connect / MTIs

WG Decisions

  • Servers must understand the request object.
  • Servers must understand signed request objects.
  • It's optional for servers to understand encrypted request objects.
  • It's optional for clients to understand aggregated and distributed claims.

Messages Proposals

State the following in the MTI section of the Messages:

Endpoints

  • Servers MUST implement the following endpoints.
    • Authorization Endpoint
    • Token Endpoint
    • Userinfo Endpoint

Authorization Endpoint

  • The Authorization Endpoint MUST support the following request parameters:
    • response_type, scope, client_id, redirect_uri, state, nonce, display, prompt, request, id_token
  • id_token returned from this endpoint MUST be JWS or JWS+JWE.
  • The following are the requirements for the request parameters:

scope

  • The Authorization Endpoint MUST support the following scopes.
    • openid

response_type

  • The Authorization Endpoint MUST support the following response_types.
    • "code"
  • If the Authorization Endpoint supports response_type=token, then it MUST support the following response types as well:
    • "token id_token", "id_token"

display

  • The Authorization Endpoint MUST understand the following display parameter values:
    • page, popup, touch, wap; of these, only page is mandatory to support.
    • When displaying the consent dialogue, the Authorization Endpoint MUST show the policy_url.

request

  • The Authorization server MUST support the following members:
    • userinfo, id_token
  • If the Authorization server is a self-issued server, then it also MUST support the following member:
    • registration
  • The Authorization server MUST support the JWS request object with the following algorithms:
    • none, HS256, RS256 (a request object with alg "none" carries no signature at all, so it gives the server no integrity or origin guarantee and is to be handled as unsigned input)
  • The Authorization server MAY support the JWE request object.
    • If JWE is supported, then the following alg MUST be supported:
      • RSA1_5

userinfo member

  • The Authorization Endpoint MUST understand the following members:
    • claims, preferred_locales
  • The Authorization Endpoint MUST understand the following members in "claims":
    • All the claims in Table 1 (UserInfo Claims).

id_token member

  • The Authorization endpoint MUST understand the following members:
    • claims, max_age
  • The Authorization endpoint MUST understand the following members in "claims":
    • user_id, auth_time, acr, max_age (Authentication Claims)
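The request-object requirements above (JWS with none/HS256/RS256, plus the userinfo and id_token members) are easiest to check against a concrete exchange. The following is an added example, written for this page and not code from the Connect WG or any implementation: a client builds a compact JWS request object carrying the userinfo and id_token members, and the server verifies it, choosing the key by its own policy for the declared alg rather than trusting the header. The client_id, client_secret, redirect_uri and the shape of the claims request (claim name mapped to null) are assumptions for illustration; RS256 is recognised but not verified, since that needs an RSA library.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample payload (values are hypothetical). It carries the
# "userinfo" and "id_token" members the MTI list requires the server to
# understand; the {"claim": null} claims-request shape is an assumption.
SAMPLE_REQUEST = {
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "userinfo": {
        "claims": {"name": None, "email": None},
        "preferred_locales": ["ja", "en"],
    },
    "id_token": {
        "claims": {"user_id": None, "auth_time": None, "acr": None},
        "max_age": 86400,
    },
}

SUPPORTED_ALGS = {"none", "HS256", "RS256"}  # the MTI algorithm set


def make_request_object(payload: dict, alg: str, client_secret: bytes = b"") -> str:
    """Client side: serialise the payload as a compact JWS with the given alg."""
    header = b64url_encode(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    if alg == "none":
        return f"{header}.{body}."  # empty signature part, per JWS
    if alg == "HS256":
        sig = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
        return f"{header}.{body}.{b64url_encode(sig)}"
    raise ValueError(f"unsupported alg {alg}")


class RequestObjectError(Exception):
    pass


def verify_request_object(token: str, client_id: str, client_secret: bytes,
                          allow_unsigned: bool = False) -> dict:
    """Server side: return the payload if the JWS checks out, else raise.

    client_id and client_secret come from the server's registration record
    for the client_id given in the query string, never from the token itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise RequestObjectError("not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise RequestObjectError("malformed JWS") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise RequestObjectError("header and payload must be JSON objects")
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:
        raise RequestObjectError(f"alg {alg!r} not supported")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    if alg == "none":
        # alg none is not a signature: accept only under explicit policy and
        # only with an empty signature part, so a relabelled signed token
        # that still carries its old signature is rejected too.
        if not allow_unsigned or sig_b64 != "":
            raise RequestObjectError("unsigned request object rejected")
    elif alg == "HS256":
        expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise RequestObjectError("HS256 signature invalid")
    else:
        # RS256 needs an RSA library (not shown). The key for each alg is fixed
        # by server policy; an RSA public key must never reach the HMAC path.
        raise RequestObjectError("RS256 verification not implemented here")
    if payload.get("client_id") != client_id:
        raise RequestObjectError("client_id in request object does not match")
    return payload


def is_rejected(token: str, client_id: str, client_secret: bytes,
                allow_unsigned: bool = False) -> bool:
    try:
        verify_request_object(token, client_id, client_secret, allow_unsigned)
    except RequestObjectError:
        return True
    return False


def forge_alg_none(signed_token: str) -> str:
    """Attacker side: drop the signature and relabel a signed token as alg none."""
    _, body_b64, _ = signed_token.split(".")
    header = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    return f"{header}.{body_b64}."


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    signed = make_request_object(SAMPLE_REQUEST, "HS256", secret)
    print(verify_request_object(signed, "s6BhdRkqt3", secret)["id_token"])
    print(is_rejected(forge_alg_none(signed), "s6BhdRkqt3", secret))
```

The allow_unsigned flag is the policy switch for the "none" requirement above: when it is off, a token whose header says none is refused outright, and the relabelling trick in forge_alg_none fails even though the body is untouched.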

Token Endpoint

  • The Token Endpoint MUST support the client_secret_basic client authentication method.
  • id_token returned from this endpoint MUST be JWS or JWS+JWE.
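client_secret_basic is the one client authentication method the Token Endpoint must support, and the part implementers most often get wrong is the encoding: RFC 6749 section 2.3.1 form-urlencodes client_id and client_secret separately before joining them with ":" and base64-encoding, so a ":" inside either value cannot confuse the server's split. This added example (not Connect WG code) shows the client-side header construction and a server-side parser that rejects malformed headers and compares the secret in constant time. The client_id and client_secret values are constructed for illustration.

```python
import base64
import hmac
from typing import Optional, Tuple
from urllib.parse import quote_plus, unquote_plus

# Constructed registration record (hypothetical values): client_id -> client_secret.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw",
}


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: build the Authorization header for client_secret_basic.

    Each value is form-urlencoded first (RFC 6749 section 2.3.1), so ':' and
    non-ASCII characters in either value survive the round trip.
    """
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_client_secret_basic(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (client_id, client_secret), or None if malformed."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # bad base64 or non-UTF-8 bytes
    client_id, sep, secret = raw.partition(":")
    if not sep or not client_id:
        return None
    return unquote_plus(client_id), unquote_plus(secret)


def authenticate_client(header: str) -> Optional[str]:
    """Return the authenticated client_id, or None on any failure."""
    parsed = parse_client_secret_basic(header)
    if parsed is None:
        return None
    client_id, presented = parsed
    stored = REGISTERED_CLIENTS.get(client_id)
    if stored is None:
        return None
    # Constant-time comparison: the position of the first differing byte
    # must not be observable through response timing.
    if not hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8")):
        return None
    return client_id


if __name__ == "__main__":
    hdr = client_secret_basic_header("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw")
    print(hdr)
    print(authenticate_client(hdr))
```

A server that splits on the first ":" without first percent-decoding would misparse any secret containing ":"; a server that unquotes before splitting would be confused by an encoded "%3A" in the client_id. The parser above does the split first and the decoding second, matching the order in which the client encoded.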

Userinfo Endpoint

  • Multi-script syntax MUST be used where appropriate.
  • Response MAY be signed or signed+encrypted.
