OpenID Connect Discovery 1.0

In order for an OpenID client to utilize OpenID services for a user, the client needs to know where the OpenID provider is. OpenID Connect uses Simple Web Discovery to locate the openID Connect provider for a end-user. This document describes the OpenID Connect specific parts related to Simple Web Discovery. Once a OpenID provider is identified, the endpoint and other configuration information for that provider is retreved from a well known location as a JSON document.

An application obtaining authorization and making protected resource requests. A human resource owner. A human resource owner that is the target of a request in Simple Web Discovery. Authorization Servers that are able to support OpenID Connect Messages. The unique identifyer of the OpenID Provider. Client and Resource Servers. The Authorization Server's endpoint capable of authenticating the End-User and obtaining authorization. An unique identifier that the client uses to identify itself to the OP. The Authorization Server's HTTP endpoint capable of issuing tokens. End-User Authentication, & Authorization endpoint. The endpoint to which the OP responses are returned through redirect. A protected resource that when presented with a token by the client returns authorized information about the current user. The Authorization Servers endpoint that takes a ID_Token or access token as input and returns a unpacked JSON representation of a ID_Token. An Identifier is either a "http" or "https" URI, (commonly referred to as a "URL" within this document), or an account URI. This document defines various kinds of Identifiers, designed for use in different contexts.

Provider discovery is optional, If a RP knows through an out of band mechinisim that all identifiers containing particular have the same issuer then they can ship this step and procede to Section 4. Provider discovery Simple Web Discovery requires the following information to make a discovery request: principal - identifier of the target end user who is the subject of the discovery request host - server where a Simple Web Discovery service is hosted service - URI of the service whose location is requested OpendID Connect has the following discoverable service in Simple Web Discovery: Service Type URI OpenID Issuer http://openid.net/specs/cc/1.0/issuer To start discovery of OpenID end points, the end-user supplies an identifier to the client or relying party. The client performs normalization rules to the identifier to extract the principal and host. Then it makes a HTTPS request the host's Simple Web Discovery endpoint with the principal and service parameters to obtain the location of the requested service. What MUST be returned in the response is the Java origin of the Issuer. This includes URI scheme HOST and port.

The user identifier can be one of the following: Hostname Email address URL Identifiers starting with the XRI characters ('=','@', and '!') are reserved. Any identifier that contains the character '@' in any other position other than the first position must be treated as an email address.

If the identifier is the hostname, then the hostname is used as both the principal and host in Simple Web Discovery request. This results in a directed identity request.

If the identifier is an email address, the principal is the email address and the host is the portion to the right of the '@' character.

A URL identifier is normalized according to the following rules: If the URL does not have a "http" or "https" scheme, the string "https://" is prefixed to the URL. If the URL contains a fragment part, it MUST be stripped off together with the fragment delimiter character "#". The resulting URL is used as the principal and the host is extracted from it according to URI syntax rules.

To find the authorization endpoint for the given hostname, "example.com", the SWD parameters are as follows: SWD Parameter Value principal example.com host example.com service http://openid.net/specs/cc/1.0/issuer Following the SWD specification, the client would make the following request to get the discovery information:

To find the authorization endpoint for the given email address, "joe@example.com", the SWD parameters are as follows: SWD Parameter Value principal joe@example.com host example.com service http://openid.net/specs/cc/1.0/issuer Following the SWD specification, the client would make the following request to get the discovery information:

To find the authorization endpoint for the given URL, 'https://example.com/joe", the SWD parameters are as follows: SWD Parameter Value principal https://example.com/joe host example.com service http://openid.net/specs/cc/1.0/issuer Following the SWD specification, the client would make the following request to get the discovery information:

In cases where the SWD request is handled at a host or location other than the one derived from the end-user's identifier, the host will return a JSON object containing the new location.

This step is optional. The provider endpoints and configuration information may be provided out of band. Using the Issuer ID discoverd in Section 3 or through direct configuration the openID providers configuration can be retreved. OpenID providers MUST make available a JSON document at the path .well-known/openid-configuration. The syntax and semantics of ".well-known" are defined in RFC 5785 . "openid-configuration" MUST point to a JSON document compliant with this specification. OpenID providers MUST support receiving SWD requests via TLS 1.2 as defined in RFCRFC 5246 and MAY support other transport layer security mechanisms of equivalent security.

A Provider Configuration Document is queried using a HTTPS GET request with the previously specified path. The client would make the following request to get the Configuration information

The response is a set of claims about the OpenID Providers configuration, including all neccicary endpoint, supported scope, and public key location information. The response MUST return a plain text JSON object that contains a set of claims that are a subset of those defined below. Other claims MAY also be returned. Claim Type Description authorization_endpoint string URI of the providers Authentication & Authorization Endpoint. token_endpoint string URI of the providers Token introspection_endpoint string URI of the providers IDToken Introspection Endpoint user_info_endpoint string URI of the providers User Information Endpoint session_management_endpoint string URI of the providers Session Management Endpoint swk_endpoint string URI of the providers Simple Web Key "SWK" Document registration_endpoint string URI of the providers Simple Registration endpoint scopes_supported string A comma separated list of the OAuth 2.0 scopes which this server supports. The server MUST support the openid scope. flows_supported string A comma separated list of the OAuth 2.0 flows which this server supports. The server MUST support the code flow. eaa_supported string A comma separated list of the eaa which this server supports Identidiers_supported string A comma separated list of the user identifyer types which this server supports Example response

Should the Should

Should issuer be in the Provider Configuration Response Should issuer ID be explicitly restricted to the https:// scheme.

This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC.