connect / MTIs
WG Decisions
- Servers must understand the request object.
- Servers must understand signed request objects.
- It's optional for servers to understand encrypted request objects.
- It's optional for clients to understand aggregated and distributed claims.
Messages Proposals
State the following in the MTI section of the Messages:
Endpoints
- Servers MUST implement the following endpoints:
  - Authorization Endpoint
  - Token Endpoint
  - Userinfo Endpoint
Authorization Endpoint
- The Authorization Endpoint MUST support the following request parameters:
  - response_type, scope, client_id, redirect_uri, state, nonce, display, prompt, request, id_token
- id_token returned from this endpoint MUST be JWS or JWS+JWE.
- The following are the requirements for the request parameters:
scope
- The Authorization Endpoint MUST support the following scopes:
  - openid
response_type
- The Authorization Endpoint MUST support the following response_type values:
  - "code"
- If the Authorization Endpoint supports response_type=token, then it MUST support the following response types as well:
  - "token id_token", "id_token"
display
- The Authorization Endpoint MUST understand the following display parameter values:
  - page, popup, touch, wap; of these, only page is mandatory to honor in the response.
- When displaying the consent dialogue, the Authorization Endpoint MUST show the policy_url.
request
- The Authorization server MUST support the following members:
  - userinfo, id_token
- If the Authorization server is a self-issued server, then it also MUST support the following member:
  - registration
- The Authorization server MUST support the JWS request object with the following algorithms:
  - None, HS256, RS256
- The Authorization server MAY support the JWE request object.
- If JWE is supported, then the following alg MUST be supported:
  - RSA1_5
userinfo member
- The Authorization Endpoint MUST understand the following members:
  - claims, preferred_locales
- The Authorization Endpoint MUST understand the following members in "claims":
  - All the claims in Table 1 (Userinfo Claims).
id_token member
- The Authorization Endpoint MUST understand the following members:
  - claims, max_age
- The Authorization Endpoint MUST understand the following members in "claims":
  - user_id, auth_time, acr, max_age (Authentication Claims)
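Added example, not from the wiki page or any OpenID Connect implementation: a stdlib-only Python check of a JWS request object against the request-object and id_token-member rules above. It covers only the None and HS256 algorithms, treats RS256 as unsupported (an RSA library would be needed), and its function names, the accept_unsigned switch and the sample payload are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json

MTI_REQUEST_ALGS = {"none", "HS256", "RS256"}  # JWS algs listed as MTI for the request object
MTI_ID_TOKEN_CLAIMS = {"user_id", "auth_time", "acr", "max_age"}  # id_token "claims" the server must understand


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_request_object(payload, client_secret=None):
    """Build a compact JWS request object: HS256 when a secret is given, otherwise alg none."""
    alg = "HS256" if client_secret else "none"
    h = _b64url_encode(json.dumps({"alg": alg}).encode())
    b = _b64url_encode(json.dumps(payload).encode())
    sig = b""
    if client_secret:
        sig = hmac.new(client_secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return f"{h}.{b}.{_b64url_encode(sig)}"


def check_request_object(jws, client_secret=None, accept_unsigned=False):
    """Verify the request object and apply the MTI checks; raises ValueError on any failure."""
    h, b, s = jws.split(".")  # ValueError if not a three-part compact JWS
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg not in MTI_REQUEST_ALGS:
        raise ValueError(f"alg {alg!r} is outside the MTI set")
    if alg == "none":
        # MTI on the page, but a server should only accept unsigned objects by explicit decision.
        if not accept_unsigned or s != "":
            raise ValueError("unsigned request object rejected")
    elif alg == "HS256":
        if client_secret is None:
            raise ValueError("HS256 request object but no client secret registered")
        expected = hmac.new(client_secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("HS256 signature does not verify")
    else:  # RS256 verification needs an RSA library and is out of scope here
        raise ValueError("RS256 verification not implemented in this example")
    payload = json.loads(_b64url_decode(b))
    if "openid" not in payload.get("scope", "").split():
        raise ValueError("scope must include openid")
    # Report any requested id_token claims beyond the set the server is required to understand.
    id_claims = set(payload.get("id_token", {}).get("claims", {}))
    return {"alg": alg, "userinfo": payload.get("userinfo", {}),
            "unknown_id_token_claims": sorted(id_claims - MTI_ID_TOKEN_CLAIMS)}
```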
Token Endpoint
- The Token Endpoint MUST support the client_secret_basic client authentication method.
- id_token returned from this endpoint MUST be JWS or JWS+JWE.
Userinfo Endpoint
- Multi-script syntax MUST be used where appropriate.
- Response MAY be signed or signed+encrypted.