B. Hjelm Verizon T. Bradley Ping Identity April 7, 2015 OpenID Connect Mobile Registration Profile 1.0 draft-mobile-registration-01 Abstract The profile shall allow a RP to access ID services of multiple MNOs (e.g. in a market) while not requiring this RP to (manually) register with all of them. The RP shall register to a certain MNO or another entity MNOs delegated this task to once and obtain the right to access the desired MNO's ID services. To enable this autonomy of relying parties and OpenID Providers (the MNO's) dynamic client registration must be possible. It is however necessary to verify the level of trustworthiness (and potentially entitlement) of an RP and enable the OP to approve or block RP's accordingly. Thus it will be necessary to establish some measures of control to verify the legitimacy of the RP. For the Mobile Profile we propose to extend [OpenID.Registration] with Software Statements as specified in [OAuth.Registration]. It is beyond the scope of the Mobile Profile how the RP will obtain original legitimation. It is assumed that some trustworthy party validates the RP and issues the software statement to the RP. It is also beyond the scope of the Mobile Profile how an OP validates the software statement. It could be in scope to profile the use of software statements to (a) certain signature algorithm(s) and meta data. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Notation and Conventions . . . . . . . . . . 2 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Client Registration . . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 3 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 7. Normative References . . . . . . . . . . . . . . . . . . . . 3 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 4 Hjelm & Bradley Expires October 9, 2015 [Page 1] OIDC Mobile Registration Profile 1.0 April 2015 Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . . 4 Appendix C. Document History . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction OpenID Connect Mobile Registration Profile 1.0 is a profile of the OpenID Connect Registration 1.0 [OpenID.Registration] specification that allows a Client to dynamically register with multiple Mobile Network Operators (MNOs) based on information asserted by a primary MNO that the client has a relationship with. 1.1. Requirements Notation and Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. 1.2. Terminology This specification uses the terms "Access Token", "Refresh Token", "Authorization Code", "Authorization Grant", "Authorization Server", "Authorization Endpoint", "Client", "Client Identifier", "Client Secret", "Protected Resource", "Resource Owner", "Resource Server", and "Token Endpoint" defined by OAuth 2.0 [RFC6749]. This specification also defines the following terms: Token Agent (TA) A native application that obtains access tokens on behalf of other native applications - thereby enabling a Single SignOn experience for Native Application end users because the End-Users need only explicitly authenticate the _TA_ once per Authorization Server. AppInfo Endpoint A protected resource that the _TA_ can call (using its primary access token) to obtain metadata corresponding to a set of applications - both web & native. The _TA_ uses the application metadata in order to obtain secondary access tokens for those applications. Primary Token An OAuth token (access, refresh, and id_token) obtained by the _TA_ for its own uses. Secondary Token An OAuth access token obtained by the _TA_ on behalf of another native application. Hjelm & Bradley Expires October 9, 2015 [Page 2] OIDC Mobile Registration Profile 1.0 April 2015 2. Overview The OIDC Mobile Profile is based on OpenID Connect 1.0 intended to be appropriate for use by Mobile Network Operators (MNOs) providing identity services to Relaying Parties (RPs). This specification defines the dynamic client registration process for OIDC Mobile Profile and describes how an OpenID Connect Relying Party can dynamically register with the End-User's Mobile Network Operator and obtain the information needed to use it with multiple MNOs. 3. Client Registration 3.1 Registration Credentials 3.2 Software Statement OAuth Signature algorithm Issuer (Registry) Redirect-URI Display name/homepage/tos/... Token and OAuth method scopes Claims (not supported yet) Grant types, registration types (unique uses) Allowed acus Software ID gti Registry tos [Editor's note:] Cross-check with HEART and Blue Button Plus. Multiple Software Statement per Software ID. 3.3 Error Response [Editor's note:] Error message should include the scenario when an OP blocks a RP. 4. Security Considerations [Editor's note:] Define authentication mechanism. Start with RSA and define minimum and maximum key length. 5. Privacy Considerations TBD 6. IANA Considerations This document makes no requests of IANA. 7. Normative References [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", draft-ietf-oauth-json-web-token (work in progress), May 2013. [OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, "OpenID Connect Standard 1.0", December 2013. [OpenID.Discovery] Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0", September 2014. [OpenID.Registration] Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect Dynamic Client Registration 1.0", December 2013. [OAuth.Registration] Richer, J., Jones, M., Bradley, J., Machulak, M., and P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", draft-ietf-oauth-dyn-reg (work in progress), March 2015. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012. Hjelm & Bradley Expires October 9, 2015 [Page 3] OIDC Mobile Registration Profile 1.0 April 2015 [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, October 2012. Appendix A. Acknowledgements The following have contributed to the development of this specification. Appendix B. Notices Copyright (c) 2014 The OpenID Foundation. The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non- infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification. Hjelm & Bradley Expires October 9, 2015 [Page 4] OIDC Mobile Registration Profile 1.0 April 2015 Appendix C. Document History [[ To be removed from the final specification ]] -01 o Initial draft o Added OIDF Standard Notice Authors' Addresses Bjorn Hjelm Verizon Email: bjorn.hjelm@verizon.com John Bradley Ping Identity Email: jbradley@pingidentity.com Hjelm & Bradley Expires October 9, 2015 [Page 5]