<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt" lang="en-US">Dear AB/Connect WG experts,</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt" lang="en-US"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><span lang="en-US">I would like to contribute a
</span><span lang="ja">Self-Issued OpenID Provider v2</span><span lang="en-US"> draft to the working group. Several working group members including
</span><span lang="ja">Torsten, Tobias, </span><span lang="en-US">Mike and Pam helped review it, and it incorporates ideas from Tom's
</span><span lang="ja">OpenID Self Issued Identifiers</span><span lang="en-US"> draft.
</span></p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><span lang="en-US">It is
</span><span lang="ja">a work in progress, but </span><span lang="en-US">I</span><span lang="ja"> think
</span><span lang="en-US">the document is</span><span lang="ja"> ready for others to review and for working group discussion</span><span lang="en-US">.
</span></p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt" lang="en-US"> </p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><span lang="en-US">Please find below the full text of the draft. You can also read the current version of the draft at the following link:
</span><span lang="ja"><a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view">https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view</a></span></p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt">Best,</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt">Kristina</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11.0pt"><br>
</p>
<div style="margin: 0px 0in; font-family: 游ゴシック; font-size: 11pt;">
<h1 class="part" data-startline="1" data-endline="1" data-id="Self-Issued-OpenID-Provider-v2-draft" style="box-sizing:border-box;margin-top:0px !important;margin-bottom:16px;font-size:2em;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="2" data-size="36" style="box-sizing:border-box">Self-Issued OpenID Provider v2 draft</span></h1>
<p class="part" data-startline="3" data-endline="3" data-position="40" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="40" data-size="28" data-inline-comment-id="4007d1d6-12b0-403d-8669-2c5f86e3489e" class="ui-comment-inline-span" style="box-sizing:border-box;background-color:rgba(102, 181, 250, 0.15);border-style:solid;border-color:transparent;border-width:0px 0px 2px"><span class="ui-comment-inline-span" data-inline-comment-id="92ddc793-69cf-4af6-bfcc-d61f7faa91e0" style="box-sizing:border-box;background-color:rgba(102, 181, 250, 0.15);border-style:solid;border-color:transparent;border-width:0px 0px 2px"><span class="ui-comment-inline-span" data-inline-comment-id="fa9e0c3e-194e-4e7f-a13e-98e282ed845d" style="box-sizing:border-box;background-color:rgba(102, 181, 250, 0.15);border-style:solid;border-color:transparent;border-width:0px 0px 2px"><span class="ui-comment-inline-span" data-inline-comment-id="7cd614dc-0139-41b1-90cd-86b288bbe478" style="box-sizing:border-box;background-color:rgba(102, 181, 250, 0.15);border-style:solid;border-color:transparent;border-width:0px 0px 2px">This
 document defines a new<span> </span></span></span></span></span><span data-position="68" data-size="269" style="box-sizing:border-box">scope as well as rules for the use of OpenID Connect to present credentials that may be validated through the use of decentralized
 identifiers, and Verifiable Credentials using a Self-Issued OpenID Provider (section 7 of [OpenID.Core]) in addition to the current scope.</span></p>
<h2 class="part" data-startline="5" data-endline="5" data-id="7-Self-Issued-OpenID-Provider" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#7-Self-Issued-OpenID-Provider" title="7-Self-Issued-OpenID-Provider" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="342" data-size="30" style="box-sizing:border-box">7.
 Self-Issued OpenID Provider</span></h2>
<p class="part" data-startline="6" data-endline="6" data-position="373" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="373" data-size="188" style="box-sizing:border-box">OpenID Connect supports Self-Issued OpenID Providers (Self-Issued OPs) - personal OpenID Providers that issue self-signed ID Tokens, enabling portability of the identities among providers.</span></p>
<p class="part" data-startline="8" data-endline="8" data-position="564" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="564" data-size="193" style="box-sizing:border-box">This section defines how a Holder provides an ID Token to the Relying Party (RP) through the Self-Issued OP, and how a Holder asks for and receives attested claims that can be included in the ID Token.</span></p>
<p class="part" data-startline="10" data-endline="10" data-position="759" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="759" data-size="144" style="box-sizing:border-box">Specifications for the few additional parameters used and for the values of some parameters in the Self-Issued case are defined in this section.</span></p>
<p class="part" data-startline="12" data-endline="12" data-position="905" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="905" data-size="297" style="box-sizing:border-box">NOTE: this section only outlines the verification process for the RP to request authentication information (either only log-in and/or claims) from a Self-Issued OP. Issuance of credentials from the OpenID Provider to a Self-Issued OP that is acting in an RP's capacity is out of scope of this section.</span></p>
<h3 class="part" data-startline="14" data-endline="14" data-id="71-Terminology" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#71-Terminology" title="71-Terminology" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="1208" data-size="16" style="box-sizing:border-box">7.1.
 Terminology</span></h3>
<p class="part" data-startline="15" data-endline="15" data-position="1225" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="1225" data-size="207" style="box-sizing:border-box">Common terms in this document come from four primary sources: [DID-CORE], [VC-DATA], [RFC6749] and [OpenID.Core]. Where a term has a definition that differs, the definition below is authoritative.</span></p>
<h3 class="part" data-startline="18" data-endline="18" data-id="72-Protocol-Flow" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#72-Protocol-Flow" title="72-Protocol-Flow" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="1439" data-size="18" style="box-sizing:border-box">7.2.
 Protocol Flow</span></h3>
<p class="part" data-startline="20" data-endline="20" data-position="1459" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="1459" data-size="227" style="box-sizing:border-box">A Self-Issued OpenID Provider Request is an OpenID Connect Authentication Request that results in a Holder providing an ID Token to the Relying Party through the Self-Issued OP. The ID Token MAY include attested claims about the Holder.</span></p>
<pre class="part" data-startline="22" data-endline="38" data-position="1688" style="box-sizing:border-box;overflow:auto;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51, 51, 51);word-break:break-all;background-color:rgb(247, 247, 247);border:inherit !important;border-radius:3px;letter-spacing:0.35px"><code style="box-sizing:border-box;color:inherit !important;background:transparent;border-radius:3px;margin:0px;display:inline">+----------+                                                    +--------+
|          |                                                    |        |
|          |-------(1) Self-Issued OpenID Provider Request----->|        |
|          |          (OpenID Connect Authentication Request)   |        |
|          |                     +--------+                     |        |
|          |                     |        |                     |        |         
|          |                     |  Hol-  |                     |        |         
|    RP    |                     |  der   |<-(2) AuthN & AuthZ->|   OP   |
|          |                     |        |                     | (Self- |
|          |                     +--------+                     | Issued |
|          |                                                    |   OP)  |
|          |<------(3) Self-Issued OpenID Provider Response-----|        |
|          |                 (ID Token)                         |        |
|          |                                                    |        |   
+----------+                                                    +--------+
</code></pre>
<h2 class="part" data-startline="42" data-endline="42" data-id="73-Self-Issued-OpenID-Provider-Discovery" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#73-Self-Issued-OpenID-Provider-Discovery" title="73-Self-Issued-OpenID-Provider-Discovery" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="2852" data-size="42" style="box-sizing:border-box">7.3.
 Self-Issued OpenID Provider Discovery</span></h2>
<p class="part" data-startline="43" data-endline="43" data-position="2895" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="2895" data-size="46" style="box-sizing:border-box">Self-Issued OP MUST associate a custom schema<span> </span></span><code data-position="2942" data-size="9" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">openid://</code><span data-position="2952" data-size="38" style="box-sizing:border-box"><span> </span>with
 itself. Relying Party MUST call<span> </span></span><code data-position="2991" data-size="9" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">openid://</code><span data-position="3001" data-size="44" style="box-sizing:border-box"><span> </span>when
 sending a request to a Self-Issued OP.</span></p>
<p class="part" data-startline="45" data-endline="45" data-position="3047" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="3047" data-size="88" style="box-sizing:border-box">NOTE: consider using deeplinks for discovery in the scenarios when Self-Issued OP is PWA</span></p>
<h2 class="part" data-startline="48" data-endline="48" data-id="74-Self-Issued-OP-Registration" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#74-Self-Issued-OP-Registration" title="74-Self-Issued-OP-Registration" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="3141" data-size="32" style="box-sizing:border-box">7.4.
 Self-Issued OP Registration</span></h2>
<p class="part" data-startline="50" data-endline="50" data-position="3175" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="3175" data-size="213" style="box-sizing:border-box">OpenID Connect defines the following registration parameters to enable Relying Party to provide information about itself to a Self-Issued OP that would normally be provided to an OP during
 Dynamic RP Registration:</span></p>
<ul class="part" data-startline="52" data-endline="58" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="52" data-endline="55" data-position="3394" data-size="0" style="box-sizing:border-box">
<p data-position="3392" data-size="0" style="box-sizing:border-box;margin:16px 0px">
<span data-position="3394" data-size="12" style="box-sizing:border-box">registration</span><br style="box-sizing:border-box">
<span data-position="3414" data-size="180" style="box-sizing:border-box">OPTIONAL. This parameter enables RP Registration Metadata to be passed in a single, self-contained parameter. The value is a JSON object containing RP Registration Metadata values.</span><br style="box-sizing:border-box">
<span data-position="3595" data-size="57" style="box-sizing:border-box">NOTE: Do we also need to support JWT registration values?</span></p>
</li><li data-startline="56" data-endline="58" data-position="3654" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<p data-position="3652" data-size="0" style="box-sizing:border-box;margin:16px 0px">
<span data-position="3654" data-size="15" style="box-sizing:border-box">registration_uri</span><br style="box-sizing:border-box">
<span data-position="3677" data-size="226" style="box-sizing:border-box">OPTIONAL. This parameter enables RP Registration Metadata to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource
 containing RP Registration Metadata values.</span></p>
</li></ul>
<p class="part" data-startline="59" data-endline="59" data-position="3908" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="3908" data-size="163" style="box-sizing:border-box">RP Registration Metadata values are defined in Section 7.4.3 and Section 2.1 of the OpenID Connect Dynamic RP Registration 1.0 [OpenID.Registration] specification.</span></p>
<p class="part" data-startline="61" data-endline="61" data-position="4073" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4073" data-size="148" style="box-sizing:border-box">If the Self-Issued OP supports the same parameters, the Self-Issued OpenID Provider flow continues; if the Self-Issued OP does not support them, it returns an error.</span></p>
<p class="part" data-startline="63" data-endline="63" data-position="4224" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4224" data-size="72" style="box-sizing:border-box">Configuration values should preferably be sent by reference as a URI using the<span> </span></span><code data-position="4297" data-size="16" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration_uri</code><span data-position="4314" data-size="100" style="box-sizing:border-box"><span> </span>parameter,
 but when the RP cannot host a webserver, configuration values should be sent by value using the<span> </span></span><code data-position="4415" data-size="12" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration</code><span data-position="4428" data-size="11" style="box-sizing:border-box"><span> </span>parameter.</span></p>
<p class="part" data-startline="65" data-endline="65" data-position="4442" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4442" data-size="127" style="box-sizing:border-box">The RP MUST use either of these parameters, but if one of these parameters is used, the other MUST NOT be used in the same request.</span></p>
<p class="part" data-startline="67" data-endline="67" data-position="4571" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4571" data-size="85" style="box-sizing:border-box">These registration parameters SHOULD NOT be used when the OP is not a Self-Issued OP.</span></p>
<h3 class="part" data-startline="70" data-endline="70" data-id="741-Passing-Relying-Party-Registration-Metadata-by-Value" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#741-Passing-Relying-Party-Registration-Metadata-by-Value" title="741-Passing-Relying-Party-Registration-Metadata-by-Value" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="4664" data-size="59" style="box-sizing:border-box">7.4.1.
 Passing Relying Party Registration Metadata by Value</span></h3>
<p class="part" data-startline="72" data-endline="72" data-position="4729" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4729" data-size="4" style="box-sizing:border-box">The<span> </span></span><code data-position="4734" data-size="12" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration</code><span data-position="4747" data-size="108" style="box-sizing:border-box"><span> </span>SIOP
 Request parameter enables RP Registration Metadata to be passed in a single, self-contained parameter.</span></p>
<p class="part" data-startline="74" data-endline="74" data-position="4861" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="4861" data-size="294" style="box-sizing:border-box">The registration parameter value is represented in an OAuth 2.0 request as a UTF-8 encoded JSON object (which ends up being form-urlencoded when passed as an OAuth parameter). When used
 in a Request Object value, per Section 6.1, the JSON object is used as the value of the registration member.</span></p>
<p class="part" data-startline="76" data-endline="76" data-position="5157" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="5157" data-size="40" style="box-sizing:border-box">The following value MUST be included in the<span> </span></span><code data-position="5198" data-size="12" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration</code><span data-position="5211" data-size="27" style="box-sizing:border-box"><span> </span>parameter
 when it is used:</span></p>
<ul class="part" data-startline="77" data-endline="80" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="77" data-endline="80" data-position="5242" data-size="0" style="box-sizing:border-box">
<span data-position="5242" data-size="8" style="box-sizing:border-box">client_id</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li data-startline="78" data-endline="80" data-position="5259" data-size="0" style="box-sizing:border-box">
<span data-position="5259" data-size="28" style="box-sizing:border-box">redirect_uri value of the RP.</span><br style="box-sizing:border-box">
<span data-position="5290" data-size="27" style="box-sizing:border-box">NOTE: Is this still needed?</span></li></ul>
</li></ul>
<p class="part" data-startline="81" data-endline="81" data-position="5319" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="5319" data-size="390" style="box-sizing:border-box">The Registration parameters that would typically be used in requests to Self-Issued OPs are policy_uri, tos_uri, and logo_uri. If the RP uses more than one Redirection URI, the redirect_uris
 parameter would be used to register them. Finally, if the RP is requesting encrypted responses, it would typically use the jwks_uri, id_token_encrypted_response_alg and id_token_encrypted_response_enc parameters.</span></p>
<p class="part" data-startline="83" data-endline="83" data-position="5724" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="5724" data-size="70" style="box-sizing:border-box">The Registration parameter may include a decentralized identifier of the RP.</span></p>
<h3 class="part" data-startline="85" data-endline="85" data-id="742-Passing-Relying-Party-Registration-Metadata-by-Reference" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#742-Passing-Relying-Party-Registration-Metadata-by-Reference" title="742-Passing-Relying-Party-Registration-Metadata-by-Reference" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="5800" data-size="63" style="box-sizing:border-box">7.4.2.
 Passing Relying Party Registration Metadata by Reference</span></h3>
<p class="part" data-startline="87" data-endline="87" data-position="5865" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="5865" data-size="4" style="box-sizing:border-box">The<span> </span></span><code data-position="5870" data-size="16" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration_uri</code><span data-position="5887" data-size="83" style="box-sizing:border-box"><span> </span>SIOP
 Request parameter enables RP Registration Metadata to be passed by reference.</span></p>
<p class="part" data-startline="89" data-endline="89" data-position="5973" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="5973" data-size="204" style="box-sizing:border-box">This parameter is used identically to the request parameter, other than that the Relying Party registration metadata value is retrieved from the resource at the specified URL, rather than
 passed by value.</span></p>
<p class="part" data-startline="91" data-endline="91" data-position="6179" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="6179" data-size="117" style="box-sizing:border-box">The contents of the resource referenced by the URL MUST be a RP Registration Metadata Object. The scheme used in the<span> </span></span><code data-position="6297" data-size="16" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">registration_uri</code><span data-position="6314" data-size="118" style="box-sizing:border-box"><span> </span>value
 MUST be https. The request_uri value MUST be reachable by the Self-Issued OP, and SHOULD be reachable by the RP.</span></p>
<h3 class="part" data-startline="93" data-endline="93" data-id="743-Relying-Party-Registration-Metadata-Values" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#743-Relying-Party-Registration-Metadata-Values" title="743-Relying-Party-Registration-Metadata-Values" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="6439" data-size="49" style="box-sizing:border-box">7.4.3.
 Relying Party Registration Metadata Values</span></h3>
<p class="part" data-startline="95" data-endline="95" data-position="6490" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="6490" data-size="143" style="box-sizing:border-box">OpenID Connect defines the following RP Registration Metadata values that are used by the RP to provide information about itself to the Self-Issued OP:</span></p>
<p class="part" data-startline="97" data-endline="97" data-position="6635" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="6635" data-size="13" style="box-sizing:border-box">Static Values</span></p>
<ul class="part" data-startline="98" data-endline="104" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="98" data-endline="99" data-position="6651" data-size="0" style="box-sizing:border-box">
<span data-position="6651" data-size="21" style="box-sizing:border-box">authorization_endpoint</span><br style="box-sizing:border-box">
<span data-position="6682" data-size="18" style="box-sizing:border-box">REQUIRED. MUST be<span> </span></span><code data-position="6696" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">openid:</code><span data-position="6709" data-size="1" style="box-sizing:border-box">.</span></li><li data-startline="100" data-endline="101" data-position="6710" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="6710" data-size="6" style="box-sizing:border-box">issuer</span><br style="box-sizing:border-box">
<span data-position="6725" data-size="18" style="box-sizing:border-box">REQUIRED. MUST be<span> </span></span><code data-position="6739" data-size="25" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">https://self-issued.me/v2</code></li><li data-startline="102" data-endline="104" data-position="6770" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="6770" data-size="22" style="box-sizing:border-box">response_types_supported</span><br style="box-sizing:border-box">
<span data-position="6803" data-size="8" style="box-sizing:border-box">MUST be<span> </span></span><code data-position="6807" data-size="8" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">id_token</code></li></ul>
<p class="part" data-startline="105" data-endline="105" data-position="6820" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="6820" data-size="14" style="box-sizing:border-box">Dynamic Values</span></p>
<ul class="part" data-startline="106" data-endline="116" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="106" data-endline="107" data-position="6837" data-size="0" style="box-sizing:border-box">
<span data-position="6837" data-size="15" style="box-sizing:border-box">scopes_supported</span><br style="box-sizing:border-box">
<span data-position="6862" data-size="31" style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code data-position="6889" data-size="6" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">openid</code><span data-position="6901" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="6899" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">profile</code><span data-position="6912" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="6910" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">email</code><span data-position="6921" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="6919" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">address</code><span data-position="6932" data-size="6" style="box-sizing:border-box">,
 and<span> </span></span><code data-position="6934" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">phone</code><span data-position="6945" data-size="1" style="box-sizing:border-box">.</span></li><li data-startline="108" data-endline="109" data-position="6946" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="6946" data-size="21" style="box-sizing:border-box">subject_types_supported</span><br style="box-sizing:border-box">
<span data-position="6978" data-size="31" style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code data-position="7005" data-size="8" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">pairwise</code><span data-position="7019" data-size="5" style="box-sizing:border-box"><span> </span>and<span> </span></span><code data-position="7020" data-size="6" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">public</code><span data-position="7032" data-size="1" style="box-sizing:border-box">.</span></li><li data-startline="110" data-endline="111" data-position="7033" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="7033" data-size="17" style="box-sizing:border-box">sub_types_supported</span><br style="box-sizing:border-box">
<span data-position="7059" data-size="31" style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code data-position="7087" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="7095" data-size="82" style="box-sizing:border-box"><span> </span>and
 concrete did methods supported. did methods supported must take the value of<span> </span></span><code data-position="7174" data-size="11" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">Method
 Name</code><span data-position="7191" data-size="17" style="box-sizing:border-box"><span> </span>in Chapter 9 of<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="7208" data-size="19" style="box-sizing:border-box">did-spec-registries</span></a><span data-position="7284" data-size="10" style="box-sizing:border-box">,
 such as<span> </span></span><code data-position="7291" data-size="9" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did:peer:</code></li><li data-startline="112" data-endline="113" data-position="7306" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="7306" data-size="32" style="box-sizing:border-box">id_token_signing_alg_values_supported</span><br style="box-sizing:border-box">
<span data-position="7352" data-size="31" style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code data-position="7379" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">RS256</code><span data-position="7390" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="7388" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">ES256</code><span data-position="7399" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="7397" data-size="6" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">ES256K</code><span data-position="7409" data-size="6" style="box-sizing:border-box">,
 and<span> </span></span><code data-position="7411" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">EdDSA</code><span data-position="7422" data-size="1" style="box-sizing:border-box">.</span></li><li data-startline="114" data-endline="116" data-position="7423" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="7423" data-size="38" style="box-sizing:border-box">request_object_signing_alg_values_supported</span><br style="box-sizing:border-box">
<span data-position="7475" data-size="31" style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code data-position="7502" data-size="4" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">none</code><span data-position="7512" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="7510" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">RS256</code><span data-position="7521" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="7519" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">ES256</code><span data-position="7530" data-size="2" style="box-sizing:border-box">,<span> </span></span><code data-position="7528" data-size="6" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">ES256K</code><span data-position="7540" data-size="6" style="box-sizing:border-box">,
 and<span> </span></span><code data-position="7542" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">EdDSA</code></li></ul>
<p class="part" data-startline="117" data-endline="117" data-position="7554" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="7554" data-size="104" style="box-sizing:border-box">The following is a non-normative example of RP Registration Metadata Values supported by the Self-Issued OP:</span></p>
<pre class="part" data-startline="119" data-endline="138" data-position="7660" style="box-sizing:border-box;overflow:auto;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51, 51, 51);word-break:break-all;background-color:rgb(247, 247, 247);border:inherit !important;border-radius:3px;letter-spacing:0.35px"><code style="box-sizing:border-box;color:inherit !important;background:transparent;border-radius:3px;margin:0px;display:inline">  {
   "authorization_endpoint":
     "openid:",
   "issuer":
     "https://self-issued.me/v2",
   "scopes_supported":
     ["openid", "profile", "email", "address", "phone"],
   "response_types_supported":
     ["id_token"],
   "subject_types_supported":
     ["pairwise"],
   "sub_types_supported":
     ["did:peer:", "did:ion:"],
   "id_token_signing_alg_values_supported":
     ["ES256", "ES256K"],
   "request_object_signing_alg_values_supported":
     ["ES256", "ES256K"]
  }
</code></pre>
<h4 class="part" data-startline="140" data-endline="140" data-id="7431-Sub-Types" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#7431-Sub-Types" title="7431-Sub-Types" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="8155" data-size="18" style="box-sizing:border-box">7.4.3.1.
 Sub Types</span></h4>
<p class="part" data-startline="142" data-endline="142" data-position="8175" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="8175" data-size="99" style="box-sizing:border-box">A sub type is used by Self-Issued OP to advertise which types of identifiers are supported for the<span> </span></span><code data-position="8275" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="8279" data-size="52" style="box-sizing:border-box"><span> </span>claim.
 Two types are defined by this specification:</span></p>
<p class="part" data-startline="144" data-endline="145" data-position="8333" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<code data-position="8334" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><br style="box-sizing:border-box">
<span data-position="8348" data-size="73" style="box-sizing:border-box">JWK Thumbprint Subject sub type. When this subject sub type is used, the<span> </span></span><code data-position="8418" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="8426" data-size="94" style="box-sizing:border-box"><span> </span>Claim
 value MUST be the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code data-position="8517" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="8529" data-size="17" style="box-sizing:border-box"><span> </span>Claim.
 [RFC7638]</span></p>
<p class="part" data-startline="147" data-endline="148" data-position="8548" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<code data-position="8549" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><br style="box-sizing:border-box">
<span data-position="8563" data-size="128" style="box-sizing:border-box">Decentralized sub type. This sub type MUST specify concrete Decentralized Identifier (DID) methods supported using the value of<span> </span></span><code data-position="8688" data-size="11" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">Method
 Name</code><span data-position="8705" data-size="17" style="box-sizing:border-box"><span> </span>in Chapter 9 of<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="8722" data-size="19" style="box-sizing:border-box">did-spec-registries</span></a><span data-position="8798" data-size="10" style="box-sizing:border-box">,
 such as<span> </span></span><code data-position="8805" data-size="9" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did:peer:</code><span data-position="8819" data-size="35" style="box-sizing:border-box">.
 When this sub type is used, the<span> </span></span><code data-position="8851" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="8859" data-size="43" style="box-sizing:border-box"><span> </span>value
 MUST be a DID defined in [DID-CORE].</span></p>
<p class="part" data-startline="150" data-endline="150" data-position="8905" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="8905" data-size="85" style="box-sizing:border-box">NOTE: Consider adding a subject type for OpenID Connect Federation entity statements.</span></p>
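<p>The <code>jkt</code> rule above can be checked on the RP side as follows. This is an added example, not part of the draft: the function names and the sample key are constructed for illustration, and the thumbprint follows RFC 7638 with SHA-256.</p>

```python
import base64
import hashlib
import hmac
import json

# Members that enter the thumbprint for each public key type
# (RFC 7638 section 3.2 for EC and RSA; RFC 8037 section 2 for OKP).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample key: the coordinates are placeholder strings, not a real
# P-256 point. The thumbprint is a hash over JSON text, so that is sufficient.
SAMPLE_SUB_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "Y29uc3RydWN0ZWQteC12YWx1ZQ",
    "y": "Y29uc3RydWN0ZWQteS12YWx1ZQ",
    "kid": "ignored-by-the-thumbprint",
}


def jwk_thumbprint(jwk):
    """Return the base64url SHA-256 JWK thumbprint of a public JWK."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError("unsupported kty: %r" % (kty,))
    members = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError("missing or non-string JWK member: " + name)
        members[name] = value
    # Canonical form: required members only, sorted by name, no whitespace.
    canonical = json.dumps(
        members, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")
    digest = hashlib.sha256(canonical).digest()
    # base64url without padding, as used for the sub Claim value.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sub_matches_sub_jwk(claims):
    """True only if sub is the thumbprint of the key carried in sub_jwk."""
    sub = claims.get("sub")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub, str) or not isinstance(sub_jwk, dict):
        return False
    try:
        expected = jwk_thumbprint(sub_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(sub.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    good = {"sub": jwk_thumbprint(SAMPLE_SUB_JWK), "sub_jwk": SAMPLE_SUB_JWK}
    swapped = {"sub": good["sub"], "sub_jwk": dict(SAMPLE_SUB_JWK, x="b3RoZXIta2V5")}
    print("matching key:", sub_matches_sub_jwk(good))
    print("swapped key: ", sub_matches_sub_jwk(swapped))
```

<p>A matching <code>sub</code> is only one of the checks: the ID Token signature still has to verify under the key in <code>sub_jwk</code>.</p>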
<h3 class="part" data-startline="152" data-endline="152" data-id="744-Relying-Party-Registration-Metadata-Error-Response" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#744-Relying-Party-Registration-Metadata-Error-Response" title="744-Relying-Party-Registration-Metadata-Error-Response" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="8996" data-size="57" style="box-sizing:border-box">7.4.4.
 Relying Party Registration Metadata Error Response</span></h3>
<p class="part" data-startline="154" data-endline="154" data-position="9055" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="9055" data-size="224" style="box-sizing:border-box">OpenID Connect defines the following error codes that MUST be returned when the Self-Issued OP does not support all of the Relying Party Registration metadata values received from the Relying
 Party in the registration parameter:</span></p>
<ul class="part" data-startline="156" data-endline="162" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="156" data-endline="157" data-position="9283" data-size="0" style="box-sizing:border-box">
<span data-position="9283" data-size="17" style="box-sizing:border-box">value_not_supported</span><br style="box-sizing:border-box">
<span data-position="9309" data-size="114" style="box-sizing:border-box">The Self-Issued OP does not support more than one of the RP Registration Metadata values defined in Section 7.4.3.</span></li><li data-startline="158" data-endline="159" data-position="9424" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="9424" data-size="22" style="box-sizing:border-box">invalid_registration_uri</span><br style="box-sizing:border-box">
<span data-position="9455" data-size="105" style="box-sizing:border-box">The registration_uri in the Self-Issued OpenID Provider request returns an error or contains invalid data.</span></li><li data-startline="160" data-endline="162" data-position="9562" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="9562" data-size="25" style="box-sizing:border-box">invalid_registration_object</span><br style="box-sizing:border-box">
<span data-position="9596" data-size="79" style="box-sizing:border-box">The registration parameter contains an invalid RP Registration Metadata Object.</span></li></ul>
<p class="part" data-startline="163" data-endline="163" data-position="9675" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="9675" data-size="77" style="box-sizing:border-box">Error response must be made in the same manner as defined in Section 3.1.2.6.</span></p>
<h2 class="part" data-startline="167" data-endline="167" data-id="75-Self-Issued-OpenID-Provider-Request" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#75-Self-Issued-OpenID-Provider-Request" title="75-Self-Issued-OpenID-Provider-Request" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="9759" data-size="41" style="box-sizing:border-box">7.5.
 Self-Issued OpenID Provider Request</span></h2>
<p class="part" data-startline="168" data-endline="168" data-position="9801" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="9801" data-size="100" style="box-sizing:border-box">The RP sends the Authentication Request to the Authorization Endpoint with the following parameters:</span></p>
<ul class="part" data-startline="170" data-endline="186" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="170" data-endline="171" data-position="9905" data-size="0" style="box-sizing:border-box">
<span data-position="9905" data-size="5" style="box-sizing:border-box">scope</span><br style="box-sizing:border-box">
<span data-position="9917" data-size="63" style="box-sizing:border-box">REQUIRED. scope parameter value, as specified in Section 3.1.2.</span></li><li data-startline="172" data-endline="173" data-position="9981" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="9981" data-size="12" style="box-sizing:border-box">response_type</span><br style="box-sizing:border-box">
<span data-position="10001" data-size="40" style="box-sizing:border-box">REQUIRED. Constant string value id_token.</span></li><li data-startline="174" data-endline="175" data-position="10043" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10043" data-size="8" style="box-sizing:border-box">client_id</span><br style="box-sizing:border-box">
<span data-position="10059" data-size="94" style="box-sizing:border-box">REQUIRED. RP ID value for the RP, which in this case contains the redirect_uri value of the RP.</span></li><li data-startline="176" data-endline="177" data-position="10155" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10155" data-size="7" style="box-sizing:border-box">sub_type</span><br style="box-sizing:border-box">
<span data-position="10171" data-size="92" style="box-sizing:border-box">REQUIRED. A space-separated string denoting the URI types that the OpenID provider supports.</span></li><li data-startline="178" data-endline="179" data-position="10264" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10264" data-size="11" style="box-sizing:border-box">id_token_hint</span><br style="box-sizing:border-box">
<span data-position="10284" data-size="207" style="box-sizing:border-box">OPTIONAL. id_token_hint parameter value, as specified in Section 3.1.2. If the ID Token is encrypted to the Self-Issued OP, the sub (subject) of the signed ID Token MUST be sent as the
 kid (Key ID) of the JWE.</span></li><li data-startline="180" data-endline="181" data-position="10495" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10495" data-size="6" style="box-sizing:border-box">claims</span><br style="box-sizing:border-box">
<span data-position="10508" data-size="62" style="box-sizing:border-box">OPTIONAL. claims parameter value, as specified in Section 5.5.</span></li><li data-startline="182" data-endline="183" data-position="10571" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10571" data-size="12" style="box-sizing:border-box">registration</span><br style="box-sizing:border-box">
<span data-position="10590" data-size="202" style="box-sizing:border-box">OPTIONAL. This parameter is used by the RP to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic RP Registration, as specified
 in Section 7.2.1.</span></li><li data-startline="184" data-endline="186" data-position="10793" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="10793" data-size="7" style="box-sizing:border-box">request</span><br style="box-sizing:border-box">
<span data-position="10807" data-size="250" style="box-sizing:border-box">OPTIONAL. Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to the Self-Issued OP by the RP. In this case, the sub (subject) of a previously issued
 ID Token for this RP MUST be sent as the kid (Key ID) of the JWE.</span></li></ul>
<p class="part" data-startline="187" data-endline="187" data-position="11058" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="11058" data-size="80" style="box-sizing:border-box">Other parameters MAY be sent. Note that all Claims are returned in the ID Token.</span></p>
<p class="part" data-startline="189" data-endline="189" data-position="11140" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="11140" data-size="53" style="box-sizing:border-box">The entire URL MUST NOT exceed 2048 ASCII characters.</span></p>
<p class="part" data-startline="191" data-endline="191" data-position="11195" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="11195" data-size="223" style="box-sizing:border-box">The following is a non-normative example HTTP 302 redirect response by the RP, which triggers the User Agent to make an Authentication Request to the Self-Issued OP (with line wraps within
 values for display purposes only):</span></p>
<pre class="part" data-startline="192" data-endline="204" data-position="11419" style="box-sizing:border-box;overflow:auto;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51, 51, 51);word-break:break-all;background-color:rgb(247, 247, 247);border:inherit !important;border-radius:3px;letter-spacing:0.35px"><code style="box-sizing:border-box;color:inherit !important;background:transparent;border-radius:3px;margin:0px;display:inline">  HTTP/1.1 302 Found
  Location: openid://?
    response_type=id_token
    &client_id=https%3A%2F%2Fclient.example.org%2Fcb
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile
    &identifier_uri=jwkthumb%3A%20did%3Akey%3A%20
    &state=af0ifjsldkj
    &nonce=n-0S6_WzA2Mj
    &registration=%7B%22logo_uri%22%3A%22https%3A%2F%2F
      client.example.org%2Flogo.png%22%7D
</code></pre>
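<p>The parameter rules above, seen from the receiving side: an added example (not part of the draft) of how a Self-Issued OP could check an incoming request before acting on it. The function and helper names and the sample request are constructed for illustration, requiring the <code>openid</code> scheme is an assumption taken from the example redirect, and <code>invalid_request</code> and <code>unsupported_response_type</code> are the standard OAuth 2.0 error codes, used here where Section 7.4.4 defines none.</p>

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_URL_LENGTH = 2048  # "The entire URL MUST NOT exceed 2048 ASCII characters."
REQUIRED_PARAMS = ("scope", "response_type", "client_id", "sub_type")


def check_siop_request(url: str):
    """Return (error_code, detail); error_code is None when the request is acceptable."""
    if len(url) > MAX_URL_LENGTH or not url.isascii():
        return "invalid_request", "URL is longer than 2048 characters or not ASCII"
    parts = urlsplit(url)
    if parts.scheme != "openid":
        return "invalid_request", "not an openid:// request"

    # OAuth 2.0 forbids repeated parameters; a dict alone would hide the duplicate.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return "invalid_request", "a parameter is repeated"

    for name in REQUIRED_PARAMS:
        if not params.get(name):
            return "invalid_request", f"missing REQUIRED parameter {name}"
    if params["response_type"] != "id_token":
        return "unsupported_response_type", "response_type must be id_token"

    # client_id carries the redirect_uri value, so the two must agree when both are sent.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is not None and redirect_uri != params["client_id"]:
        return "invalid_request", "client_id does not match redirect_uri"

    # registration is OPTIONAL, but when present it must be a JSON object (Section 7.4.4).
    if "registration" in params:
        try:
            metadata = json.loads(params["registration"])
        except ValueError:
            return "invalid_registration_object", "registration is not valid JSON"
        if not isinstance(metadata, dict):
            return "invalid_registration_object", "registration is not a JSON object"
    return None, "ok"


def build_sample_request(**overrides) -> str:
    """Constructed sample request; pass keyword overrides to break one parameter."""
    params = {
        "response_type": "id_token",
        "client_id": "https://client.example.org/cb",
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid profile",
        "sub_type": "jkt did",
        "state": "af0ifjsldkj",
        "nonce": "n-0S6_WzA2Mj",
        "registration": json.dumps({"logo_uri": "https://client.example.org/logo.png"}),
    }
    params.update(overrides)
    return "openid://?" + urlencode(params)


if __name__ == "__main__":
    print(check_siop_request(build_sample_request()))
    print(check_siop_request(build_sample_request(registration="{not json")))
```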
<h2 class="part" data-startline="209" data-endline="209" data-id="76-Self-Issued-OpenID-Provider-Response" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#76-Self-Issued-OpenID-Provider-Response" title="76-Self-Issued-OpenID-Provider-Response" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="11837" data-size="42" style="box-sizing:border-box">7.6.
 Self-Issued OpenID Provider Response</span></h2>
<p class="part" data-startline="211" data-endline="211" data-position="11881" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="11881" data-size="338" style="box-sizing:border-box">Self-Issued OpenID Provider Response is returned when Self-Issued OP supports all of the Relying Party Registration metadata values received from the Relying Party in the registration
 parameter. If even one of the Relying Party Registration Metadata Values is not supported, Self-Issued OP MUST return an error according to Section 7.4.4.</span></p>
<p class="part" data-startline="213" data-endline="213" data-position="12221" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="12221" data-size="124" style="box-sizing:border-box">OpenID Connect defines the following claims to be included in the ID token for use in Self-Issued OpenID Provider Responses:</span></p>
<ul class="part" data-startline="215" data-endline="221" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="215" data-endline="216" data-position="12350" data-size="0" style="box-sizing:border-box">
<span data-position="12350" data-size="3" style="box-sizing:border-box">sub</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li data-startline="216" data-endline="216" data-position="12360" data-size="0" style="box-sizing:border-box">
<span data-position="12360" data-size="75" style="box-sizing:border-box">REQUIRED. Subject identifier value, represented by a URI. When sub type is<span> </span></span><code data-position="12436" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="12440" data-size="88" style="box-sizing:border-box">,
 the value is the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code data-position="12529" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="12537" data-size="25" style="box-sizing:border-box"><span> </span>Claim.
 When sub type is<span> </span></span><code data-position="12563" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><span data-position="12567" data-size="691" style="box-sizing:border-box">,
 the value is a decentralized identifier. The thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic
 order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member
 names crv, kty, x, and y are present in that order. Note that this thumbprint calculation is the same as that defined in the JWK Thumbprint [RFC7638] specification.</span></li></ul>
</li><li data-startline="217" data-endline="218" data-position="13261" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="13261" data-size="6" style="box-sizing:border-box">sub_jwk</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li data-startline="218" data-endline="218" data-position="13275" data-size="0" style="box-sizing:border-box">
<span data-position="13275" data-size="184" style="box-sizing:border-box">REQUIRED. A secure binding between the subject of the verifiable credential and the subject identifier (and related keys) of the holder who creates the presentation. When sub type is<span> </span></span><code data-position="13460" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="13464" data-size="95" style="box-sizing:border-box">,
 the key is a bare key in JWK [JWK] format (not an X.509 certificate value). When sub type is<span> </span></span><code data-position="13560" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><span data-position="13564" data-size="240" style="box-sizing:border-box">,
 sub_jwk MUST contain a kid that is a DID URL referring to the verification method in the Self-Issued OP’s DID Document that can be used to verify the JWS of the id_token directly or indirectly. The sub_jwk value is a JSON object. Use of the<span> </span></span><code data-position="13808" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="13816" data-size="57" style="box-sizing:border-box"><span> </span>Claim
 is NOT RECOMMENDED when the OP is not Self-Issued.</span></li></ul>
</li><li data-startline="219" data-endline="221" data-position="13876" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="13876" data-size="2" style="box-sizing:border-box">vp</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li data-startline="220" data-endline="221" data-position="13885" data-size="0" style="box-sizing:border-box">
<span data-position="13885" data-size="277" style="box-sizing:border-box">OPTIONAL. A JSON object that represents a JWT verifiable presentation, following the W3C Verifiable Credentials Specification [VC-DATA-MODEL]. Verifiable Credentials must be embedded in
 the Verifiable Presentation following the W3C Verifiable Credentials Specification [VC-DATA-MODEL].</span></li></ul>
</li></ul>
<p class="part" data-startline="222" data-endline="222" data-position="14168" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="14168" data-size="224" style="box-sizing:border-box">Verifiable Presentation is data derived from one or more Verifiable Credentials, issued by one or more issuers, that is shared with a specific verifier. Verifiable Credential is a set
 of one or more claims made by an issuer.</span></p>
<p class="part" data-startline="224" data-endline="224" data-position="14394" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="14394" data-size="120" style="box-sizing:border-box">Self-Issued OP may present credentials to the RP using Verifiable Presentation credential format by including it in the<span> </span></span><code data-position="14515" data-size="2" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">vp</code><span data-position="14518" data-size="27" style="box-sizing:border-box"><span> </span>claim
 inside the ID token.</span></p>
<p class="part" data-startline="226" data-endline="226" data-position="14548" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="14548" data-size="311" style="box-sizing:border-box">Whether the Self-Issued OP is a mobile client or a web client, the response is the same as the normal Implicit Flow response with the following refinements. Since it is an Implicit Flow response,
 the response parameters will be returned in the URL fragment component, unless a different Response Mode was specified.</span></p>
<ol class="part" data-startline="228" data-endline="233" data-position="14861" data-size="0" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="228" data-endline="228" data-position="14864" data-size="0" style="box-sizing:border-box">
<span data-position="14864" data-size="4" style="box-sizing:border-box">The<span> </span></span><code data-position="14869" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">iss</code><span data-position="14873" data-size="52" style="box-sizing:border-box"><span> </span>(issuer)
 Claim Value is <code>https://self-issued.me/</code>.</span></li><li data-startline="229" data-endline="229" data-position="14929" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="14929" data-size="2" style="box-sizing:border-box">A<span> </span></span><code data-position="14932" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="14940" data-size="99" style="box-sizing:border-box"><span> </span>Claim
 is present, with its value being the public key used to check the signature of the ID Token.</span></li><li data-startline="230" data-endline="230" data-position="15043" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="15043" data-size="4" style="box-sizing:border-box">The<span> </span></span><code data-position="15048" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="15052" data-size="106" style="box-sizing:border-box"><span> </span>(subject)
 Claim value is either the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code data-position="15159" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="15167" data-size="37" style="box-sizing:border-box"><span> </span>Claim
 or a decentralized identifier.</span></li><li data-startline="231" data-endline="233" data-position="15209" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="15209" data-size="110" style="box-sizing:border-box">No Access Token is returned for accessing a UserInfo Endpoint, so all Claims returned MUST be in the ID Token.</span></li></ol>
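<p>The thumbprint rule for <code>sub</code> and the binding between <code>sub</code> and <code>sub_jwk</code> described above, as an added example that is not part of the draft. It covers sub type <code>jkt</code> only and performs claim-level checks; validating the ID Token signature with the <code>sub_jwk</code> key is a separate step left to a JOSE library. The function names, the sample key and the sample claims are constructed for illustration.</p>

```python
import base64
import hashlib
import json

# Issuer value for Self-Issued ID Tokens, as in OpenID Connect Core.
SELF_ISSUED_ISS = "https://self-issued.me"

# REQUIRED members per key type, already in lexicographic order (RFC 7638).
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> bytes:
    """UTF-8 octets of the JWK reduced to its REQUIRED members, sorted, no white space."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    reduced = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"JWK member {name!r} is missing or not a string")
        reduced[name] = value
    return json.dumps(reduced, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)): the sub value for sub type jkt."""
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())


def check_self_issued_claims(claims: dict, redirect_uri: str) -> list:
    """Return a list of problems found in the claims; an empty list means they pass."""
    problems = []
    if claims.get("iss") != SELF_ISSUED_ISS:
        problems.append("iss is not the self-issued issuer")

    # aud may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if redirect_uri not in audiences:
        problems.append("aud does not contain the redirect_uri that was sent")

    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub_jwk, dict):
        problems.append("sub_jwk is missing or not a JSON object")
        return problems
    try:
        expected_sub = jwk_thumbprint(sub_jwk)
    except ValueError as exc:
        problems.append(f"sub_jwk is unusable: {exc}")
        return problems
    # Without this binding, any key could be presented under someone else's sub.
    if claims.get("sub") != expected_sub:
        problems.append("sub is not the thumbprint of sub_jwk")
    return problems


# Constructed sample key: the coordinates are filler bytes, not a real curve point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "constructed-key-1",  # not a REQUIRED member, so the thumbprint ignores it
}
SAMPLE_REDIRECT_URI = "https://client.example.org/cb"
SAMPLE_CLAIMS = {  # constructed claims of an ID Token whose signature was already checked
    "iss": SELF_ISSUED_ISS,
    "aud": SAMPLE_REDIRECT_URI,
    "sub": jwk_thumbprint(SAMPLE_JWK),
    "sub_jwk": SAMPLE_JWK,
    "nonce": "n-0S6_WzA2Mj",
}

if __name__ == "__main__":
    print(canonical_jwk(SAMPLE_JWK).decode())
    print(check_self_issued_claims(SAMPLE_CLAIMS, SAMPLE_REDIRECT_URI))
    swapped = dict(SAMPLE_CLAIMS, sub_jwk=dict(SAMPLE_JWK, x=b64url(bytes(32))))
    print(check_self_issued_claims(swapped, SAMPLE_REDIRECT_URI))
```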
<h2 class="part" data-startline="234" data-endline="234" data-id="77-Self-Issued-ID-Token-Validation" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#77-Self-Issued-ID-Token-Validation" title="77-Self-Issued-ID-Token-Validation" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="15325" data-size="37" style="box-sizing:border-box">7.7.
 Self-Issued ID Token Validation</span></h2>
<p class="part" data-startline="235" data-endline="235" data-position="15363" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="15363" data-size="64" style="box-sizing:border-box">To validate the ID Token received, the RP MUST do the following:</span></p>
<ol class="part" data-startline="237" data-endline="246" data-position="15429" data-size="0" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="237" data-endline="237" data-position="15432" data-size="0" style="box-sizing:border-box">
<span data-position="15432" data-size="59" style="box-sizing:border-box">The Relying Party (RP) MUST validate that the value of the<span> </span></span><code data-position="15492" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">iss</code><span data-position="15496" data-size="19" style="box-sizing:border-box"><span> </span>(issuer)
 Claim is<span> </span></span><code data-position="15516" data-size="21" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">https://self-issued.me</code><span data-position="15538" data-size="132" style="box-sizing:border-box">.
 If iss contains a different value, the ID Token is not Self-Issued, and instead it MUST be validated according to Section 3.1.3.7.</span></li><li data-startline="238" data-endline="238" data-position="15674" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="15674" data-size="30" style="box-sizing:border-box">The RP MUST validate that the<span> </span></span><code data-position="15705" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">aud</code><span data-position="15709" data-size="44" style="box-sizing:border-box"><span> </span>(audience)
 Claim contains the value of the<span> </span></span><code data-position="15754" data-size="12" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">redirect_uri</code><span data-position="15767" data-size="63" style="box-sizing:border-box"><span> </span>that
 the RP sent in the Authentication Request as an audience.</span></li><li data-startline="239" data-endline="239" data-position="15834" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="15834" data-size="68" style="box-sizing:border-box">The RP MUST validate the signature of the ID Token. When sub type is<span> </span></span><code data-position="15903" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="15907" data-size="143" style="box-sizing:border-box">,
 validation is done according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header, using the key in the<span> </span></span><code data-position="16051" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="16059" data-size="24" style="box-sizing:border-box"><span> </span>Claim.
 When sub type is<span> </span></span><code data-position="16084" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><span data-position="16088" data-size="185" style="box-sizing:border-box">,
 validation is done using the key derived as a result of DID Resolution as defined in [DID-CORE]. The key is a bare key in JWK format (not an X.509 certificate value) when sub type is<span> </span></span><code data-position="16274" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="16278" data-size="47" style="box-sizing:border-box"><span> </span>or
 may be another key format when sub type is<span> </span></span><code data-position="16326" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><span data-position="16330" data-size="1" style="box-sizing:border-box">.</span></li><li data-startline="240" data-endline="240" data-position="16335" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="16335" data-size="8" style="box-sizing:border-box">Default<span> </span></span><code data-position="16344" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">alg</code><span data-position="16348" data-size="55" style="box-sizing:border-box"><span> </span>value
 is RS256. It MAY also be ES256, ES256K or EdDSA.</span></li><li data-startline="241" data-endline="241" data-position="16407" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="16407" data-size="29" style="box-sizing:border-box">The RP MUST validate that the<span> </span></span><code data-position="16437" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="16441" data-size="23" style="box-sizing:border-box"><span> </span>claim
 is bound to the<span> </span></span><code data-position="16465" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="16473" data-size="24" style="box-sizing:border-box"><span> </span>value.
 When sub type is<span> </span></span><code data-position="16498" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">jkt</code><span data-position="16502" data-size="124" style="box-sizing:border-box">,
 the RP MUST validate that the sub Claim value is the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code data-position="16627" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="16635" data-size="54" style="box-sizing:border-box"><span> </span>Claim,
 as specified in Section 7.6. When sub type is<span> </span></span><code data-position="16690" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">did</code><span data-position="16694" data-size="32" style="box-sizing:border-box">,
 the RP MUST validate that the<span> </span></span><code data-position="16727" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">kid</code><span data-position="16731" data-size="8" style="box-sizing:border-box"><span> </span>of
 the<span> </span></span><code data-position="16740" data-size="7" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub_jwk</code><span data-position="16748" data-size="128" style="box-sizing:border-box"><span> </span>claim
 matches the verification method from the DID Document that is obtained by resolving the decentralized identifier included in the<span> </span></span><code data-position="16877" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">sub</code><span data-position="16881" data-size="7" style="box-sizing:border-box"><span> </span>claim.</span></li><li data-startline="242" data-endline="242" data-position="16892" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="16892" data-size="60" style="box-sizing:border-box">The current time MUST be before the time represented by the<span> </span></span><code data-position="16953" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">exp</code><span data-position="16957" data-size="75" style="box-sizing:border-box"><span> </span>Claim
 (possibly allowing for some small leeway to account for clock skew).</span></li><li data-startline="243" data-endline="243" data-position="17036" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="17036" data-size="4" style="box-sizing:border-box">The<span> </span></span><code data-position="17041" data-size="3" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">iat</code><span data-position="17045" data-size="203" style="box-sizing:border-box"><span> </span>Claim
 can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is RP specific.</span></li><li data-startline="244" data-endline="246" data-position="17252" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="17252" data-size="5" style="box-sizing:border-box">If a<span> </span></span><code data-position="17258" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">nonce</code><span data-position="17264" data-size="49" style="box-sizing:border-box"><span> </span>value
 was sent in the Authentication Request, a<span> </span></span><code data-position="17314" data-size="5" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">nonce</code><span data-position="17320" data-size="161" style="box-sizing:border-box"><span> </span>Claim
 MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The RP SHOULD check the<span> </span></span><code data-position="17482" data-size="6" style="box-sizing:border-box;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;padding:0.2em 0px;color:inherit !important;background-color:rgba(0, 0, 0, 0.04);border-radius:3px;margin:0px">nonce<span> </span></code><span data-position="17489" data-size="89" style="box-sizing:border-box">value
 for replay attacks. The precise method for detecting replay attacks is RP specific.</span></li></ol>
<p class="part" data-startline="247" data-endline="247" data-position="17581" data-size="0" style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<span data-position="17581" data-size="143" style="box-sizing:border-box">The following is a non-normative example of a base64url decoded Self-Issued ID Token (with line wraps within values for display purposes only):</span></p>
<pre class="part" data-startline="249" data-endline="277" data-position="17726" style="box-sizing:border-box;overflow:auto;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51, 51, 51);word-break:break-all;background-color:rgb(247, 247, 247);border:inherit !important;border-radius:3px;letter-spacing:0.35px"><code style="box-sizing:border-box;color:inherit !important;background:transparent;border-radius:3px;margin:0px;display:inline">  {
   "iss": "https://self-issued.me",
   "sub": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
   "aud": "https://client.example.org/cb",
   "nonce": "n-0S6_WzA2Mj",
   "exp": 1311281970,
   "iat": 1311280970,
   "sub_jwk": {
     "kty":"RSA",
     "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
     4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
     tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
     QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
     SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
     w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
     "e":"AQAB"
   },
   "vp": {
     "@context": [
       "https://www.w3.org/2018/credentials/v1",
       "https://www.w3.org/2018/credentials/examples/v1"
     ],
     "type": ["VerifiablePresentation"],
     "verifiableCredential": ["..."]
   }
  }
  
</code></pre>
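<p>The claim checks listed above for sub type <code>jkt</code>, applied to the example token's claims, as an added sketch that is not part of the draft. It assumes the JWS signature has already been verified against the key in <code>sub_jwk</code> with a JOSE library (not shown); the function names, the 60-second skew, the 600-second <code>iat</code> window and the in-memory nonce set are assumptions.</p>

```python
import base64
import hashlib
import hmac
import json

# Members hashed for an RFC 7638 thumbprint, per key type (RFC 8037 for OKP).
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
             "OKP": ("crv", "kty", "x")}

# Claims of the non-normative example token above ("vp" omitted).
EXAMPLE_CLAIMS = {
    "iss": "https://self-issued.me",
    "sub": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
    "aud": "https://client.example.org/cb",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "sub_jwk": {
        "kty": "RSA",
        "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx"
              "4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs"
              "tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2"
              "QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI"
              "SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb"
              "w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"),
        "e": "AQAB",
    },
}


class IDTokenError(Exception):
    """Raised when a Self-Issued ID Token fails a validation step."""


def _same(a, b):
    """Constant-time comparison of two strings; False if either is not a str."""
    return (isinstance(a, str) and isinstance(b, str)
            and hmac.compare_digest(a.encode(), b.encode()))


def jwk_thumbprint(jwk):
    """Return base64url(SHA-256(canonical JWK)) per RFC 7638, unpadded."""
    members = _REQUIRED.get(jwk.get("kty"))
    if members is None or any(not isinstance(jwk.get(m), str) for m in members):
        raise IDTokenError("sub_jwk lacks the members required for its kty")
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_claims(claims, redirect_uri, sent_nonce, seen_nonces, now,
                    skew=60, max_age=600):
    """Run the jkt claim checks on signature-verified claims; return sub."""
    aud = claims.get("aud")
    if redirect_uri not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("aud does not contain the request's redirect_uri")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub_jwk, dict):
        raise IDTokenError("sub_jwk is missing")
    if not _same(claims.get("sub"), jwk_thumbprint(sub_jwk)):
        raise IDTokenError("sub is not the thumbprint of sub_jwk")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp + skew:
        raise IDTokenError("token has expired")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age + skew:
        raise IDTokenError("iat is outside the accepted window")
    if sent_nonce is not None:
        nonce = claims.get("nonce")
        if not _same(nonce, sent_nonce):
            raise IDTokenError("nonce does not match the request")
        if nonce in seen_nonces:  # replay of an already accepted token
            raise IDTokenError("nonce was already used")
        seen_nonces.add(nonce)
    return claims["sub"]
```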
<h1 class="part" data-startline="279" data-endline="279" data-id="Possible-Future-Work" style="box-sizing:border-box;margin:24px 0px 16px;font-size:2em;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#Possible-Future-Work" title="Possible-Future-Work" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="18625" data-size="20" style="box-sizing:border-box">Possible
 Future Work</span></h1>
<ul class="part" data-startline="280" data-endline="283" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="280" data-endline="281" data-position="18648" data-size="0" style="box-sizing:border-box">
<span data-position="18648" data-size="27" style="box-sizing:border-box">Define Claims Issuance Flow</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li data-startline="281" data-endline="281" data-position="18682" data-size="0" style="box-sizing:border-box">
<span data-position="18682" data-size="176" style="box-sizing:border-box">Need to define a flow for how the Self-Issued OP requests and receives claims from a Claims Provider that the Self-Issued OP can present to the RP in a Self-Issued OpenID Provider response.</span></li></ul>
</li><li data-startline="282" data-endline="283" data-position="18862" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="18862" data-size="63" style="box-sizing:border-box">Define a flow when RP and Self-Issued OP are on the same device</span></li></ul>
<h1 class="part" data-startline="284" data-endline="284" data-id="References" style="box-sizing:border-box;margin:24px 0px 16px;font-size:2em;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#References" title="References" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="18933" data-size="10" style="box-sizing:border-box">References</span></h1>
<h2 class="part" data-startline="286" data-endline="286" data-id="Normative-References" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#Normative-References" title="Normative-References" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="18948" data-size="20" style="box-sizing:border-box">Normative
 References</span></h2>
<ul class="part" data-startline="287" data-endline="295" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="287" data-endline="287" data-position="18971" data-size="0" style="box-sizing:border-box">
<span data-position="18971" data-size="11" style="box-sizing:border-box">[DID-CORE]<span> </span></span><a href="https://github.com/w3c/did-core" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="18982" data-size="31" style="box-sizing:border-box">https://github.com/w3c/did-core</span></a><span data-position="19013" data-size="27" style="box-sizing:border-box"><span> </span>(not
 yet a ratified draft)</span></li><li data-startline="288" data-endline="288" data-position="19043" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19043" data-size="10" style="box-sizing:border-box">[VC-DATA]<span> </span></span><a href="https://www.w3.org/TR/vc-data-model/" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19053" data-size="36" style="box-sizing:border-box">https://www.w3.org/TR/vc-data-model/</span></a></li><li data-startline="289" data-endline="289" data-position="19092" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19092" data-size="10" style="box-sizing:border-box">[RFC6749]<span> </span></span><a href="https://tools.ietf.org/html/rfc6749" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19102" data-size="35" style="box-sizing:border-box">https://tools.ietf.org/html/rfc6749</span></a></li><li data-startline="290" data-endline="290" data-position="19140" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19140" data-size="10" style="box-sizing:border-box">[RFC6750]<span> </span></span><a href="https://tools.ietf.org/html/rfc6750" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19150" data-size="35" style="box-sizing:border-box">https://tools.ietf.org/html/rfc6750</span></a></li><li data-startline="291" data-endline="291" data-position="19188" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19188" data-size="14" style="box-sizing:border-box">[OpenID.Core]<span> </span></span><a href="https://openid.net/specs/openid-connect-core-1_0.html" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19202" data-size="53" style="box-sizing:border-box">https://openid.net/specs/openid-connect-core-1_0.html</span></a></li><li data-startline="292" data-endline="292" data-position="19258" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19258" data-size="10" style="box-sizing:border-box">[RFC7638]<span> </span></span><a href="https://tools.ietf.org/html/rfc7638" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19268" data-size="35" style="box-sizing:border-box">https://tools.ietf.org/html/rfc7638</span></a></li><li data-startline="293" data-endline="293" data-position="19306" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19306" data-size="22" style="box-sizing:border-box">[OpenID.Registration]<span> </span></span><a href="https://openid.net/specs/openid-connect-registration-1_0.html" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19328" data-size="61" style="box-sizing:border-box">https://openid.net/specs/openid-connect-registration-1_0.html</span></a></li><li data-startline="294" data-endline="295" data-position="19392" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19392" data-size="22" style="box-sizing:border-box">[did-spec-registries]<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19414" data-size="54" style="box-sizing:border-box">https://w3c.github.io/did-spec-registries/#did-methods</span></a></li></ul>
<h2 class="part" data-startline="296" data-endline="296" data-id="Non-Normative-References" style="box-sizing:border-box;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51, 51, 51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238, 238, 238);letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<a class="anchor hidden-xs" href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#Non-Normative-References" title="Non-Normative-References" style="box-sizing:border-box;color:rgb(51, 122, 183);float:left;padding-right:4px;margin-left:-20px;line-height:1"><span class="octicon octicon-link" style="box-sizing:border-box;font:16px / 1 octicons;display:inline-block;text-rendering:auto;user-select:none;color:rgb(0, 0, 0);vertical-align:middle;visibility:hidden"></span></a><span data-position="19473" data-size="24" style="box-sizing:border-box">Non-Normative
 References</span></h2>
<ul class="part" data-startline="297" data-endline="300" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51, 51, 51);font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Helvetica, Roboto, Arial, "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", Osaka, Meiryo, メイリオ, "MS Gothic", "MS ゴシック", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255, 255, 255)">
<li data-startline="297" data-endline="297" data-position="19500" data-size="0" style="box-sizing:border-box">
<span data-position="19500" data-size="37" style="box-sizing:border-box">[draft-jones-self_issued_identifier]<span> </span></span><a href="https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19537" data-size="90" style="box-sizing:border-box">https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md</span></a></li><li data-startline="298" data-endline="300" data-position="19630" data-size="0" style="box-sizing:border-box;padding-top:0.25em">
<span data-position="19630" data-size="20" style="box-sizing:border-box">[siop-requirements]<span> </span></span><a href="https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md" target="_blank" rel="noopener" style="box-sizing:border-box;color:rgb(51, 122, 183)"><span data-position="19650" data-size="73" style="box-sizing:border-box">https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md</span></a></li></ul>
<br>
</div>
<br>
</div>
</body>
</html>