-
Notifications
You must be signed in to change notification settings - Fork 0
/
openid-connect-rp-metadata-choices-1_0.xml
860 lines (771 loc) · 30.6 KB
/
openid-connect-rp-metadata-choices-1_0.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN"
"http://xml2rfc.tools.ietf.org/authoring/rfc2629.dtd">
<!--
NOTE: This XML file is input used to produce the authoritative copy of an
OpenID Foundation specification. The authoritative copy is the HTML output.
This XML source file is not authoritative. The statement ipr="none" is
present only to satisfy the document compilation tool and is not indicative
of the IPR status of this specification. The IPR for this specification is
described in the "Notices" section. This is a public OpenID Foundation
document and not a private document, as the private="..." declaration could
be taken to indicate.
-->
<rfc category="std" docName="openid-connect-rp-metadata-choices-1_0" ipr="none"
xmlns:xi="http://www.w3.org/2001/XInclude">
<?rfc toc="yes" ?>
<?rfc tocdepth="5" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc strict="yes" ?>
<?rfc iprnotified="no" ?>
<?rfc private="Draft" ?>
<front>
<title abbrev="OpenID Connect RP Metadata Choices">OpenID Connect
Relying Party Metadata Choices 1.0 - draft 01</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Self-Issued Consulting">Self-Issued Consulting</organization>
<address>
<email>[email protected]</email>
<uri>https://self-issued.info/</uri>
</address>
</author>
<author fullname="Roland Hedberg" initials="R." surname="Hedberg">
<organization>independent</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Yubico">Yubico</organization>
<address>
<email>[email protected]</email>
<uri>http://www.thread-safe.com/</uri>
</address>
</author>
<date day="25" month="November" year="2024" />
<workgroup>OpenID Connect Working Group</workgroup>
<abstract>
<t>OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
protocol. It enables Clients to verify the identity of the End-User based
on the authentication performed by an Authorization Server, as well as to
obtain basic profile information about the End-User in an interoperable and
REST-like manner.</t>
<t>
This specification extends the OpenID Connect Dynamic Client Registration 1.0
specification to enable RPs to express a set of supported values
for some RP metadata parameters, rather than just single values.
This functionality is particularly useful when Automatic Registration,
as defined in OpenID Federation 1.0,
is used, since there is no registration response from the OP
to tell the RP what choices were made by the OP.
This gives the OP the information that it needs to make choices about
how to interact with the RP in ways that work for both parties.
</t>
</abstract>
</front>
<middle>
<section anchor="Introduction" title="Introduction">
<t>
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
<xref target="RFC6749"/>
protocol. It enables Clients to verify the identity of the End-User based
on the authentication performed by an Authorization Server, as well as to
obtain basic profile information about the End-User in an interoperable and
REST-like manner.
</t>
<t>
In order for an OpenID Connect Relying Party to utilize OpenID Connect services for
an End-User, the RP needs to register with the OpenID Provider
to provide the OP information about itself.
This specification extends the OpenID Connect Dynamic Client Registration 1.0
specification <xref target="OpenID.Registration"/>
to enable RPs to express a set of supported values
for some RP metadata parameters, rather than just single values.
This extension enables expression of multiple choices for parameters
including supported algorithms and token endpoint authentication methods.
This functionality is particularly useful when Automatic Registration
<xref target="OpenID.Federation"/>
is used, since there is no registration response from the OP
to tell the RP what choices were made by the OP.
This gives the OP the information that it needs to make choices about
how to interact with the RP in ways that work for both parties.
</t>
<section anchor="rnc" title="Requirements Notation and Conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>.
</t>
<t>
All uses of <xref target="JWS">JSON Web Signature (JWS)</xref>
and <xref target="JWE">JSON Web Encryption (JWE)</xref>
data structures in this specification utilize
the JWS Compact Serialization or the JWE Compact Serialization;
the JWS JSON Serialization and the JWE JSON Serialization are not used.
</t>
</section>
<section anchor="Terminology" title="Terminology">
<t>
This specification uses the terms
"Authorization Server",
"Client", "Client Authentication", "Client Identifier",
and "Token Endpoint"
defined by <xref target="RFC6749">OAuth 2.0</xref>,
the term "JSON Web Token (JWT)"
defined by <xref target="JWT">JSON Web Token (JWT)</xref>,
and the terms defined by
<xref target="OpenID.Core">OpenID Connect Core 1.0</xref> and
<xref target="OpenID.Registration">OpenID Connect Dynamic Client Registration 1.0</xref>.
</t>
</section>
</section>
<section anchor="ClientMetadata" title="Client Metadata">
<t>Clients have metadata associated with their
unique Client Identifier at the Authorization Server. These can range
from human-facing display strings, such as a Client name, to items that
impact the security of the protocol, such as the set of supported algorithms.
</t>
<t>The Client Metadata values are used in two ways:</t>
<t>
<list style="symbols">
<t>
as input values to registration requests, and
</t>
<t>
as output values in registration responses and read responses.
</t>
</list>
</t>
<t>
Enabling the RP to express all the choices that it supports
for metadata parameters is particularly important when using
Automatic Registration, as defined in
Section 12.1 of OpenID Federation 1.0 <xref target="OpenID.Federation"/>,
since it gives the OP the best opportunity to make good choices
of what parameters to use when interacting with the RP.
This specification is intended to faciliate such interactions.
</t>
<t>
The Client Metadata values defined below MUST only be used
as input values to registration requests,
and not
as output values in registration responses and read responses.
Any output values used related to these multi-valued input parameters
MUST be the associated corresponding single-valued metadata parameter.
</t>
<t>
These Client Metadata values are defined by this specification:
<list style="hanging">
<t hangText="subject_types_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
<spanx style="verb">subject_type</spanx>
values supported by the RP.
If a <spanx style="verb">subject_type</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="id_token_signing_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
<xref target="JWS">JWS</xref> <spanx style="verb">alg</spanx> values
supported by the RP when validating the ID Token signature.
If a <spanx style="verb">id_token_signed_response_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="id_token_encryption_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
<xref target="JWE">JWE</xref> <spanx style="verb">alg</spanx> values
supported by the RP when decrypting the ID Token.
If a <spanx style="verb">id_token_encrypted_response_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="id_token_encryption_enc_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the RP when decrypting the ID Token.
If a <spanx style="verb">id_token_encrypted_response_enc</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="userinfo_signing_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the RP when validating the UserInfo Response signature.
If a <spanx style="verb">userinfo_signed_response_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="userinfo_encryption_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWE <spanx style="verb">alg</spanx> values
supported by the RP when decrypting the UserInfo Response.
If a <spanx style="verb">userinfo_encrypted_response_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="userinfo_encryption_enc_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the RP when decrypting the UserInfo Response.
If a <spanx style="verb">userinfo_encrypted_response_enc</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="request_object_signing_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the Client when signing Request Objects.
If a <spanx style="verb">request_object_signing_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="request_object_encryption_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWE <spanx style="verb">alg</spanx> values
supported by the Client when encrypting Request Objects.
If a <spanx style="verb">request_object_encryption_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="request_object_encryption_enc_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the Client when encrypting Request Objects.
If a <spanx style="verb">request_object_encryption_enc</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="token_endpoint_auth_methods_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
Client Authentication methods supported by the Client.
If a <spanx style="verb">token_endpoint_auth_method</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
<t hangText="token_endpoint_auth_signing_alg_values_supported">
<vspace/>
OPTIONAL.
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the Client when signing the JWT
used to authenticate the Client at the Token Endpoint
for the <spanx style="verb">private_key_jwt</spanx>
and <spanx style="verb">client_secret_jwt</spanx> authentication methods.
If a <spanx style="verb">token_endpoint_auth_signing_alg</spanx>
metadata parameter is also present, its value MUST be in the list.
</t>
</list>
</t>
<t>
Additional Client Metadata parameters MAY be defined and used,
as described in <xref target="RFC7591"/>.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
The security considerations when using these metadata parameters
are the same as those when using the correspoding metadata parameters in
<xref target="OpenID.Registration"/> and <xref target="OpenID.Discovery"/>.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<section anchor="DynRegRegistrations" title="OAuth Dynamic Client Registration Metadata Registry">
<t>
This specification registers the following client metadata definitions
in the IANA "OAuth Dynamic Client Registration Metadata" registry
<xref target="IANA.OAuth.Parameters"/>
established by <xref target="RFC7591"/>.
</t>
<section anchor="DynRegContents" title="Registry Contents">
<t> <?rfc subcompact="yes"?>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">subject_types_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
<spanx style="verb">subject_type</spanx>
values supported by the RP
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">id_token_signing_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
<xref target="JWS">JWS</xref> <spanx style="verb">alg</spanx> values
supported by the RP when validating the ID Token signature
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">id_token_encryption_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
<xref target="JWE">JWE</xref> <spanx style="verb">alg</spanx> values
supported by the RP when decrypting the ID Token
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">id_token_encryption_enc_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the RP when decrypting the ID Token
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">userinfo_signing_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the RP when validating the UserInfo Response signature
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">userinfo_encryption_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWE <spanx style="verb">alg</spanx> values
supported by the RP when decrypting the UserInfo Response
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">userinfo_encryption_enc_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the RP when decrypting the UserInfo Response
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">request_object_signing_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the Client when signing Request Objects
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">request_object_encryption_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWE <spanx style="verb">alg</spanx> values
supported by the Client when encrypting Request Objects
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">request_object_encryption_enc_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWE <spanx style="verb">enc</spanx> values
supported by the Client when encrypting Request Objects
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">token_endpoint_auth_methods_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
Client Authentication methods supported by the Client
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Client Metadata Name: <spanx style="verb">token_endpoint_auth_signing_alg_values_supported</spanx>
</t>
<t>
Client Metadata Description:
JSON array containing a list of the
JWS <spanx style="verb">alg</spanx> values
supported by the Client when signing the JWT
used to authenticate the Client at the Token Endpoint
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="ClientMetadata"/> of this specification
</t>
</list>
</t>
</section>
<?rfc subcompact="no"?>
</section>
</section>
</middle>
<back>
<references title="Normative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<reference anchor="OpenID.Core" target="https://openid.net/specs/openid-connect-core-1_0.html">
<front>
<title>OpenID Connect Core 1.0</title>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Yubico (was at Ping Identity)">Yubico</organization>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization>
</author>
<author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
<organization abbrev="Google">Google</organization>
</author>
<author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
<organization abbrev="Disney (was at Salesforce)">Disney</organization>
</author>
<date day="15" month="December" year="2023"/>
</front>
</reference>
<reference anchor="OpenID.Discovery" target="https://openid.net/specs/openid-connect-discovery-1_0.html">
<front>
<title>OpenID Connect Discovery 1.0</title>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Yubico (was at Ping Identity)">Yubico</organization>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization>
</author>
<author fullname="Edmund Jay" initials="E." surname="Jay">
<organization abbrev="Illumila">Illumila</organization>
</author>
<date day="15" month="December" year="2023"/>
</front>
</reference>
<reference anchor="OpenID.Registration" target="https://openid.net/specs/openid-connect-registration-1_0.html">
<front>
<title>OpenID Connect Dynamic Client Registration 1.0</title>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Yubico (was at Ping Identity)">Yubico</organization>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization>
</author>
<date day="15" month="December" year="2023"/>
</front>
</reference>
<reference anchor="OpenID.Federation" target="https://openid.net/specs/openid-federation-1_0.html">
<front>
<title>OpenID Federation 1.0</title>
<author fullname="Roland Hedberg" initials="R." role="editor"
surname="Hedberg">
<organization>independent</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Self-Issued Consulting">Self-Issued Consulting</organization>
<address>
<email>[email protected]</email>
<uri>https://self-issued.info/</uri>
</address>
</author>
<author fullname="Andreas Åkre Solberg" initials="A.Å."
surname="Solberg">
<organization>Sikt</organization>
<address>
<email>[email protected]</email>
<uri>https://www.linkedin.com/in/andreassolberg/</uri>
</address>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Yubico">Yubico</organization>
<address>
<email>[email protected]</email>
<uri>http://www.thread-safe.com/</uri>
</address>
</author>
<author fullname="Giuseppe De Marco" initials="G." surname="De Marco">
<organization>independent</organization>
<address>
<email>[email protected]</email>
<uri>https://www.linkedin.com/in/giuseppe-de-marco-bb054245/</uri>
</address>
</author>
<author fullname="Vladimir Dzhuvinov" initials="V." surname="Dzhuvinov">
<organization>Connect2id</organization>
<address>
<email>[email protected]</email>
<uri>https://twitter.com/dzhuvi</uri>
</address>
</author>
<date day="15" month="September" year="2024"/>
</front>
</reference>
<reference anchor="JWT" target="https://tools.ietf.org/html/rfc7519">
<front>
<title>JSON Web Token (JWT)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization>Ping Identity</organization>
</author>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NRI">Nomura Research Institute, Ltd.</organization>
</author>
<date month="May" year="2015" />
</front>
<seriesInfo name="RFC" value="7519"/>
<seriesInfo name="DOI" value="10.17487/RFC7519"/>
</reference>
<reference anchor="JWS" target="https://tools.ietf.org/html/rfc7515">
<front>
<title>JSON Web Signature (JWS)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization>Ping Identity</organization>
</author>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NRI">Nomura Research Institute, Ltd.</organization>
</author>
<date month="May" year="2015" />
</front>
<seriesInfo name="RFC" value="7515"/>
<seriesInfo name="DOI" value="10.17487/RFC7515"/>
</reference>
<reference anchor="JWE" target="https://tools.ietf.org/html/rfc7516">
<front>
<title>JSON Web Encryption (JWE)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Microsoft</organization>
</author>
<author fullname="Joe Hildebrand" initials="J." surname="Hildebrand">
<organization>Cisco Systems, Inc.</organization>
</author>
<date month="May" year="2015" />
</front>
<seriesInfo name="RFC" value="7516"/>
<seriesInfo name="DOI" value="10.17487/RFC7516"/>
</reference>
<reference anchor="IANA.OAuth.Parameters" target="https://www.iana.org/assignments/oauth-parameters">
<front>
<title>OAuth Parameters</title>
<author>
<organization>IANA</organization>
</author>
<date/>
</front>
</reference>
</references>
<references title="Informative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7591.xml"/>
</references>
<section anchor="Notices" title="Notices">
<t>Copyright (c) 2024 The OpenID Foundation.</t>
<t>
The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft or
Final Specification solely for the purposes of (i) developing
specifications, and (ii) implementing Implementers Drafts and
Final Specifications based on such documents, provided that attribution
be made to the OIDF as the source of the material, but that such attribution
does not indicate an endorsement by the OIDF.
</t>
<t>
The technology described in this specification was
made available from contributions from various sources,
including members of the OpenID Foundation and others.
Although the OpenID Foundation has taken steps to help ensure
that the technology is available for distribution, it takes
no position regarding the validity or scope of any intellectual
property or other rights that might be claimed to pertain to
the implementation or use of the technology described in
this specification or the extent to which any license under
such rights might or might not be available; neither does it
represent that it has made any independent effort to identify
any such rights. The OpenID Foundation and the contributors
to this specification make no (and hereby expressly disclaim any)
warranties (express, implied, or otherwise), including implied
warranties of merchantability, non-infringement, fitness for
a particular purpose, or title, related to this specification,
and the entire risk as to implementing this specification is
assumed by the implementer. The OpenID Intellectual
Property Rights policy requires contributors to offer
a patent promise not to assert certain patent claims against
other contributors and against implementers. The OpenID Foundation invites
any interested party to bring to its attention any copyrights,
patents, patent applications, or other proprietary rights
that may cover technology that may be required to practice
this specification.
</t>
</section>
<section anchor="History" title="Document History">
<t>[[ To be removed from the approved Final Specification ]]</t>
<t>
-01
<list style="symbols">
<t>
Specified that the multi-valued metadata parameters defined herein
are to be used as registration request parameters
and not as registration response parameters.
</t>
</list>
</t>
<t>
-00
<list style="symbols">
<t>
Initial version.
</t>
</list>
</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements" numbered="no">
<t>
The authors wish to acknowledge the contributions of the following
people to this specification:
Vladimir Dzhuvinov,
Joseph Heenan,
Stefan Santesson,
and
Filip Skokan.
</t>
</section>
</back>
</rfc>