<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>OpenID Connect Simple Client
Registration 1.0 - draft 02</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Connect Simple Client
Registration 1.0 - draft 02">
<meta name="generator" content="xml2rfc v1.35 (http://xml.resource.org/)">
<style type='text/css'><!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
font-size: small; color: #000; background-color: #FFF;
margin: 2em;
}
h1, h2, h3, h4, h5, h6 {
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
font-weight: bold; font-style: normal;
}
h1 { color: #900; background-color: transparent; text-align: right; }
h3 { color: #333; background-color: transparent; }
td.RFCbug {
font-size: x-small; text-decoration: none;
width: 30px; height: 30px; padding-top: 2px;
text-align: justify; vertical-align: middle;
background-color: #000;
}
td.RFCbug span.RFC {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: bold; color: #666;
}
td.RFCbug span.hotText {
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: normal; text-align: center; color: #FFF;
}
table.TOCbug { width: 30px; height: 15px; }
td.TOCbug {
text-align: center; width: 30px; height: 15px;
color: #FFF; background-color: #900;
}
td.TOCbug a {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-weight: bold; font-size: x-small; text-decoration: none;
color: #FFF; background-color: transparent;
}
td.header {
font-family: arial, helvetica, sans-serif; font-size: x-small;
vertical-align: top; width: 33%;
color: #FFF; background-color: #666;
}
td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
td.author-text { font-size: x-small; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a { font-weight: bold; }
a:link { color: #900; background-color: transparent; }
a:visited { color: #633; background-color: transparent; }
a:active { color: #633; background-color: transparent; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small; }
p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
/* RFC-2629 <spanx>s and <artwork>s. */
em { font-style: italic; }
strong { font-weight: bold; }
dfn { font-weight: bold; font-style: normal; }
cite { font-weight: normal; font-style: normal; }
tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
font-family: "Courier New", Courier, monospace; font-size: small;
}
pre {
text-align: left; padding: 4px;
color: #000; background-color: #CCC;
}
pre dfn { color: #900; }
pre em { color: #66F; background-color: #FFC; font-weight: normal; }
pre .key { color: #33C; font-weight: bold; }
pre .id { color: #900; }
pre .str { color: #000; background-color: #CFF; }
pre .val { color: #066; }
pre .rep { color: #909; }
pre .oth { color: #000; background-color: #FCF; }
pre .err { background-color: #FCC; }
/* RFC-2629 <texttable>s. */
table.all, table.full, table.headers, table.none {
font-size: small; text-align: center; border-width: 2px;
vertical-align: top; border-collapse: collapse;
}
table.all, table.full { border-style: solid; border-color: black; }
table.headers, table.none { border-style: none; }
th {
font-weight: bold; border-color: black;
border-width: 2px 2px 3px 2px;
}
table.all th, table.full th { border-style: solid; }
table.headers th { border-style: none none solid none; }
table.none th { border-style: none; }
table.all td {
border-style: solid; border-color: #333;
border-width: 1px 2px;
}
table.full td, table.headers td, table.none td { border-style: none; }
hr { height: 1px; }
hr.insert {
width: 80%; border-style: none; border-width: 0;
color: #CCC; background-color: #CCC;
}
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Network Working Group</td><td class="header">N. Sakimura</td></tr>
<tr><td class="header">Internet-Draft</td><td class="header">NRI</td></tr>
<tr><td class="header">Intended status: Experimental</td><td class="header">J. Bradley, Ed.</td></tr>
<tr><td class="header">Expires: December 18, 2011</td><td class="header">Protiviti Government Services</td></tr>
<tr><td class="header"> </td><td class="header">M. Jones</td></tr>
<tr><td class="header"> </td><td class="header">Microsoft</td></tr>
<tr><td class="header"> </td><td class="header">June 16, 2011</td></tr>
</table></td></tr></table>
<h1><br />OpenID Connect Simple Client
Registration 1.0 - draft 02<br />draft-openid-connect-SCR-0_1.xml</h1>
<h3>Abstract</h3>
<p>OpenID Connect is an identity framework that provides authentication,
authorization, and attribute transmition capability. It allows third
party attested claims from distributed sources. The specification suite
consists of Core, Protocol Bindings, Dynamic Registration, Discovery,
and Extensions. This specification is the "Dynamic Registration" part of
the suite that defines how clients register with openID providers.
</p>
<h3>Requirements Language</h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a class='info' href='#RFC2119'>RFC 2119<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a> [RFC2119].
</p>
<h3>Status of this Memo</h3>
<p>
This Internet-Draft is submitted in full
conformance with the provisions of BCP 78 and BCP 79.</p>
<p>
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.</p>
<p>
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any time.
It is inappropriate to use Internet-Drafts as reference material or to cite
them other than as “work in progress.”</p>
<p>
This Internet-Draft will expire on December 18, 2011.</p>
<h3>Copyright Notice</h3>
<p>
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.</p>
<p>
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.</p>
<a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Introduction<br />
<a href="#terminology">2.</a>
Terminology<br />
<a href="#anchor2">3.</a>
Discovery<br />
<a href="#anchor3">4.</a>
Client Registration Endpoint<br />
<a href="#anchor4">4.1.</a>
Request<br />
<a href="#anchor5">4.2.</a>
Response<br />
<a href="#anchor6">5.</a>
Other Items for Consideration<br />
<a href="#IANA">6.</a>
IANA Considerations<br />
<a href="#Security">7.</a>
Security Considerations<br />
<a href="#Acknowledgements">8.</a>
Acknowledgements<br />
<a href="#rfc.references1">9.</a>
Normative References<br />
<a href="#rfc.authors">§</a>
Authors' Addresses<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.
Introduction</h3>
<p>In order for an OpenID client to utilize OpenID services for a user,
the client needs to register with the OpenID provider to aquire a client
ID and shared secret. This document describes how a new client can
register with the provider, and how a client allready in posetion of a
client_id can retreve updated registration information.
</p>
<p>The Client Registration endpoint may be co-resident with the token
endpoint as an optimization in some deplyments.
</p>
<a name="terminology"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.
Terminology</h3>
<p></p>
<blockquote class="text"><dl>
<dt>Client</dt>
<dd>An application obtaining authorization and
making protected resource requests.
</dd>
<dt>End-user</dt>
<dd>A human resource owner.
</dd>
<dt>Principal</dt>
<dd>A human resource owner that is the target of
a request in Simple Web Discovery.
</dd>
<dt>OpenID Provider (OP)</dt>
<dd>Authorization Servers that are
able to support OpenID Connect Messages.
</dd>
<dt>Relying Party (RP)</dt>
<dd>Client and Resource Servers.
</dd>
<dt>End-User Authorization Endpoint</dt>
<dd>The Authorization
Server's endpoint capable of authenticating the End-User and
obtaining authorization.
</dd>
<dt>Client Identifier</dt>
<dd>An unique identifier that the client
uses to identify itself to the OP.
</dd>
<dt>Token Endpoint</dt>
<dd>The Authorization Server's HTTP
endpoint capable of issuing tokens.
</dd>
<dt>OP Endpoints</dt>
<dd>End-User Authentication, Authorization,
and Token Endpoint.
</dd>
<dt>RP Endpoints</dt>
<dd>The endpoint to which the OP responses
are returned through redirect.
</dd>
<dt>UserInfo Endpoint</dt>
<dd>A protected resource that when
presented with a token by the client returns authorized information
about the current user.
</dd>
<dt>Identifier</dt>
<dd>An Identifier is either a "http" or "https"
URI, (commonly referred to as a "URL" within this document), or an
account URI. This document defines various kinds of Identifiers,
designed for use in different contexts.
</dd>
</dl></blockquote>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.
Discovery</h3>
<p>OpenID Connect uses the registration_endpoint from the Provider
Configuration Response <a class='info' href='#OCD'>Sec 4.2<span> (</span><span class='info'>Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Discovery 1.0,” July 2011.</span><span>)</span></a> [OCD].
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.
Client Registration Endpoint</h3>
<p>The Client Registration Endpoint returns registration information for
the client to configure itself for the openID provider.
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.
Request</h3>
<p>Clients MAY send POST requests with the following parameters form
encoded in the POST body to the Client Registration Endpoint.
</p>
<p></p>
<blockquote class="text"><dl>
<dt>type</dt>
<dd>REQUIRED values "client_associate",
"client_update"
</dd>
<dt>client_id</dt>
<dd>OPTIONAL. used with "client_update"
</dd>
<dt>client_secret</dt>
<dd>OPTIONAL used with "client_update"
</dd>
<dt>contact</dt>
<dd>OPTIONAL comma separated list email
addresses for people allowed to administer the application.
</dd>
<dt>application_type</dt>
<dd>OPTIONAL "native" or "web"
</dd>
<dt>application_name to be </dt>
<dd>OPTIONAL Name of the
application to be presented to the user.
</dd>
<dt>logo_url</dt>
<dd>OPTIONAL url that a logo for the
application can be retreved from.
</dd>
<dt>redirect_url</dt>
<dd>OPTIONAL comma separated list of
redirect URL
</dd>
<dt>js_origin_url</dt>
<dd>OPTIONAL comma separated list of Java
Script Origins (used for Post Message flow)
</dd>
<dt>jwk_url</dt>
<dd>OPTIONAL URL for the RP's <a class='info' href='#JWK'>JSON Web Key<span> (</span><span class='info'>Jones, M., “JSON Web Key (JWK),” April 2011.</span><span>)</span></a> [JWK]
</dd>
</dl></blockquote><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>POST /oauth/token
type=client_associate&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2callback HTTP/1.1
Host: server.example.com
</pre></div>
<a name="anchor5"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2"></a><h3>4.2.
Response</h3>
<p>The response is returned as a JSON object with all the paramaters
as top level elements.
</p>
<p></p>
<blockquote class="text"><dl>
<dt>client_id</dt>
<dd>REQUIRED The unique client identifier
</dd>
<dt>client_secret</dt>
<dd>REQUIRED The client secret. This
should change with each response.
</dd>
<dt>expires_in</dt>
<dd>REQUIRED The number of seconds that this
id and secret are good for or "0" if it does not expire.
</dd>
</dl></blockquote>
<p>The following is an example resp[onse.
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"client_id":"SlAV32hkKG",
"client_secret":"cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
"expires_in":3600
}</pre></div><p>
</p>
<a name="anchor6"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.
Other Items for Consideration</h3>
<p>
</p>
<a name="IANA"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.6"></a><h3>6.
IANA Considerations</h3>
<p>This document makes no request of IANA.
</p>
<p>Note to RFC Editor: this section may be removed on publication as an
RFC.
</p>
<a name="Security"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.7"></a><h3>7.
Security Considerations</h3>
<p>Since requests to the client registration endpoint result in the
transmission of clear-text credentials (in the HTTP request and
response), the server MUST require the use of a transport-layer security
mechanism when sending requests to the token endpoint. The server MUST
support TLS 1.2 as defined in [RFC5246], and MAY support additional
transport-layer mechanisms meeting its security requirements.
</p>
<a name="Acknowledgements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.8"></a><h3>8.
Acknowledgements</h3>
<p>
</p>
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>9. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="JWK">[JWK]</a></td>
<td class="author-text">Jones, M., “JSON Web Key (JWK),” April 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="JWS">[JWS]</a></td>
<td class="author-text">Jones, M., Balfanz, D., Bradley, J., Goland, Y., Panzer, J., Sakimura, N., and P. Tarjan, “<a href="http://self-issued.info/docs/draft-jones-json-web-signature-01.html">JSON Web Signatures</a>,” March 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="JWT">[JWT]</a></td>
<td class="author-text">Jones, M., Balfanz, D., Bradley, J., Goland, Y., Panzer, J., Sakimura, N., and P. Tarjan, “<a href="http://self-issued.info/docs/draft-jones-json-web-token-03.html">JSON Web Token</a>,” March 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OCD">[OCD]</a></td>
<td class="author-text">Sakimura, N., Bradley, J., and M. Jones, “<a href="http://openid4.us/specs/ab/draft-openid-connect-discovery-0_1">OpenID Connect Discovery 1.0</a>,” July 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.2.0">[OpenID.2.0]</a></td>
<td class="author-text">specs@openid.net, “OpenID Authentication 2.0,” 2007 (<a href="http://www.openid.net/specs/openid-authentication-2_0.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-2_0.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.AB">[OpenID.AB]</a></td>
<td class="author-text">Sakimura, N., Ed., Bradley, J., de Madeiros, B., Ito, R., and M. Jones, “<a href="http://openid4.us/specs/ab/openid-connect-ab-1_0.html">OpenID Connect Artifact Binding 1.0</a>,” January 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.CC">[OpenID.CC]</a></td>
<td class="author-text">Recordon, D., Sakimura, N., Bradley, J., de Madeiros, B., and M. Jones, “<a href="http://openid4.us/specs/ab/openid-connect-core-1_0.html">OpenID Connect Connect Core 1.0</a>,” January 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="http://www.rfc-editor.org/rfc/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC3986">[RFC3986]</a></td>
<td class="author-text"><a href="mailto:timbl@w3.org">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com">Fielding, R.</a>, and <a href="mailto:LMM@acm.org">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>,” STD 66, RFC 3986, January 2005 (<a href="http://www.rfc-editor.org/rfc/rfc3986.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc3986.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc3986.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="SWD">[SWD]</a></td>
<td class="author-text">Jones, M., Ed. and Y. Goland, “<a href="http://self-issued.info/docs/draft-jones-simple-web-discovery-00.html">Simple Web Discovery</a>,” October 2010.</td></tr>
<tr><td class="author-text" valign="top"><a name="XRI_Syntax_2.0">[XRI_Syntax_2.0]</a></td>
<td class="author-text">Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005 (<a href="http://www.oasis-open.org/committees/download.php/15376/xri-syntax-V2.0-cs.html">HTML</a>, <a href="http://www.oasis-open.org/committees/download.php/15377/xri-syntax-V2.0-cs.pdf">PDF</a>).</td></tr>
</table>
<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Nat Sakimura</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Nomura Research Institute,
Ltd.</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">John Bradley (editor)</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Protiviti
Government Services</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:jbradley@mac.com">jbradley@mac.com</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Mike Jones</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Microsoft Corporation</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a></td></tr>
</table>
</body></html>