<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: OpenID Connect Discovery 1.0 - draft 06</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Connect Discovery 1.0 - draft 06">
<meta name="generator" content="xml2rfc v1.36 (http://xml.resource.org/)">
<style type='text/css'><!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
font-size: small; color: #000; background-color: #FFF;
margin: 2em;
}
h1, h2, h3, h4, h5, h6 {
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
font-weight: bold; font-style: normal;
}
h1 { color: #900; background-color: transparent; text-align: right; }
h3 { color: #333; background-color: transparent; }
td.RFCbug {
font-size: x-small; text-decoration: none;
width: 30px; height: 30px; padding-top: 2px;
text-align: justify; vertical-align: middle;
background-color: #000;
}
td.RFCbug span.RFC {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: bold; color: #666;
}
td.RFCbug span.hotText {
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: normal; text-align: center; color: #FFF;
}
table.TOCbug { width: 30px; height: 15px; }
td.TOCbug {
text-align: center; width: 30px; height: 15px;
color: #FFF; background-color: #900;
}
td.TOCbug a {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-weight: bold; font-size: x-small; text-decoration: none;
color: #FFF; background-color: transparent;
}
td.header {
font-family: arial, helvetica, sans-serif; font-size: x-small;
vertical-align: top; width: 33%;
color: #FFF; background-color: #666;
}
td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
td.author-text { font-size: x-small; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a { font-weight: bold; }
a:link { color: #900; background-color: transparent; }
a:visited { color: #633; background-color: transparent; }
a:active { color: #633; background-color: transparent; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small; }
p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
/* RFC-2629 <spanx>s and <artwork>s. */
em { font-style: italic; }
strong { font-weight: bold; }
dfn { font-weight: bold; font-style: normal; }
cite { font-weight: normal; font-style: normal; }
tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
font-family: "Courier New", Courier, monospace; font-size: small;
}
pre {
text-align: left; padding: 4px;
color: #000; background-color: #CCC;
}
pre dfn { color: #900; }
pre em { color: #66F; background-color: #FFC; font-weight: normal; }
pre .key { color: #33C; font-weight: bold; }
pre .id { color: #900; }
pre .str { color: #000; background-color: #CFF; }
pre .val { color: #066; }
pre .rep { color: #909; }
pre .oth { color: #000; background-color: #FCF; }
pre .err { background-color: #FCC; }
/* RFC-2629 <texttable>s. */
table.all, table.full, table.headers, table.none {
font-size: small; text-align: center; border-width: 2px;
vertical-align: top; border-collapse: collapse;
}
table.all, table.full { border-style: solid; border-color: black; }
table.headers, table.none { border-style: none; }
th {
font-weight: bold; border-color: black;
border-width: 2px 2px 3px 2px;
}
table.all th, table.full th { border-style: solid; }
table.headers th { border-style: none none solid none; }
table.none th { border-style: none; }
table.all td {
border-style: solid; border-color: #333;
border-width: 1px 2px;
}
table.full td, table.headers td, table.none td { border-style: none; }
hr { height: 1px; }
hr.insert {
width: 80%; border-style: none; border-width: 0;
color: #CCC; background-color: #CCC;
}
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">N. Sakimura</td></tr>
<tr><td class="header"> </td><td class="header">NRI</td></tr>
<tr><td class="header"> </td><td class="header">J. Bradley, Ed.</td></tr>
<tr><td class="header"> </td><td class="header">Independent</td></tr>
<tr><td class="header"> </td><td class="header">M. Jones</td></tr>
<tr><td class="header"> </td><td class="header">Microsoft</td></tr>
<tr><td class="header"> </td><td class="header">E. Jay</td></tr>
<tr><td class="header"> </td><td class="header">MGI1</td></tr>
<tr><td class="header"> </td><td class="header">September 30, 2011</td></tr>
</table></td></tr></table>
<h1><br />OpenID Connect Discovery 1.0 - draft 06</h1>
<h3>Abstract</h3>
<p>OpenID Connect is an identity protocol that provides authentication,
authorization, and attribute transmission capability. It allows third
party attested claims from distributed sources. The specification suite
builds on OAuth 2.0 and consists of Building Blocks (Messages,
Discovery, Dynamic Client Registration, Session Management, JSON Web
Token, JSON Web Signature, JSON WEB Encryption, JSON Web Keys, Simple
Web Discovery), Protocol Bindings (e.g., Standard and Basic Client) and
Extensions. This specification is the "Discovery" part of the suite that
defines how user and server endpoints are discovered.
</p>
<h3>Requirements Language</h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a class='info' href='#RFC2119'>RFC 2119<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a> [RFC2119].
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Introduction<br />
<a href="#terminology">2.</a>
Terminology<br />
<a href="#ProviderDisc">3.</a>
Provider Discovery<br />
<a href="#anchor2">3.1.</a>
Identifier Normalization<br />
<a href="#anchor3">3.1.1.</a>
Identifier Type<br />
<a href="#anchor4">3.1.2.</a>
E-mail Address<br />
<a href="#anchor5">3.1.3.</a>
URL<br />
<a href="#anchor6">3.2.</a>
Non-Normative Examples<br />
<a href="#anchor7">3.2.1.</a>
E-Mail Address<br />
<a href="#anchor8">3.2.2.</a>
URL<br />
<a href="#anchor9">3.2.3.</a>
Account URI<br />
<a href="#anchor10">3.2.4.</a>
Hostname & Port<br />
<a href="#anchor11">3.3.</a>
Redirection<br />
<a href="#anchor12">3.4.</a>
Error<br />
<a href="#ProviderConfig">4.</a>
Provider Configuration Information<br />
<a href="#anchor13">4.1.</a>
Provider Configuration Request<br />
<a href="#anchor14">4.2.</a>
Provider Configuration Response<br />
<a href="#anchor15">4.3.</a>
Provider Configuration Verification<br />
<a href="#IANA">5.</a>
IANA Considerations<br />
<a href="#Security">6.</a>
Security Considerations<br />
<a href="#anchor16">7.</a>
Open Issues and Things To Be Done (TBD)<br />
<a href="#rfc.references1">8.</a>
References<br />
<a href="#rfc.references1">8.1.</a>
Normative References<br />
<a href="#rfc.references2">8.2.</a>
Informative References<br />
<a href="#Acknowledgements">Appendix A.</a>
Acknowledgements<br />
<a href="#anchor19">Appendix B.</a>
Document History<br />
<a href="#rfc.authors">§</a>
Authors' Addresses<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.
Introduction</h3>
<p>In order for an OpenID client to utilize OpenID Connect services for
a user, the client needs to know where the OpenID Provider is. OpenID
Connect uses <a class='info' href='#SWD'>Simple Web Discovery<span> (</span><span class='info'>Jones, M., Ed. and Y. Goland, “Simple Web Discovery,” July 2011.</span><span>)</span></a> [SWD] to locate
the OpenID Provider for an end-user.
</p>
<p>Once an OpenID Provider is identified, the endpoint and other
configuration information for that OP is retrieved from a well-known
location as a JSON document.
</p>
<a name="terminology"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.
Terminology</h3>
<p>In addition to the terms "Access Token", "Refresh Token",
"Authorization Code", "Authorization Grant", "Authorization Server",
"Authorization Endpoint", "Client", "Client Identifier", "Client
Secret", "Protected Resource", "Resource Owner", "Resource Server", and
"Token Endpoint" that are defined by <a class='info' href='#OAuth2.0'>OAuth
2.0<span> (</span><span class='info'>Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” July 2011.</span><span>)</span></a> [OAuth2.0], and the terminology defined in the <a class='info' href='#OpenID.Messages'>OpenID Connect Messages 1.0<span> (</span><span class='info'>Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Messages 1.0,” September 2011.</span><span>)</span></a> [OpenID.Messages]
specification, the following terms are defined:</p>
<blockquote class="text"><dl>
<dt>Principal</dt>
<dd>A resource that is the target of a request
in Simple Web Discovery.
</dd>
<dt>Issuer</dt>
<dd>A verifiable identifier for the OpenID
Provider. An <tt>issuer</tt> is a HTTPS URL with
no path component.
</dd>
<dt>Identifier</dt>
<dd>An Identifier is either an <tt>http</tt> or <tt>https</tt> URI
(commonly referred to as a <tt>URL</tt> within
this document), or an account URI. This document defines various
kinds of Identifiers, designed for use in different contexts.
</dd>
</dl></blockquote>
<a name="ProviderDisc"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.
Provider Discovery</h3>
<p>OpenID Provider discovery is optional; if a Relying Party knows the
OP information through an out-of-band mechanism, they can skip this step
and proceed to <a class='info' href='#ProviderConfig'>Section 4<span> (</span><span class='info'>Provider Configuration Information</span><span>)</span></a>.
</p>
<p>Provider discovery requires the following information to make a
discovery request:
</p>
<p></p>
<blockquote class="text"><dl>
<dt>Principal</dt>
<dd>Identifier of the target end-user who is the
subject of the discovery request
</dd>
<dt>Host</dt>
<dd>Server where a Simple Web Discovery service is
hosted
</dd>
<dt>Service</dt>
<dd>URI identifying the type of service whose
location is requested
</dd>
</dl></blockquote>
<p>OpenID Connect uses the following discoverable service in Simple Web
Discovery (SWD):
</p><table class="all" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">Service Type</th><th align="left">URI</th></tr>
<tr>
<td align="left">OpenID Connect Issuer</td>
<td align="left">http://openid.net/specs/connect/1.0/issuer</td>
</tr>
</table>
<br clear="all" />
<p>To start discovery of OpenID end points, the end-user supplies an
identifier to the client or relying party. The client performs
normalization rules to the identifier to extract the principal and host.
Then it makes a HTTPS request to the host's Simple Web Discovery
endpoint with the <tt>principal</tt> and <tt>service</tt> parameters to obtain the location of the
requested service.
</p>
<p>What MUST be returned in the response is the <tt>issuer</tt>.
This includes URI scheme, HOST, and OPTIONALLY, port.
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.1"></a><h3>3.1.
Identifier Normalization</h3>
<p>The purpose of normalization is to extract a normalized principal
and host from the user input. This is then used as input to SWD to
discover the <tt>issuer</tt>.
</p>
<p>The user identifier can be one of the following:
</p>
<p></p>
<ul class="text">
<li>xri
</li>
<li>E-mail address
</li>
<li>URL
</li>
</ul>
<p>The identifier normalization rules are not extensible.
</p>
<p>URLs without a host segment are not supported by this discovery
specification.
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.1.1"></a><h3>3.1.1.
Identifier Type</h3>
<p></p>
<ol class="text">
<li>Identifiers starting with the <a class='info' href='#XRI_Syntax_2.0'>XRI<span> (</span><span class='info'>Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005.</span><span>)</span></a> [XRI_Syntax_2.0] characters ('=','@', and '!')
are reserved. Processing of these is out of scope for this
document.
</li>
<li>Any identifier that contains the character '@' in any other
position other than the first position must be treated as an
e-mail address.
</li>
<li>All other identifiers are treated as a URL.
</li>
</ol>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.1.2"></a><h3>3.1.2.
E-mail Address</h3>
<p>If the identifier is an e-mail address, the principal is the
e-mail address and the host is the portion to the right of the '@'
character.
</p>
<a name="anchor5"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.1.3"></a><h3>3.1.3.
URL</h3>
<p>A URL identifier is normalized according to the following
rules:
</p>
<p></p>
<ul class="text">
<li>If the URL does not have a Scheme part, the string "https://"
is prefixed to the URL as the <a class='info' href='#RFC3986'>Scheme<span> (</span><span class='info'>Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.</span><span>)</span></a> [RFC3986].
</li>
<li>If the URL contains a fragment part, it MUST be stripped off
together with the fragment delimiter character "#".
</li>
<li>The resulting URL is used as the principal and the host is
extracted from it according to <a class='info' href='#RFC3986'>URI<span> (</span><span class='info'>Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.</span><span>)</span></a> [RFC3986]
syntax rules.
</li>
</ul>
<a name="anchor6"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2"></a><h3>3.2.
Non-Normative Examples</h3>
<a name="anchor7"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2.1"></a><h3>3.2.1.
E-Mail Address</h3>
<p>To find the <tt>issuer</tt> for the given
e-mail address, <tt>joe@example.com</tt>, the SWD
parameters are as follows:
</p><table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">SWD Parameter</th><th align="left">Value</th></tr>
<tr>
<td align="left">principal</td>
<td align="left">joe@example.com</td>
</tr>
<tr>
<td align="left">host</td>
<td align="left">example.com</td>
</tr>
<tr>
<td align="left">service</td>
<td align="left">http://openid.net/specs/connect/1.0/issuer</td>
</tr>
</table>
<br clear="all" />
<p>Following the SWD specification, the client would make the
following request to get the discovery information:
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/simple-web-discovery?principal=joe%40example%2Ecom&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.com
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"locations":["https://example.com/auth"]
}</pre></div><p>
</p>
<a name="anchor8"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2.2"></a><h3>3.2.2.
URL</h3>
<p>To find the <tt>issuer</tt> for the given URL,
<tt>https://example.com/joe</tt>, the SWD
parameters are as follows:
</p><table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">SWD Parameter</th><th align="left">Value</th></tr>
<tr>
<td align="left">principal</td>
<td align="left">https://example.com/joe</td>
</tr>
<tr>
<td align="left">host</td>
<td align="left">example.com</td>
</tr>
<tr>
<td align="left">service</td>
<td align="left">http://openid.net/specs/connect/1.0/issuer</td>
</tr>
</table>
<br clear="all" />
<p>Following the SWD specification, the client would make the
following request to get the discovery information:
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/simple-web-discovery?principal=https%3A%2F%2Fexample%2Ecom%2Fjoe&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.com
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"locations":["https://example.com"]
}</pre></div><p>
</p>
<a name="anchor9"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2.3"></a><h3>3.2.3.
Account URI</h3>
<p>To find the <tt>issuer</tt> for the given URI,
<tt>acct://joe@example.com</tt>, the SWD
parameters are as follows:
</p><table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">SWD Parameter</th><th align="left">Value</th></tr>
<tr>
<td align="left">principal</td>
<td align="left">acct://joe@example.com/</td>
</tr>
<tr>
<td align="left">host</td>
<td align="left">example.com</td>
</tr>
<tr>
<td align="left">service</td>
<td align="left">http://openid.net/specs/connect/1.0/issuer</td>
</tr>
</table>
<br clear="all" />
<p>Following the SWD specification, the client would make the
following request to get the discovery information:
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/simple-web-discovery?principal=acct%3A%2F%2Fjoe%40example%2Ecom%2F&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.com
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"locations":["https://example.com"]
}</pre></div><p>
</p>
<a name="anchor10"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2.4"></a><h3>3.2.4.
Hostname & Port</h3>
<p>To find the <tt>issuer</tt> for the given
hostname, <tt>example.com:8080</tt>, the SWD
parameters are as follows:
</p><table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">SWD Parameter</th><th align="left">Value</th></tr>
<tr>
<td align="left">principal</td>
<td align="left">https://example.com:8080/</td>
</tr>
<tr>
<td align="left">host</td>
<td align="left">example.com:8080</td>
</tr>
<tr>
<td align="left">service</td>
<td align="left">http://openid.net/specs/connect/1.0/issuer</td>
</tr>
</table>
<br clear="all" />
<p>Following the SWD specification, the client would make the
following request to get the discovery information:
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/simple-web-discovery?principal=https%3A%2F%2Fexample%2Ecom%3A8080%2F&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.com:8080
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"locations":["https://example.com"]
}</pre></div><p>
</p>
<a name="anchor11"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.3"></a><h3>3.3.
Redirection</h3>
<p>In cases where the SWD request is handled at a host or location
other than the one derived from the end-user's identifier, the host
will return a JSON object containing the new location.
</p>
<p>To enable service level redirection a SWD server MAY return a 200
O.k. to an HTTPS request with a content type of application/json (or
whatever other content type has been negotiated) that contains a JSON
object that contains a member pair whose name is the string
"SWD_service_redirect" whose value is a JSON object with a member pair
whose name is "location" and whose value is a string that encodes a
URI. Optionally the JSON object value of "SWD_service_redirect" MAY
also contain a member whose name is "expires" and whose value is a
JSON number that encodes an integer.
</p>
<p>The "location" member identifies the URI that the caller MUST
redirect all SWD requests for that domain to until the "expires" time
is met. SWD requests for the redirected domain MUST be constructed by
taking the URI returned in the "location" and using it as the base URI
to which the SWD form arguments are then added as query parameters.
The location URI MUST NOT include a query component.
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/simple-web-discovery?principal=joe%40example%2Ecom&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.com
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"SWD_service_redirect":
{
"location":"https://example.net/swd_server"
}
}
GET /swd_server?principal=joe%40example%2Ecom&service=http%3A%2F%2Fopenid%2Enet%2Fspecs%2Fconnect%2F1%2E0%2Fissuer HTTP/1.1
Host: example.net
HTTP/1.1 200 O.K.
Content-Type: application/json
{
"locations":["https://example.net/auth"]
}</pre></div><p>
</p>
<a name="anchor12"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.4"></a><h3>3.4.
Error</h3>
<p>If the Simple Web Discovery endpoint is unreachable or returns an
error, then the RP may prepend https: to the host from <a class='info' href='#ProviderDisc'>Sec 3.1<span> (</span><span class='info'>Provider Discovery</span><span>)</span></a> and use that as the <tt>issuer</tt>.
</p>
<a name="ProviderConfig"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.
Provider Configuration Information</h3>
<p>This step is optional. The OpenID Provider endpoints and
configuration information may be obtained out-of-band.
</p>
<p>Using the <tt>issuer</tt> discovered in <a class='info' href='#ProviderDisc'>Section 3<span> (</span><span class='info'>Provider Discovery</span><span>)</span></a> or through direct configuration the OpenID
Provider's configuration can be retrieved.
</p>
<p>OpenID Providers MUST make available a JSON document at the path
.well-known/openid-configuration. The syntax and semantics of <tt>.well-known</tt> are defined in <a class='info' href='#RFC5785'>RFC 5785<span> (</span><span class='info'>Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” April 2010.</span><span>)</span></a> [RFC5785]. <tt>openid-configuration</tt>
MUST point to a JSON document compliant with this specification.
</p>
<p>OpenID Providers MUST support receiving SWD requests via TLS 1.2 as
defined in <a class='info' href='#RFC5246'>RFC 5246<span> (</span><span class='info'>Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.</span><span>)</span></a> [RFC5246] and MAY support other
transport layer security mechanisms of equivalent security.
</p>
<a name="anchor13"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.
Provider Configuration Request</h3>
<p>An OpenID Provider Configuration Document is queried using a HTTPS
GET request with the previously specified path.
</p>
<p>The client would make the following request to the <tt>issuer </tt>using TLS to get the Configuration
information
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>GET /.well-known/openid-configuration HTTP/1.1
Host: example.com
</pre></div><p>
</p>
<a name="anchor14"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2"></a><h3>4.2.
Provider Configuration Response</h3>
<p>The response is a set of claims about the OpenID Provider's
configuration, including all necessary endpoint, supported scope, and
public key location information.
</p>
<p>The response MUST return a plain text JSON object that contains a
set of claims that are a subset of those defined below.
</p>
<p>Claims that return multiple values are JSON arrays. Claims with 0
elements must be omitted from the response.
</p>
<p>Other claims MAY also be returned.
</p><br /><hr class="insert" />
<a name="ClaimTable"></a>
<table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left"><col align="left">
<tr><th align="left">Claim</th><th align="left">Type</th><th align="left">Description</th></tr>
<tr>
<td align="left">version</td>
<td align="left">string</td>
<td align="left">Version of the provider response. "3.0" is the default.</td>
</tr>
<tr>
<td align="left">issuer</td>
<td align="left">string</td>
<td align="left">The https: URL with no path component the OP asserts as <tt>its issuer identifier</tt></td>
</tr>
<tr>
<td align="left">authorization_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's Authentication and Authorization Endpoint <a class='info' href='#OpenID.Messages'>[OpenID.Messages]<span> (</span><span class='info'>Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Messages 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">token_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's OAuth 2.0 Token Endpoint <a class='info' href='#OpenID.Messages'>[OpenID.Messages]<span> (</span><span class='info'>Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Messages 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">user_info_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's UserInfo Endpoint <a class='info' href='#OpenID.Messages'>[OpenID.Messages]<span> (</span><span class='info'>Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Messages 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">check_id_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's Check ID Endpoint <a class='info' href='#OpenID.Session'>[OpenID.Session]<span> (</span><span class='info'>Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Session Management 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">refresh_session_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's Refresh Session Endpoint <a class='info' href='#OpenID.Session'>[OpenID.Session]<span> (</span><span class='info'>Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Session Management 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">end_session_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's End Session Endpoint <a class='info' href='#OpenID.Session'>[OpenID.Session]<span> (</span><span class='info'>Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Session Management 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">jwk_document</td>
<td align="left">string</td>
<td align="left">URL of the OP's JSON Web Key <a class='info' href='#JWK'>[JWK]<span> (</span><span class='info'>Jones, M., “JSON Web Key (JWK),” July 2011.</span><span>)</span></a>
document</td>
</tr>
<tr>
<td align="left">x509_url</td>
<td align="left">string</td>
<td align="left">URL of the OP's X.509 certificates in PEM format.</td>
</tr>
<tr>
<td align="left">registration_endpoint</td>
<td align="left">string</td>
<td align="left">URL of the OP's Dynamic Client Registration Endpoint <a class='info' href='#OpenID.Registration'>[OpenID.Registration]<span> (</span><span class='info'>Sakimura, N., Bradley, J., Ed., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” September 2011.</span><span>)</span></a></td>
</tr>
<tr>
<td align="left">scopes_supported</td>
<td align="left">array</td>
<td align="left">A JSON array containing a list of the <a class='info' href='#OAuth2.0'>OAuth 2.0<span> (</span><span class='info'>Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” July 2011.</span><span>)</span></a> [OAuth2.0] scopes that this server
supports. The server MUST support the <tt>openid</tt>
scope.</td>
</tr>
<tr>
<td align="left">flows_supported</td>
<td align="left">array</td>
<td align="left">A JSON array containing a list of the OAuth 2.0 flows that this
server supports. The server MUST support the code flow.</td>
</tr>
<tr>
<td align="left">iso29115_supported</td>
<td align="left">array</td>
<td align="left">A JSON array containing a list of the ISO 29115 assurance
contexts that this server supports.</td>
</tr>
<tr>
<td align="left">identifiers_supported</td>
<td align="left">array</td>
<td align="left">A JSON array containing a list of the user identifier types that
this server supports</td>
</tr>
</table>
<br clear="all" />
<table border="0" cellpadding="0" cellspacing="2" align="center"><tr><td align="center"><font face="monaco, MS Sans Serif" size="1"><b> Table 1: Reserved Claim Definitions </b></font><br /></td></tr></table><hr class="insert" />
<p>Example response
</p>
<p></p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>{
"authorization_endpoint": "https://example.com/connect/authorize",
"issuer" : "https://example.com",
"token_endpoint": "https://example.com/connect/token"
"user_info_endpoint": "https://example.com/connect/user",
"check_id_endpoint": "https://example.com/connect/check_id",
"refresh_session_endpoint": "https://example.com/connect/refresh_session",
"end_session_endpoint": "https://example.com/connect/end_session",
"jwk_document": "https://example.com/jwk.json",
"registration_endpoint": "https://example.com/connect/register",
"scopes_supported": ["openid"],
"flows_supported": ["code", "token"],
"iso29115_supported": ["http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf"],
"identifiers_supported": ["public", "ppid"]
}</pre></div><p>
</p>
<a name="anchor15"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3"></a><h3>4.3.
Provider Configuration Verification</h3>
<p>If the configuration response contains the <tt>issuer</tt>
element, the value MUST exactly match the <tt>issuer</tt>
URL that was used to retrieve it.
</p>
<a name="IANA"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.
IANA Considerations</h3>
<p>This document makes no request of IANA.
</p>
<a name="Security"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.6"></a><h3>6.
Security Considerations</h3>
<p>TBD
</p>
<a name="anchor16"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.7"></a><h3>7.
Open Issues and Things To Be Done (TBD)</h3>
<p>[[ To be removed from the final specification ]]
</p>
<p>Following items remain to be done in this draft:
</p>
<p></p>
<ul class="text">
<li>Should <tt>issuer</tt> be in the Provider
Configuration Response?
</li>
<li>Should <tt>issuer</tt> be explicitly
restricted to the https:// scheme?
</li>
</ul>
<a name="rfc.references"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.8"></a><h3>8.
References</h3>
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>8.1. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="JWK">[JWK]</a></td>
<td class="author-text">Jones, M., “<a href="http://self-issued.info/docs/draft-jones-json-web-key.html">JSON Web Key (JWK)</a>,” July 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.Messages">[OpenID.Messages]</a></td>
<td class="author-text">Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “<a href="http://openid.net/specs/openid-connect-messages-1_0.html">OpenID Connect Messages 1.0</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.Registration">[OpenID.Registration]</a></td>
<td class="author-text">Sakimura, N., Bradley, J., Ed., and M. Jones, “<a href="http://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration 1.0</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.Session">[OpenID.Session]</a></td>
<td class="author-text">Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “<a href="http://openid.net/specs/openid-connect-session-1_0.html">OpenID Connect Session Management 1.0</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="http://www.rfc-editor.org/rfc/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC3986">[RFC3986]</a></td>
<td class="author-text"><a href="mailto:timbl@w3.org">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com">Fielding, R.</a>, and <a href="mailto:LMM@acm.org">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>,” STD 66, RFC 3986, January 2005 (<a href="http://www.rfc-editor.org/rfc/rfc3986.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc3986.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc3986.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC5246">[RFC5246]</a></td>
<td class="author-text">Dierks, T. and E. Rescorla, “<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>,” RFC 5246, August 2008 (<a href="http://www.rfc-editor.org/rfc/rfc5246.txt">TXT</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC5785">[RFC5785]</a></td>
<td class="author-text">Nottingham, M. and E. Hammer-Lahav, “<a href="http://tools.ietf.org/html/rfc5785">Defining Well-Known Uniform Resource Identifiers (URIs)</a>,” RFC 5785, April 2010 (<a href="http://www.rfc-editor.org/rfc/rfc5785.txt">TXT</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="SWD">[SWD]</a></td>
<td class="author-text">Jones, M., Ed. and Y. Goland, “<a href="http://self-issued.info/docs/draft-jones-simple-web-discovery.html">Simple Web Discovery</a>,” July 2011.</td></tr>
</table>
<a name="rfc.references2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>8.2. Informative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="OAuth2.0">[OAuth2.0]</a></td>
<td class="author-text">Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “<a href="http://tools.ietf.org/html/draft-ietf-oauth-v2">OAuth 2.0 Authorization Protocol</a>,” July 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="XRI_Syntax_2.0">[XRI_Syntax_2.0]</a></td>
<td class="author-text">Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005 (<a href="http://www.oasis-open.org/committees/download.php/15376/xri-syntax-V2.0-cs.html">HTML</a>, <a href="http://www.oasis-open.org/committees/download.php/15377/xri-syntax-V2.0-cs.pdf">PDF</a>).</td></tr>
</table>
<a name="Acknowledgements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.A"></a><h3>Appendix A.
Acknowledgements</h3>
<p>
</p>
<a name="anchor19"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.B"></a><h3>Appendix B.
Document History</h3>
<p>[[ To be removed from the final specification ]]
</p>
<p>-06
</p>
<p></p>
<ul class="text">
<li>Changed Check Session Endpoint to Check ID Endpoint to match
Basic.
</li>
<li>Changed certs_url to x509_url to match registration and JWE
format.
</li>
</ul>
<p>-05</p>
<ul class="text">
<li>Ticket #46 Added text to 3.3
</li>
<li>Deleted duplicate check session endpoint from 4.2
</li>
<li>Ticket #40 Added clarification of issuer url to 4.2
</li>
<li>Ticket #39 Cleaned up issuer examples and added verification
text.
</li>
</ul>
<p>-04 </p>
<ul class="text">
<li>Changes associated with renaming "Lite" to "Basic Client" and
replacing "Core" and "Framework" with "Messages" and "Standard".
</li>
<li>Numerous cleanups, including updating references.
</li>
</ul>
<p>-03 </p>
<ul class="text">
<li>Corrected examples.
</li>
</ul>
<p>-02 </p>
<ul class="text">
<li>Correct issues raised by Johnny Bufu and discussed on the
7-Jul-11 working group call.
</li>
</ul>
<p>-01 </p>
<ul class="text">
<li>Incorporate working group decisions from 5-Jul-11 spec call.
</li>
<li>Consistency and cleanup pass, including removing unused
references.
</li>
</ul>
<p>-00 </p>
<ul class="text">
<li>Initial version based upon former openid-connect-swd-1_0
spec.
</li>
</ul>
<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Nat Sakimura</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Nomura Research Institute,
Ltd.</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">John Bradley (editor)</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Independent</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Michael B. Jones</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Microsoft Corporation</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:mbj@microsoft.com">mbj@microsoft.com</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Edmund Jay</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">MGI1</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:ejay@mgi1.com">ejay@mgi1.com</a></td></tr>
</table>
</body></html>