<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: OpenID Connect
Dynamic Client Registration 1.0 - draft 07</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Connect
Dynamic Client Registration 1.0 - draft 07">
<meta name="generator" content="xml2rfc v1.36 (http://xml.resource.org/)">
<style type='text/css'><!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
font-size: small; color: #000; background-color: #FFF;
margin: 2em;
}
h1, h2, h3, h4, h5, h6 {
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
font-weight: bold; font-style: normal;
}
h1 { color: #900; background-color: transparent; text-align: right; }
h3 { color: #333; background-color: transparent; }
td.RFCbug {
font-size: x-small; text-decoration: none;
width: 30px; height: 30px; padding-top: 2px;
text-align: justify; vertical-align: middle;
background-color: #000;
}
td.RFCbug span.RFC {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: bold; color: #666;
}
td.RFCbug span.hotText {
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: normal; text-align: center; color: #FFF;
}
table.TOCbug { width: 30px; height: 15px; }
td.TOCbug {
text-align: center; width: 30px; height: 15px;
color: #FFF; background-color: #900;
}
td.TOCbug a {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-weight: bold; font-size: x-small; text-decoration: none;
color: #FFF; background-color: transparent;
}
td.header {
font-family: arial, helvetica, sans-serif; font-size: x-small;
vertical-align: top; width: 33%;
color: #FFF; background-color: #666;
}
td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
td.author-text { font-size: x-small; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a { font-weight: bold; }
a:link { color: #900; background-color: transparent; }
a:visited { color: #633; background-color: transparent; }
a:active { color: #633; background-color: transparent; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small; }
p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
/* RFC-2629 <spanx>s and <artwork>s. */
em { font-style: italic; }
strong { font-weight: bold; }
dfn { font-weight: bold; font-style: normal; }
cite { font-weight: normal; font-style: normal; }
tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
font-family: "Courier New", Courier, monospace; font-size: small;
}
pre {
text-align: left; padding: 4px;
color: #000; background-color: #CCC;
}
pre dfn { color: #900; }
pre em { color: #66F; background-color: #FFC; font-weight: normal; }
pre .key { color: #33C; font-weight: bold; }
pre .id { color: #900; }
pre .str { color: #000; background-color: #CFF; }
pre .val { color: #066; }
pre .rep { color: #909; }
pre .oth { color: #000; background-color: #FCF; }
pre .err { background-color: #FCC; }
/* RFC-2629 <texttable>s. */
table.all, table.full, table.headers, table.none {
font-size: small; text-align: center; border-width: 2px;
vertical-align: top; border-collapse: collapse;
}
table.all, table.full { border-style: solid; border-color: black; }
table.headers, table.none { border-style: none; }
th {
font-weight: bold; border-color: black;
border-width: 2px 2px 3px 2px;
}
table.all th, table.full th { border-style: solid; }
table.headers th { border-style: none none solid none; }
table.none th { border-style: none; }
table.all td {
border-style: solid; border-color: #333;
border-width: 1px 2px;
}
table.full td, table.headers td, table.none td { border-style: none; }
hr { height: 1px; }
hr.insert {
width: 80%; border-style: none; border-width: 0;
color: #CCC; background-color: #CCC;
}
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">N. Sakimura</td></tr>
<tr><td class="header"> </td><td class="header">NRI</td></tr>
<tr><td class="header"> </td><td class="header">J. Bradley, Ed.</td></tr>
<tr><td class="header"> </td><td class="header">Protiviti</td></tr>
<tr><td class="header"> </td><td class="header">M. Jones</td></tr>
<tr><td class="header"> </td><td class="header">Microsoft</td></tr>
<tr><td class="header"> </td><td class="header">September 30, 2011</td></tr>
</table></td></tr></table>
<h1><br />OpenID Connect
Dynamic Client Registration 1.0 - draft 07</h1>
<h3>Abstract</h3>
<p>OpenID Connect is an identity protocol that provides authentication,
authorization, and attribute transmission capability. It allows third
party attested claims from distributed sources. The specification suite
builds on OAuth 2.0 and consists of Building Blocks (Messages,
Discovery, Dynamic Client Registration, Session Management, JSON Web
Token, JSON Web Signature, JSON Web Encryption, JSON Web Keys, Simple
Web Discovery), Protocol Bindings (e.g., Standard and Basic Client) and
Extensions. This specification is the "Dynamic Client Registration" part
of the suite that defines how clients register with OpenID
Providers.
</p>
<h3>Requirements Language</h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a class='info' href='#RFC2119'>RFC 2119<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a> [RFC2119].
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Introduction<br />
<a href="#terminology">2.</a>
Terminology<br />
<a href="#anchor2">3.</a>
Discovery<br />
<a href="#anchor3">4.</a>
Client Registration Endpoint<br />
<a href="#anchor4">4.1.</a>
Request<br />
<a href="#anchor5">4.2.</a>
Response<br />
<a href="#IANA">5.</a>
IANA Considerations<br />
<a href="#Security">6.</a>
Security Considerations<br />
<a href="#rfc.references1">7.</a>
Normative References<br />
<a href="#Acknowledgements">Appendix A.</a>
Acknowledgements<br />
<a href="#anchor7">Appendix B.</a>
Document History<br />
<a href="#rfc.authors">§</a>
Authors' Addresses<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.
Introduction</h3>
<p>In order for an OpenID Connect client to utilize OpenID services for
a user, the client needs to register with the OpenID Provider to acquire
a client ID and shared secret. This document describes how a new client
can register with the provider, and how a client already in possession
of a client_id can retrieve updated registration information.
</p>
<p>The Client Registration endpoint may be co-resident with the token
endpoint as an optimization in some deployments.
</p>
<a name="terminology"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.
Terminology</h3>
<p>This specification uses the terms "Access Token", "Refresh Token",
"Authorization Code", "Authorization Grant", "Authorization Server",
"Authorization Endpoint", "Client", "Client Identifier", "Client
Secret", "Protected Resource", "Resource Owner", "Resource Server", and
"Token Endpoint" that are defined by <a class='info' href='#OAuth.2.0'>OAuth
2.0<span> (</span><span class='info'>Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” September 2011.</span><span>)</span></a> [OAuth.2.0], and the terminology defined in the <a class='info' href='#OpenID.Messages'>OpenID Connect Messages 1.0<span> (</span><span class='info'>Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Messages 1.0,” September 2011.</span><span>)</span></a> [OpenID.Messages]
specification.
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.
Discovery</h3>
<p>OpenID Connect uses the registration_endpoint from the Provider
Configuration Response <a class='info' href='#OpenID.Discovery'>Sec
4.2<span> (</span><span class='info'>Sakimura, N., Bradley, J., Jones, M., and E. Jay, “OpenID Connect Discovery 1.0,” September 2011.</span><span>)</span></a> [OpenID.Discovery].
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.
Client Registration Endpoint</h3>
<p>The Client Registration Endpoint returns registration information for
the client to configure itself for the OpenID Provider.
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.
Request</h3>
<p>Clients MUST send requests encoded as a POST with the following
parameters added to the HTTP request entity-body using
"application/x-www-form-urlencoded" format:
</p>
<blockquote class="text"><dl>
<dt>type</dt>
<dd>REQUIRED. Values <tt>client_associate</tt>,
<tt>client_update</tt>
</dd>
<dt>client_id</dt>
<dd>OPTIONAL. Used with <tt>client_update</tt>
</dd>
<dt>client_secret</dt>
<dd>OPTIONAL. Used with <tt>client_update</tt>
</dd>
<dt>contact</dt>
<dd>OPTIONAL. Space-separated list of e-mail
addresses for people allowed to administer the application.
</dd>
<dt>application_type</dt>
<dd>OPTIONAL. <tt>native</tt>
or <tt>web</tt>.
</dd>
<dt>application_name</dt>
<dd>OPTIONAL. Name of the application
to be presented to the user.
</dd>
<dt>logo_url</dt>
<dd>OPTIONAL. URL that a logo for the
application can be retrieved from.
</dd>
<dt>redirect_uri</dt>
<dd>OPTIONAL. Space-separated list of
redirect URIs.
</dd>
<dt>js_origin_uri</dt>
<dd>OPTIONAL. Space-separated list of
JavaScript Origin URIs (used for the Post Message flow).
</dd>
<dt>jwk_url</dt>
<dd>OPTIONAL. URL for the RP's <a class='info' href='#JWK'>JSON Web Key<span> (</span><span class='info'>Jones, M., “JSON Web Key (JWK),” July 2011.</span><span>)</span></a> [JWK]
</dd>
<dt>x509_url</dt>
<dd>OPTIONAL. URL for the RP's PEM-encoded X.509
Certificate or Certificate chain.
</dd>
<dt>sector_identifier</dt>
<dd>OPTIONAL. URL to be used in
calculating Pseudonymous Identifiers by the OP. The URL contains a
file with an array of redirect_uri values.
</dd>
</dl></blockquote><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>POST /connect/register HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: server.example.com

type=client_associate
&redirect_uri=https://client.example.com/callback%20https://client.example.com/callback2
&logo_url=https://client.example.com/logo.png
</pre></div>
<a name="anchor5"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2"></a><h3>4.2.
Response</h3>
<p>The response is returned as a JSON object with all the parameters
as top level elements.
</p>
<blockquote class="text"><dl>
<dt>client_id</dt>
<dd>REQUIRED. The unique client
identifier.
</dd>
<dt>client_secret</dt>
<dd>REQUIRED. The client secret. This
should change with each response.
</dd>
<dt>expires_in</dt>
<dd>REQUIRED. The number of seconds that this
id and secret are good for or <tt>0</tt> if it
does not expire.
</dd>
</dl></blockquote>
<p>The following is an example response.
</p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"client_id":"SlAV32hkKG",
"client_secret":"cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
"expires_in":3600
}</pre></div>
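<p>The request of Section 4.1 and the response of Section 4.2 together, as an added worked example that is not part of this draft: one Python module that form-encodes a registration request on the client side, handles it on the server side (both <tt>client_associate</tt> and <tt>client_update</tt>), and returns the JSON object of Section 4.2 with a secret that changes on every response. The function names, the in-memory client store, the <tt>400</tt>/<tt>401</tt> error codes, the rule that <tt>redirect_uri</tt> and <tt>js_origin_uri</tt> values must be absolute https URIs, and the 3600-second lifetime are this example's own choices; the draft specifies none of them.</p>

```python
# Added example, not part of the draft: builds the form-encoded registration
# request of section 4.1, handles it server-side, and returns the JSON object
# of section 4.2. Names, error codes, the https rule for redirect URIs and the
# 3600 s lifetime are this example's choices, not the draft's.
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_LIFETIME = 3600          # expires_in handed out; the draft allows 0 = never expires
OPTIONAL_FIELDS = ("contact", "application_type", "application_name", "logo_url",
                   "redirect_uri", "js_origin_uri", "jwk_url", "x509_url",
                   "sector_identifier")
REASON = {200: "OK", 400: "Bad Request", 401: "Unauthorized"}
_clients = {}                   # constructed in-memory store: client_id -> record


def build_body(reg_type, **params):
    """Client side: form-encode the parameters; list values become space-separated (4.1)."""
    flat = {k: " ".join(v) if isinstance(v, (list, tuple)) else v for k, v in params.items()}
    return urlencode({"type": reg_type, **flat})


def parse_uri_list(raw):
    """Split a space-separated URI list; require absolute https URIs without fragments."""
    uris = raw.split()
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise ValueError(f"unacceptable URI: {uri}")
    return uris


def validate_metadata(form):
    """Check the OPTIONAL parameters of 4.1 whose form is constrained."""
    meta = {k: form[k] for k in OPTIONAL_FIELDS if k in form}
    if meta.get("application_type", "web") not in ("native", "web"):
        raise ValueError("application_type must be native or web")
    for key in ("redirect_uri", "js_origin_uri"):
        if key in meta:
            meta[key] = parse_uri_list(meta[key])
    for key in ("logo_url", "jwk_url", "x509_url", "sector_identifier"):
        if key in meta and not (urlsplit(meta[key]).scheme and urlsplit(meta[key]).netloc):
            raise ValueError(f"{key} must be an absolute URL")
    return meta


def issue_credentials(client_id, meta, now):
    """Create or rotate the secret: the draft says it should change with each response."""
    expires = None if SECRET_LIFETIME == 0 else now + SECRET_LIFETIME
    _clients[client_id] = {"secret": secrets.token_hex(32), "expires": expires, "meta": meta}
    return {"client_id": client_id, "client_secret": _clients[client_id]["secret"],
            "expires_in": SECRET_LIFETIME}


def register(body, is_tls=True, now=None):
    """Server side: handle one POST body. Returns (status, response_object)."""
    now = time.time() if now is None else now
    if not is_tls:                      # section 6: credentials would travel in clear text
        return 400, {"error": "tls_required"}
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    try:
        meta = validate_metadata(form)
    except ValueError as exc:
        return 400, {"error": "invalid_request", "error_description": str(exc)}
    kind = form.get("type")
    if kind == "client_associate":
        return 200, issue_credentials(secrets.token_urlsafe(8), meta, now)
    if kind == "client_update":
        client_id = form.get("client_id", "")
        record = _clients.get(client_id)
        presented = form.get("client_secret", "").encode()
        if (record is None
                or not secrets.compare_digest(presented, record["secret"].encode())
                or (record["expires"] is not None and now > record["expires"])):
            return 401, {"error": "invalid_client"}
        return 200, issue_credentials(client_id, {**record["meta"], **meta}, now)
    return 400, {"error": "invalid_request", "error_description": "unknown type"}


def render(status, payload):
    """Serialize like the draft's example: JSON body, Cache-Control: no-store."""
    return (f"HTTP/1.1 {status} {REASON[status]}\r\nContent-Type: application/json\r\n"
            f"Cache-Control: no-store\r\n\r\n{json.dumps(payload)}")


if __name__ == "__main__":
    body = build_body("client_associate",
                      redirect_uri=["https://client.example.com/callback",
                                    "https://client.example.com/callback2"],
                      logo_url="https://client.example.com/logo.png")
    print(body)
    print(render(*register(body)))
```

<p>Two points the draft's prose leaves to the implementer are made explicit here: a <tt>client_update</tt> is authenticated by comparing the presented <tt>client_secret</tt> in constant time and rejected once <tt>expires_in</tt> has elapsed, and every successful response, including updates, replaces the stored secret so that a captured old secret stops working.</p>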
<a name="IANA"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.
IANA Considerations</h3>
<p>This document makes no request of IANA.
</p>
<a name="Security"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.6"></a><h3>6.
Security Considerations</h3>
<p>Since requests to the client registration endpoint result in the
transmission of clear-text credentials (in the HTTP request and
response), the server MUST require the use of a transport-layer security
mechanism when sending requests to the token endpoint. The server MUST
support TLS 1.2 as defined in [RFC5246], and MAY support additional
transport-layer mechanisms meeting its security requirements.
</p>
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>7. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="JWK">[JWK]</a></td>
<td class="author-text">Jones, M., “<a href="http://self-issued.info/docs/draft-jones-json-web-key.html">JSON Web Key (JWK)</a>,” July 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OAuth.2.0">[OAuth.2.0]</a></td>
<td class="author-text">Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “<a href="http://tools.ietf.org/html/draft-ietf-oauth-v2">OAuth 2.0 Authorization Protocol</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.Discovery">[OpenID.Discovery]</a></td>
<td class="author-text">Sakimura, N., Bradley, J., Jones, M., and E. Jay, “<a href="http://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.Messages">[OpenID.Messages]</a></td>
<td class="author-text">Sakimura, N., Recordon, D., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “<a href="http://openid.net/specs/openid-connect-messages-1_0.html">OpenID Connect Messages 1.0</a>,” September 2011.</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="http://www.rfc-editor.org/rfc/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC5246">[RFC5246]</a></td>
<td class="author-text">Dierks, T. and E. Rescorla, “<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>,” RFC 5246, August 2008.</td></tr>
</table>
<a name="Acknowledgements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.A"></a><h3>Appendix A.
Acknowledgements</h3>
<p>
</p>
<a name="anchor7"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.B"></a><h3>Appendix B.
Document History</h3>
<p>[[ To be removed from the final specification ]]
</p>
<p>-07
</p>
<ul class="text">
<li>Changed request from posting a JSON object to being HTTP
Form encoded.
</li>
<li>Added x509_url to support optional encryption.
</li>
</ul>
<p>-06 </p>
<ul class="text">
<li>Changes associated with renaming "Lite" to "Basic Client" and
replacing "Core" and "Framework" with "Messages" and "Standard".
</li>
<li>Numerous cleanups, including updating references.
</li>
</ul>
<p>-05 </p>
<ul class="text">
<li>Changed <tt>redirect_url</tt> to <tt>redirect_uri</tt> and <tt>js_origin_url</tt>
to <tt>js_origin_uri</tt>.
</li>
</ul>
<p>-04 </p>
<ul class="text">
<li>Correct issues raised by Johnny Bufu and discussed on the
7-Jul-11 working group call.
</li>
</ul>
<p>-03 </p>
<ul class="text">
<li>Incorporate working group decisions from 5-Jul-11 spec call.
</li>
<li>Consistency and cleanup pass, including removing unused
references.
</li>
</ul>
<p>-02 </p>
<ul class="text">
<li>Incorporate working group decisions from 23-Jun-11 spec call.
</li>
</ul>
<p>-01 </p>
<ul class="text">
<li>Initial version.
</li>
</ul>
<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Nat Sakimura</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Nomura Research Institute,
Ltd.</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">John Bradley (editor)</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Protiviti Government
Services</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:jbradley@mac.com">jbradley@mac.com</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Michael B. Jones</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Microsoft Corporation</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:mbj@microsoft.com">mbj@microsoft.com</a></td></tr>
</table>
</body></html>