { font-size: x-small; }

/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */

a.info {

/* This is the key. */

position: relative;

z-index: 24;

text-decoration: none;

}

a.info:hover {

z-index: 25;

color: #FFF; background-color: #900;

}

a.info span { display: none; }

a.info:hover span.info {

/* The span will display just on :hover state. */

display: block;

position: absolute;

font-size: smaller;

top: 2em; left: -5em; width: 15em;

padding: 2px; border: 1px solid #333;

color: #900; background-color: #EEE;

text-align: left;

}

a { font-weight: bold; }

a:link { color: #900; background-color: transparent; }

a:visited { color: #633; background-color: transparent; }

a:active { color: #633; background-color: transparent; }

p { margin-left: 2em; margin-right: 2em; }

p.copyright { font-size: x-small; }

p.toc { font-size: small; font-weight: bold; margin-left: 3em; }

table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }

td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }

ol.text { margin-left: 2em; margin-right: 2em; }

ul.text { margin-left: 2em; margin-right: 2em; }

li { margin-left: 3em; }

/* RFC-2629 <spanx>s and <artwork>s. */

em { font-style: italic; }

strong { font-weight: bold; }

dfn { font-weight: bold; font-style: normal; }

cite { font-weight: normal; font-style: normal; }

tt { color: #036; }

tt, pre, pre dfn, pre em, pre cite, pre span {

font-family: "Courier New", Courier, monospace; font-size: small;

}

pre {

text-align: left; padding: 4px;

color: #000; background-color: #CCC;

}

pre dfn { color: #900; }

pre em { color: #66F; background-color: #FFC; font-weight: normal; }

pre .key { color: #33C; font-weight: bold; }

pre .id { color: #900; }

pre .str { color: #000; background-color: #CFF; }

pre .val { color: #066; }

pre .rep { color: #909; }

pre .oth { color: #000; background-color: #FCF; }

pre .err { background-color: #FCC; }

/* RFC-2629 <texttable>s. */

table.all, table.full, table.headers, table.none {

font-size: small; text-align: center; border-width: 2px;

vertical-align: top; border-collapse: collapse;

}

table.all, table.full { border-style: solid; border-color: black; }

table.headers, table.none { border-style: none; }

th {

font-weight: bold; border-color: black;

border-width: 2px 2px 3px 2px;

}

table.all th, table.full th { border-style: solid; }

table.headers th { border-style: none none solid none; }

table.none th { border-style: none; }

table.all td {

border-style: solid; border-color: #333;

border-width: 1px 2px;

}

table.full td, table.headers td, table.none td { border-style: none; }

hr { height: 1px; }

hr.insert {

width: 80%; border-style: none; border-width: 0;

color: #CCC; background-color: #CCC;

}

--></STYLE>

</HEAD>

<BODY>

<TBODY>

<TR>

<TABLE border="0" cellSpacing="0" summary="layout" cellPadding="0"

width="66%"><TBODY>

<TR>

<TD>

<TBODY>

<TR>

<TD class="header">Draft</TD>

<TD class="header">N. Sakimura, Ed.</TD></TR>

<TR>

<TR>

<TD class="header">D. Recordon</TD></TR>

<TR>

<TD class="header">Facebook</TD></TR>

<TR>

<TD class="header">J. Bradeley</TD></TR>

<TR>

<TD class="header">Protiviti Government Services</TD></TR>

<TR>

<TD class="header">B. de Madeiros</TD></TR>

<TR>

<TD class="header">Google</TD></TR>

<TR>

<TD class="header">M. Jones</TD></TR>

<TR>

<TD class="header">Microsoft</TD></TR>

<TR>

<TR>

<TR>

</TBODY></TABLE></TD></TR></TBODY></TABLE>

<H1><BR>OpenID Connect Core 1.0 - draft 04</H1>

<H3>Abstract</H3>

<P>OpenID Connect is an identity framework that provides authentication,

authorization, and attribute transmition capability. It allows third party

attested claims from distributed sources. The specification suite consists

of Building Blocks (Core, JSON Web Token, JSON Web Signatures, JSON WEB

Encryption, JSON Web Keys, Simple Web Discovery), Protocol Bindings (e.g,

Artifact Binding, Web App Binding, User Agent Binding) and Extensions. This

specification is the "Core" of the suite that defines the messages used and

abstract flow which will be further constrained or extended in the

companion specifications in the suite.</P><A name="toc"></A><BR>

<HR>

<H3>Table of Contents</H3>

Requirements Notation and Conventions<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#terminology">2.</A> 

Terminology<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor1">3.</A> 

Overview<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor2">4.</A> 

Messages<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor3">4.1.</A> 

Authorization Endpoint<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor7">4.2.</A> 

Token Endpoint<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor11">4.3.</A> 

UserInfo Endpoint<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor15">4.4.</A> 

Session Management Endpoints<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#serializations">5.</A> 

serializations<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#qss">5.1.</A> 

Query String serialization<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#js">5.2.</A> 

JSON Serialization<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor19">5.3.</A> 

Conversions of OpenID 2.0 encodings<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#sigs">6.</A> 

Signatures<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#encryption">7.</A> 

Encryption<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor23">8.</A> 

Requests and Responses<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor24">9.</A> 

Verification<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor25">9.1.</A> 

Authorization Request Verification<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor26">9.2.</A> 

Authorization Response Verification<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor27">9.3.</A> 

UserInfo Request Verification<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor28">9.4.</A> 

UserInfo Response Verification<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#extensions">10.</A> 

Extensions<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#security_considerations">11.</A> 

Security Considerations<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_manufacture">11.1.</A> 

Assertion manufacture/modification<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_disclosure">11.2.</A> 

Assertion disclosure<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_repudiation">11.3.</A> 

Assertion repudiation<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_redirect">11.4.</A> 

Assertion redirect<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_reuse">11.5.</A> 

Assertion reuse<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#artifact_manufacture">11.6.</A> 

Secondary authenticator manufacture<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#artifact_capture">11.7.</A> 

Secondary authenticator capture<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#assertion_substitution">11.8.</A> 

Assertion substitution<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#auth_req_disclosure">11.9.</A> 

Authentication Request Disclosure<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor29">11.10.</A> 

Timing Attack<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#authn_proc_threats">11.11.</A> 

Authentication Process Threats<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#iana">12.</A> 

IANA Considerations<BR>    <A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#oauth_params">12.1.</A> 

OAuth Parameters Registry<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor30">13.</A> 

Open Issues and Things To Be Done (TBD)<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor31">Appendix A.</A> 

Acknowledgements<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#anchor32">Appendix B.</A> 

Document History<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#rfc.references1">14.</A> 

Normative References<BR><A href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#rfc.authors">§</A> 

Authors' Addresses<BR></P><BR clear="all"><A name="rnc"></A><BR>

<HR>

<TBODY>

<TR>

<H3>1.  Requirements Notation and Conventions</H3>

<P>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

document are to be interpreted as described in <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#RFC2119">[RFC2119]<SPAN>

(</SPAN><SPAN class="info">Bradner, S., “Key words for use in RFCs to Indicate

Requirement Levels,” March 1997.</SPAN><SPAN>)</SPAN></A> .</P>

<P>Throughout this document, values are quoted to indicate that they are to

be taken literally. When using these values in protocol messages, the

quotes MUST NOT be used as part of the value.</P><A name="terminology"></A><BR>

<HR>

<TBODY>

<TR>

<H3>2.  Terminology</H3>

<P></P>

<DL>

<DT>Protected Resource</DT>

<DD>An access-restricted resource which can be obtained using an

OAuth-authenticated request.</DD>

<DT>Resource Server</DT>

<DD>A server capable of accepting and responding to protected

resource requests.</DD>

<DT>Client</DT>

<DD>An application obtaining authorization and making protected

resource requests on behalf of the resource owner and with its

authorization.</DD>

<DT>Resource Owner</DT>

<DD>An entity capable of granting access to a protected resource.

When the resource owner is a person, it is referred to as an

End-user.</DD>

<DD>A human resource owner.</DD>

<DT>Authentication</DT>

<DD>An act of verifying End-User's identity through the

verification of the credential.</DD>

<DT>Access Token</DT>

<DD>A string representing an access authorization issued to the

client. The string is usually opaque to the client. Tokens

represent specific scopes and durations of access, granted by the

resource owner, and enforced by the resource server and

authorization servers.</DD>

<DT>Refresh Token</DT>

<DD>A token used by the client to obtain a new access token without

having to involve the resource owner.</DD>

<DT>Authorization Code</DT>

<DD>A short-lived token representing the authorization provided by

the end-user. The authorization code is used to obtain an access

token and a refresh token.</DD>

<DT>Authorization Grant</DT>

<DD>A general term used to describe the intermediate credentials

(such as an end-user password or authorization code) representing

the resource owner authorization. Access grants are used by the

client to obtain an access token. By exchanging access grants of

different types for an access token, the resource server is only

required to support a single authentication scheme.</DD>

<DT>Authorization Server</DT>

<DD>A server capable of authenticating the resource owner and

issuing tokens after obtaining authorization from the authenticated

Resource Owner. The authorization server may be the same server as

Resource Server or a separate entity. A single authorization server

may issue tokens for multiple resource servers.</DD>

<DT>OpenID Provider (OP)</DT>

<DD>Authorization Servers that are able to support OpenID Connect

Messages.</DD>

<DT>Relying Party (RP)</DT>

<DD>Client and Resource Servers.</DD>

<DT>Authorization Endpoint</DT>

<DD>The Authorization Server's endpoint capable of authenticating

the End-User and obtaining authorization.</DD>

<DT>Client Identifier</DT>

<DD>An unique identifier that the client to identify itself to the

OP.</DD>

<DT>Client Secret</DT>

<DD>A shared secret established between the OP and client.</DD>

<DT>Token Endpoint</DT>

<DD>The Authorization Server's HTTP endpoint capable of issuing

tokens.</DD>

<DT>OP Endpoints</DT>

<DD>End-User Authentication, Authorization, and Token Endpoint.

</DD>

<DT>RP Endpoints</DT>

<DD>The endpoint to which the OP responses are returned through

redirect.</DD>

<DT>UserInfo Endpoint</DT>

<DD>A protected resource that when presented with a token by the

client returns authorized information about the current user.</DD>

<DT>Claims</DT>

<DD>A statement that something is true or factual.</DD>

<DT>Assertion</DT>

<DD>A set of Claims about the End-User which is attested by the OP

and Resource Servers.</DD>

<DT>Compact Serialization</DT>

<DD>Compact Serialization defined in <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#jwt">JSON

Web Token<SPAN> (</SPAN><SPAN class="info">Jones, M., Belfanz, D., Bradeley,

J., Goland, Y., Panzer, J., Sakimura, N., and P. Tarjan, “JSON Web Token,”

January 2011.</SPAN><SPAN>)</SPAN></A> [jwt].</DD>

<DD>Base 64 Encoding <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#RFC3548">[RFC3548]<SPAN>

(</SPAN><SPAN class="info">Josefsson, S., “The Base16, Base32, and Base64

Data Encodings,” July 2003.</SPAN><SPAN>)</SPAN></A> with URL

and Filename Safe Alphabet without padding.</DD></DL></BLOCKQUOTE>

<HR>

<TBODY>

<TR>

<H3>3.  Overview</H3>

<P>OpenID Connect protocol in abstract follows the following steps.</P>

<P></P>

<LI>The Client sends a request to the Server's End-User Authorization

Endpoint.</LI>

<LI>The Server authenticates the user and obtains appropriate

authorization.</LI>

<LI>The Server responds with access_token and a few other variables.

</LI>

<LI>The Client sends a request with the access_token to the Userinfo

Endpoint.</LI>

<LI>Userinfo Endpoint returns the additional user information

supported by the Server.</LI></OL>

<P>Each message may be signed and encrypted. When the message is encrypted,

it MUST be signed first then encrypted. This specification only defines the

abstract messsage flow and message formats. The actual use MUST base on one

of the companion protocol bindings specifications such as <A class="info"

href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.AB">OpenID

Connect Artifact Binding 1.0<SPAN> (</SPAN><SPAN class="info">Sakimura, N.,

Ed., Bradley, J., de Madeiros, B., Ito, R., and M. Jones, “OpenID Connect

Artifact Binding 1.0,” January 2011.</SPAN><SPAN>)</SPAN></A> [OpenID.AB]

or <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.AC">OpenID

Connect Authorization Code Binding 1.0<SPAN> (</SPAN><SPAN

class="info">Mortimore, C., Ed., Sakimura, N., Bradley, J., de Madeiros, B.,

Ito, R., and M. Jones, “OpenID Connect Authorization Code Binding 1.0,”

January 2011.</SPAN><SPAN>)</SPAN></A> [OpenID.AC].</P><A

name="anchor2"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.  Messages</H3>

<P></P>

<P>In OpenID Connect protocols in abstract, the process proceeds by the

Client interacting with Endpoints. There are number of Endpoints involved.

</P>

<P></P>

<LI>Authorization Endpoint: The Client sends a request to the Server

at the Authorization endpoint. The Server then authenticate the

End-User to find out if he is eligible to make the authorization.

Then, upon the authorization action of the End-User, the Server

returns an Authorization Response that includes Authorization Code,

<TT>code</TT>. For some Clients, Implicit Grant may be used to obtain

<TT>access_token</TT> without using <TT>code</TT>. In this case,

<TT>response_type</TT> MUST be set to <TT>token</TT>.</LI>

<LI>Token Endpoint: The Client sends the Access Token Request to the

Token Endpoint to obtain Access Token Response which includes

<TT>access_token</TT>. </LI>

<LI>UserInfo Endpoint: The <TT>access_token</TT> MAY be used as a

query parameter to obtain user information/assertion/claims about the

user by sending a request to the userinfo endpoint.</LI>

<LI>Session Management Endpoints: The <TT>openid</TT> token MAY be sent to

these endpoints to manage the session. </LI></OL>

<P>Both Request and Response may either be serialized into <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#qss">Query

String serialization<SPAN> (</SPAN><SPAN class="info">Query String

serialization</SPAN><SPAN>)</SPAN></A> or <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#RFC4627">JSON<SPAN>

(</SPAN><SPAN class="info">Crockford, D., “The application/json Media Type for

JavaScript Object Notation (JSON),” July 2006.</SPAN><SPAN>)</SPAN></A>

[RFC4627]. </P>

<HR>

<TBODY>

<TR>

<H3>4.1.  Authorization Endpoint</H3>

<P>Autorization Code Request / Response interacts with Authorization

Endpoint.</P><A name="auth_req"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.1.1.  Authorization Request</H3>

<P>Following is the list of variables to be sent as the top level keys:

</P>

<P></P>

<DL>

<DT>response_type</DT>

<DD>REQUIRED. The parameter value MUST be set to <TT>code</TT>

for requesting an Authorization Code, <TT>token</TT> for

requesting an Access Token. The Authorization Server MAY decline

to provide one or more of these response types.</DD>

<DT>client_id </DT>

<DD>REQUIRED. The client identifier recognized by the

Authorization Server.</DD>

<DT>redirect_uri</DT>

<DD>REQUIRED unless a redirection URI has been established

between the client and authorization server via other means. An

absolute URI to which the authorization server will redirect

the user-agent to when the End-User authorization step is

completed. The authorization server SHOULD require the client

to pre-register their redirection URI.</DD>

<DT>scope</DT>

<DD>OPTIONAL. The scope of the access request expressed as a

list of space-delimited strings. The value of the scope

parameter is defined by the authorization server. If the value

contains multiple space-delimited strings, their order does not

matter, and each string adds an additional access range to the

requested scope. It MUST include <TT>openid</TT> as one of the string.

[[ToDo: Maybe we do not need it, as openid param is required.]]

</DD>

<DT>state</DT>

<DD>OPTIONAL. An opaque value used by the client to maintain

state between the request and callback. The authorization

server includes this value when redirecting the user-agent back

to the client.</DD>

<DT>openid</DT>

<DD>REQUIRED. A JSON object that holds OpenID request

variables.</DD>

<DD>REQUIRED. A type identifier that identifies the message

type. A URI <TT>http://openid.net/specs/cc/1.0#env</TT> .</DD></DL></BLOCKQUOTE>

<P></P>

<P>Following is the list of <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.authentication-2.0">OpenID

Authentication 2.0<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID

Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> [OpenID.authentication‑2.0]

variables are to be sent under the key <TT>"openid"</TT>: when OpenID

2.0 identifier compatibility is sought.</P>

<P></P>

<DL>

<DD>REQUIRED. A type identifier that identifies the message

type. Set to <TT>"http://openid.net/specs/cc/1.0/#req"</TT>.</DD>

<DT>immediate</DT>

<DD>OPTIONAL. indicates if the authorization server should

display the authorization user interface. <TT>"True"</TT> if it should not

display the user interface or <TT>"False"</TT> to display.

Default is <TT>"False"</TT>.</DD>

<DT>claimed_id</DT>

<DD>OPTIONAL. The claimed_id as in <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.authentication-2.0">OpenID

2.0<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID

Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>

[OpenID.authentication‑2.0]</DD>

<DT>identity</DT>

<DD>OPTIONAL. The local identifier as in <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.authentication-2.0">OpenID

Authentication 2.0<SPAN> (</SPAN><SPAN

class="info">specs@openid.net, “OpenID Authentication 2.0,”

2007.</SPAN><SPAN>)</SPAN></A> [OpenID.authentication‑2.0].</DD>

<DT>realm</DT>

<DD>REQUIRED if PPID were used in previous authentications. URL

pattern the OP SHOULD ask the end user to trust. See Section

9.2 of <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#OpenID.authentication-2.0">OpenID

Authentication 2.0<SPAN> (</SPAN><SPAN

class="info">specs@openid.net, “OpenID Authentication 2.0,”

2007.</SPAN><SPAN>)</SPAN></A> [OpenID.authentication‑2.0].</DD>

<DT>server_id</DT>

<DD>OPTIONAL. The intended recipient of this request.</DD>

<DT>pubkey</DT>

<DD>OPTIONAL. The base64url encoded DER format X.509

certificate of the RP.</DD>

<DT>atype</DT>

<DD>OPTIONAL. Type of assertion to be returned at the end.

Values are one of the following:

<LI>openid2json : (Default) OpenID Artifact Binding's default

assertion format, which is JSON.</LI>

<LI>openid2jsonp : openid2json wrapped in "openidjsonp();" so

that it will be a JSONP format.</LI>

<LI>openid2json+sig: openid2json assertion signed.</LI>

<LI>openid2json+sig+enc: openid2json assertion signed and

encrypted.</LI>

<LI>saml2: SAML ver.2 assertion.</LI>

<LI>wss : WS-Security assertion.</LI></UL></DD></DL></BLOCKQUOTE>

<P></P>

<P>These variables are sent from the client to the end-user

authorization endpoint according to the protocol bindings of this

specification. There are two serialization of the above variables:

Query Parameters serialization and JSON serialization.</P>

<P>Following is a non-normative example when they are sent in the

query parameters serialization.</P>

<DIV style="width: 0px; margin-right: auto; margin-left: 3em; display: table;"><PRE>GET /authorize?scope=openid&response_type=code

&openid.type=http%3A%2F%2Fopenid.net%2Fspecs%2Fcc%2F1.0%2F%23req

&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

Host: server.example.com</PRE></DIV>

<P></P>

<P>Following is a non-normative example when they are sent as a JSON

object serialization.</P>

<DIV style="width: 0px; margin-right: auto; margin-left: 3em; display: table;"><PRE>{

"type": "http://openid.net/specs/cc/1.0#env,

"openid": {

"type": "http://openid.net/specs/cc/1.0#req",

"server_id": "http://example.com/op/",

"immediate": "true",

"claimed_id":"http://specs.openid.net/auth/2.0/identifier_select",

"identity": "http://specs.openid.net/auth/2.0/identifier_select",

"ns.pape": "http://specs.openid.net/extensions/pape/1.0",

"pape.auth_level.ns.nist": "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf",

"pape.preferred_auth_level_types": "nist"

"redirect_uri": "https://example.com/rp/endpoint_url",

"response_type":"code",

"client_id": "http://example.com/rp/",

"scope": "openid",

"state": "af0ifjsldkj"

}</PRE></DIV>

<HR>

<TBODY>

<TR>

<H3>4.1.2.  Authorization Response</H3>

<P>If the End-User grants the access request, the Authorization Server

issues an Authorization Code or an Access Token and delivers them to

the Client. Following are the list of the parameter included in the

Response message when the <TT>response_type</TT> in the request was

<TT>code</TT>. Note that if the <TT>response_type</TT> in the request was

<TT>token</TT>, the <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#access_token_response">Access

Token Response<SPAN> (</SPAN><SPAN class="info">Access Token

Response</SPAN><SPAN>)</SPAN></A> defined later MUST be returned

instead.</P>

<P></P>

<DL>

<DD>REQUIRED. The authorization code generated by the

authorization server. The authorization code SHOULD expire

shortly after it is issued to minimize the risk of leaks. The

client MUST NOT reuse the authorization code. If an

authorization code is used more than once, the authorization

server MAY revoke all tokens previously issued based on that

authorization code. The authorization code is bound to the

client identifier and redirection URI.</DD>

<DT>state</DT>

<DD>REQUIRED if the state parameter was present in the client

authorization request. Set to the exact value received from the

client.</DD></DL></BLOCKQUOTE>

<P></P>

<P>For example, the Authorization Server redirects the End-User's

user-agent by sending the following HTTP response:</P>

<DIV style="width: 0px; margin-right: auto; margin-left: 3em; display: table;"><PRE>HTTP/1.1 302 Found

Location: https://client.example.com/cb?code=i1WsRn1uB1</PRE></DIV>

<P></P>

<P>Clients SHOULD ignore unrecognized response parameters. The sizes of

tokens and other values received from the authorization server, are

left undefined by this specification. Clients should avoid making

assumptions about value sizes. Servers should document the expected

size of any value they issue.</P><A name="anchor5"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.1.3.  Authorization Error Response</H3>

<P>If the end-user denies the access request or if the request fails

for reasons other than a missing or invalid redirection URI, the

authorization server informs the client by adding the following

parameters to the redirection URI query component using the

<TT>application/x-www-form-urlencoded</TT> format as defined by <A

class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#html401">W3C.REC&nbhy;html401&nbhy;19991224<SPAN>

(</SPAN><SPAN class="info">Ragget, D., “HTML 4.01 Specification,”

December 1999.</SPAN><SPAN>)</SPAN></A> [html401]:</P>

<P></P>

<DL>

<DT>error</DT>

<DD>REQUIRED. A single error code as described below.</DD>

<DT>error_description</DT>

<DD>OPTIONAL. A human-readable text providing additional

information, used to assist in the understanding and resolution

of the error occurred.</DD>

<DT>error_uri</DT>

<DD>OPTIONAL. A URI identifying a human-readable web page with

information about the error, used to provide the end-user with

additional information about the error.</DD>

<DT>state</DT>

<DD>REQUIRED if the state parameter was present in the client

authorization request. Set to the exact value received from the

client.</DD></DL></BLOCKQUOTE>

<HR>

<TBODY>

<TR>

<H3>4.1.3.1.  Error Codes</H3>

<P>The Authorization Server includes one of the following error codes

with the error response:</P>

<P></P>

<DL>

<DT>invalid_request </DT>

<DD>The request is missing a required parameter, includes an

unsupported parameter or parameter value, repeats a

parameter, includes multiple credentials, utilizes more than

one mechanism for authenticating the client, or is otherwise

malformed.</DD>

<DT>invalid_client</DT>

<DD>The client identifier provided is invalid, the client

failed to authenticate, the client did not include its

credentials, provided multiple client credentials, or used

unsupported credentials type.</DD>

<DT>unauthorized_client </DT>

<DD>The authenticated client is not authorized to use the

access grant type provided.</DD>

<DT>invalid_grant</DT>

<DD>The provided access grant is invalid, expired, or revoked

(e.g. invalid assertion, expired authorization token, bad

end-user password credentials, or mismatching authorization

code and redirection URI).</DD>

<DT>unsupported_grant_type</DT>

<DD>The access grant included - its type or another attribute

- is not supported by the authorization server.</DD>

<DT>invalid_scope</DT>

<DD>The requested scope is invalid, unknown, malformed, or

exceeds the previously granted scope.</DD>

<DT>invalid_request_response_type</DT>

<DD>The requested response type is unsupported or is missing.

</DD>

<DT>invalid_request_type</DT>

<DD>The request type is unsupported.</DD>

<DT>invalid_request_openid_type</DT>

<DD>The openid type in the the request is not supported.</DD>

<DT>invalid_request_redirect_uri</DT>

<DD>The redirect_uri in the request is missing or malformed.

</DD>

<DT>invalid_request_signature</DT>

<DD>The request has an invalid signature.</DD>

<DT>invalid_request_realm</DT>

<DD>The openid request realm is missing or malformed.</DD>

<DT>invalid_request_atype</DT>

<DD>The request contains an unsupported response assertion

type.</DD>

<DT>invalid_request_recipient</DT>

<DD>The recipient of the request is invalid or does not

match.</DD></DL></BLOCKQUOTE>

<P></P>

<P>The error codes can be extended by the string prefixed by

<TT>x_</TT>. If custome error code are used, <TT>error_uri</TT> MUST

be provided.</P>

<HR>

<TBODY>

<TR>

<H3>4.2.  Token Endpoint</H3>

<P>Access Token Request / Response interacts with an OpenID Token

Endpoint. Upon the successful request, the OpenID returns two tokens,

Access Token and OpenID Token.</P><A name="access_token_request"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.2.1.  Access Token Request</H3>

<P>The client obtains an access token by authenticating with the

authorization server and presenting its access grant (in the form of an

authorization code, resource owner credentials, an assertion, or a

refresh token).</P>

<P>To make the Access Token Request, the Client sends the following

parameters to the Token Endpoint:</P>

<P></P>

<DL>

<DT>grant_type</DT>

<DD>REQUIRED. The access grant type included in the request.

Value MUST be one of <TT>authorization_code</TT>, <TT>refresh_token</TT>, or

an absolute URI identifying an assertion format supported by

the authorization server.</DD>

<DT>client_id</DT>

<DD>REQUIRED. The client identifier.</DD>

<DT>client_secret</DT>

<DD>REQUIRED. Client Secret. If the secret_type is

<TT>"shared"</TT>, send the pre-shared secret. If the

secret_type is <TT>"jwt"</TT>, send the compact serealization of

the <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#jwt">JWT<SPAN>

(</SPAN><SPAN class="info">Jones, M., Belfanz, D., Bradeley, J., Goland, Y.,

Panzer, J., Sakimura, N., and P. Tarjan, “JSON Web Token,”

January 2011.</SPAN><SPAN>)</SPAN></A> [jwt] Signature over the 'code'.

</DD>

<DT>secret_type</DT>

<DD>OPTIONAL. Type of the <TT>client_secret</TT>. <TT>"shared"</TT> or

<TT>"jwt"</TT>. Defaults to <TT>"shared"</TT>.</DD></DL></BLOCKQUOTE>

<P>In addition, the client MUST include the appropriate parameters

specified in the bindings used.</P><A name="access_token_response"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.2.2.  Access Token Response</H3>

<P>After receiving and verifying a valid and authorized access token

request from the client, the Authorization Server returns a Positive

Assertion that includes an Access Token.</P>

<P>The token response contains the following parameters which are

serialized into a JSON structure by adding each parameter at the

highest structure level. Parameter names and string values are included

as JSON strings. Numerical values are included as JSON numbers.</P>

<P></P>

<DL>

<DT>access_token</DT>

<DD>REQUIRED if the response type is <TT>token</TT> or

<TT>code_and_token</TT>, otherwise MUST NOT be included. The

Access Token issued by the Authorization Server.</DD>

<DT>token_type</DT>

<DD>REQUIRED. The type of the token issued. Value is case

insensitive.</DD>

<DT>refresh_token</DT>

<DD>OPTIONAL. The Refresh Token used to obtain new Access

Tokens using the same End-User authorization. The authorization

server SHOULD NOT issue a Refresh Token when the access grant

type is set to none.</DD>

<DT>expires_in</DT>

<DD>OPTIONAL. The duration in seconds of the access token

lifetime if an access token is included. For example, the value

3600 denotes that the access token will expire in one hour from

the time the response was generated by the authorization

server.</DD>

<DT>scope</DT>

<DD>OPTIONAL. The scope of the access token as a list of

space-delimited strings. The value of the scope parameter is

defined by the authorization server. If the value contains

multiple space-delimited strings, their order does not matter,

and each string adds an additional access range to the

requested scope. The authorization server SHOULD include the

parameter if the requested scope is different from the one

requested by the client.</DD>

<DT>openid</DT>

<DD>REQUIRED if it was requested in the request. An OpenID

Token. It is a <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#jws">JWS<SPAN>

(</SPAN><SPAN class="info">Jones, M., Belfanz, D., Bradeley, J., Goland, Y.,

Panzer, J., Sakimura, N., and P. Tarjan, “JSON Web Signatures,”

March 2011.</SPAN><SPAN>)</SPAN></A> [jws] signed claim

described below.</DD></DL></BLOCKQUOTE>

<P></P>

<P>It MAY include any other extension parameters.</P>

<P></P>

<P>Following is a non-normative example.</P>

<DIV style="width: 0px; margin-right: auto; margin-left: 3em; display: table;"><PRE>{

"access_token": "SlAV32hkKG",

"token_type": "jwt",

"refresh_token": "8xLOxBtZp8",

"user_id": "http://op.example.com/alice#1234",

"domain": "op.example.com",

"expires_in": 3600,

"openid":"jwtheader.jwtpayload.jwtcrypto"

}</PRE></DIV>

<P></P>

<P>Clients SHOULD ignore unrecognized response parameters. The sizes of

tokens and other values received from the authorization server, are

left undefined by this specification. Clients should avoid making

assumptions about value sizes. Servers should document the expected

size of any value they issue.</P><A name="anchor8"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.2.2.1.  OpenID Token</H3>

<P>The OpenID Token is a JWS signed claim that attests the following:

</P>

<P></P>

<DL>

<DT>server_id</DT>

<DD>REQUIRED. The unique identifier of the authorization

server such that when paired with the user_id creates a

globally unique and never reassigned identifier.</DD>

<DD>REQUIRED. A locally unique and never reassigned

identifier for the user, which is intended to be consumed by

the Client. e.g. "24400320" or

"AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4". It MUST NOT exceed

255 ASCII characters in length.</DD>

<DT>client_id</DT>

<DD>REQUIRED. The client identifier recognized by the

authorization server.</DD>

<DD>REQUIRED. The <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#jwt">JWT<SPAN>

(</SPAN><SPAN class="info">Jones, M., Belfanz, D., Bradeley, J., Goland, Y.,

Panzer, J., Sakimura, N., and P. Tarjan, “JSON Web Token,”

January 2011.</SPAN><SPAN>)</SPAN></A> [jwt]aud (audience) claim.</DD>

<DD>REQUIRED. The <A class="info" href="http://openid4.us/specs/ab/openid-connect-core-1_0.html#jwt">JWT<SPAN>

(</SPAN><SPAN class="info">Jones, M., Belfanz, D., Bradeley, J., Goland, Y.,

Panzer, J., Sakimura, N., and P. Tarjan, “JSON Web Token,”

January 2011.</SPAN><SPAN>)</SPAN></A> [jwt] exp

(expiration time) claim.</DD>

<DD>OPTIONAL. (TBD) If we want this token to be short, we

probably want to define a shorter equivalent of PAPE. </DD>

</DL></BLOCKQUOTE>

<P></P>

<HR>

<TBODY>

<TR>

<H3>4.2.3.  Token Error Response</H3>

<P>If the assertion request is invalid or unauthorized, the

authorization server constructs the response by adding the following

parameter to the entity body of the HTTP response using the

"application/json" media type:</P>

<P></P>

<DL>

<DT>error</DT>

<DD>REQUIRED. A single error code as described below.</DD>

<DT>error_description</DT>

<DD>OPTIONAL. A human-readable text providing additional

information, used to assist in the understanding and resolution

of the error occurred.</DD>

<DT>error_uri</DT>

<DD>OPTIONAL. A URI identifying a human-readable web page with

information about the error, used to provide the end-user with

additional information about the error.</DD></DL></BLOCKQUOTE>

<P></P>

<HR>

<TBODY>

<TR>

<H3>4.2.3.1.  Error Codes</H3>

<P>The Authorization Server includes one of the following error codes

with the error response:</P>

<P></P>

<DL>

<DT>invalid_request </DT>

<DD>The request is missing a required parameter, includes an

unsupported parameter or parameter value, repeats a

parameter, includes multiple credentials, utilizes more than

one mechanism for authenticating the client, or is otherwise

malformed.</DD>

<DT>invalid_client</DT>

<DD>The client identifier provided is invalid, the client

failed to authenticate, the client did not include its

credentials, provided multiple client credentials, or used

unsupported credentials type.</DD>

<DT>unauthorized_client </DT>

<DD>The authenticated client is not authorized to use the

access grant type provided.</DD>

<DT>invalid_grant</DT>

<DD>The provided access grant is invalid, expired, or revoked

(e.g. invalid assertion, expired authorization token, bad

end-user password credentials, or mismatching authorization

code and redirection URI).</DD>

<DT>unsupported_grant_type</DT>

<DD>The access grant included - its type or another attribute

- is not supported by the authorization server.</DD>

<DT>invalid_scope</DT>

<DD>The requested scope is invalid, unknown, malformed, or

exceeds the previously granted scope.</DD>

<DT>invalid_client_secret</DT>

<DD>The client secret does not matched pre-shared secret

code, is of a different type, or has an invalid signature.

</DD>

<DT>invalid_secret_type</DT>

<DD>The specified secret type is unsupported.</DD>

<DT>invalid_request_signature</DT>

<DD>The request has an invalid signature.</DD>

<DT>invalid_request_code</DT>

<DD>The authorization code is missing, malformed, or invalid.

</DD>

<DT>invalid_request_openid_type</DT>

<DD>The openid type in the the request is not supported.</DD>

</DL></BLOCKQUOTE>

<P>The error codes can be extended by the string prefixed by

<TT>x_</TT>. If custome error code are used, <TT>error_uri</TT> MUST

be provided.</P><A name="anchor11"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.3.  UserInfo Endpoint</H3>

<P>UserInfo Request/Response interacts with UserInfo Endpoint.</P><A name="anchor12"></A><BR>

<HR>

<TBODY>

<TR>

<H3>4.3.1.  UserInfo Request</H3>

<P>Client MAY send request with following parameters to the UserInfo

Endpoint to obtain further information about the user.</P>

<P>[[TBD: How to ask the attributes the Client is requesting?]]</P>

<P></P>

<DL>

<DT>access_token</DT>

<DD>REQUIRED. The access_token obtained above.</DD>

<DD>REQUIRED. A locally unique and never reassigned identifier

for the user. e.g. "24400320" or

"AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4". It MUST NOT exceed

255 ASCII characters in length. It could be a pairwise private

identifier of the enduser between the Client and the Server.</DD>

<DT>client_id</DT>

<DD>REQUIRED. The client identifier recognized by the

authorization server.</DD></DL></BLOCKQUOTE>

<HR>

View remainder of file in raw view

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FilesExpand file tree

OpenID Connect Core.htm

Latest commit

History

OpenID Connect Core.htm

File metadata and controls