SIOP requirements from ID-Token

Issue #1438 closed
David W Chadwick created an issue

There are several requirements that SIOP places on the ID Token, which have led to a number of PRs and Issues that are currently unresolved. The purpose of this issue is to clarify what these requirements are, in the belief that once we have done this, it should be much easier to resolve several outstanding issues and PRs including: issue 1400, PR 120, issue 1430, issue 1429, issue 1426 and issue 1412 (at least).

Here is the initial list of mandatory requirements

(1) the SIOP must indicate that the id-token is from a SIOP

(2) the id-token must carry SIOP’s public key (or a reference to it)

Here is the initial list of optional/nice to have requirements:

(3) SIOPv2 should not diverge from the Core specification

(4) SIOP should communicate “the identity of SIOP/AS“ in the ID Token.

Please update the above lists if any requirements are missing.

Currently there are several alternatives for solving requirements (1) and (2). In no particular order, these are:

  a. The sub claim is set to https://self-issued.me and the iss claim is set to the JWK URI
  b. The sub claim is set to https://self-issued.me and the iss claim is set to the JWK Thumbprint URI and the id-token contains the JWK
  c. The sub == iss == JWK Thumbprint URI and the id-token contains the JWK
  d. The sub == iss == JWK URI

Alternatives a. and b. also address requirement (3).

Requirement (4) is not addressed by any of the above.

Please add any alternative solutions that are missing.
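An added worked example (not code from the issue, the SIOPv2 draft or the OpenID Foundation): alternative c. above carried end to end in Go, with the SIOP issuing an ES256 id-token whose iss and sub are both the JWK thumbprint of the key carried in sub_jwk, and the RP verifying it. The example assumes the JWK Thumbprint URI form of RFC 9278 (urn:ietf:params:oauth:jwk-thumbprint:sha-256:...) as the iss/sub syntax, ES256 over P-256, the claim names aud, nonce and sub_jwk, and constructed sample values for the audience, nonce and timestamps. The security point it makes is that the RP takes the verification key from the token itself, so the key is only trustworthy because its thumbprint is pinned to sub: a token that keeps a victim's iss/sub but swaps in and signs with a different sub_jwk is rejected before the signature is even checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed iss/sub syntax for alternative c.: the JWK Thumbprint URI of RFC 9278 (SHA-256 thumbprint).
const ThumbprintURIPrefix = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"

// JWK is the P-256 public key carried in the id-token's sub_jwk claim.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type Claims struct {
	Iss    string `json:"iss"`
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Nonce  string `json:"nonce"`
	SubJWK JWK    `json:"sub_jwk"`
}

var b64, unb64 = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

func GenerateSIOPKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// JWKFromPublicKey encodes the key per RFC 7518: fixed 32-byte big-endian coordinates, base64url.
func JWKFromPublicKey(pub *ecdsa.PublicKey) JWK {
	return JWK{Kty: "EC", Crv: "P-256", X: b64(pub.X.FillBytes(make([]byte, 32))), Y: b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint implements RFC 7638 for EC keys: SHA-256 over {"crv","kty","x","y"} in that order with no
// whitespace. %q is equivalent to JSON quoting here because every member value is plain ASCII.
func (k JWK) Thumbprint() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y)))
	return b64(sum[:])
}

// SignClaims produces a compact ES256 JWS. JWS ES256 signatures are raw r||s (64 bytes), not DER.
func SignClaims(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil { return "", err }
	signingInput := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// IssueSelfIssuedIDToken is the SIOP side of alternative c.: iss == sub == thumbprint URI, key in sub_jwk.
func IssueSelfIssuedIDToken(priv *ecdsa.PrivateKey, aud, nonce string, now int64) (string, error) {
	jwk := JWKFromPublicKey(&priv.PublicKey)
	id := ThumbprintURIPrefix + jwk.Thumbprint()
	return SignClaims(priv, Claims{Iss: id, Sub: id, Aud: aud, Exp: now + 300, Nonce: nonce, SubJWK: jwk})
}

// VerifySelfIssuedIDToken is the RP side. The verification key comes from the token itself, so it is only
// trustworthy because its thumbprint is pinned to sub: a sub_jwk that does not hash to sub is rejected first.
func VerifySelfIssuedIDToken(token, aud, nonce string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed compact JWS") }
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := unb64(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" { return nil, errors.New("unsupported or missing alg") }
	var c Claims
	if pb, err := unb64(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil { return nil, errors.New("malformed payload") }
	// Requirement (1): the token announces itself as self-issued through the iss/sub syntax.
	if !strings.HasPrefix(c.Iss, ThumbprintURIPrefix) || c.Iss != c.Sub { return nil, errors.New("iss/sub are not one JWK thumbprint URI") }
	// Requirement (2): the key the token carries must be the key that sub names.
	if c.SubJWK.Kty != "EC" || c.SubJWK.Crv != "P-256" || ThumbprintURIPrefix+c.SubJWK.Thumbprint() != c.Sub { return nil, errors.New("sub_jwk does not match sub") }
	xb, errX := unb64(c.SubJWK.X)
	yb, errY := unb64(c.SubJWK.Y)
	if errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 { return nil, errors.New("bad EC coordinates") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) { return nil, errors.New("sub_jwk point is not on P-256") }
	sig, err := unb64(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad ES256 signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return nil, errors.New("signature verification failed") }
	if c.Aud != aud || c.Nonce != nonce { return nil, errors.New("aud or nonce mismatch") }
	if now >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}

func main() {
	priv, _ := GenerateSIOPKey()
	tok, _ := IssueSelfIssuedIDToken(priv, "https://rp.example", "n-0S6_WzA2Mj", 1700000000) // constructed sample aud/nonce/time
	_, err := VerifySelfIssuedIDToken(tok, "https://rp.example", "n-0S6_WzA2Mj", 1700000010)
	fmt.Println(tok, "\nverified:", err == nil)
}
```

The order of checks in VerifySelfIssuedIDToken is deliberate: alg is pinned before anything is parsed, the sub_jwk thumbprint is compared against sub before the key is used for anything, and only then is the signature verified with a key the RP has reconstructed from the token. Under alternatives a. and b. the same thumbprint binding applies to iss rather than to sub, and under a. and d. the RP would instead fetch the key from the JWK URI, which is why those alternatives leave requirement (4) open.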

Comments (2)

  1. David W Chadwick reporter

    With the specification of did:jwk to replace JWK URI, requirement 4 has been addressed. So this issue can be closed.
