<div dir="ltr">In my opinion this does not solve the fundamental problem of SIOP, which is communication between the browser and the SIOP (wallet). I don't see much point in standards that will have a similar acceptance to OpenID 2.0, with incomprehensible identifiers and disjointed UX.<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peace ..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 18, 2020 at 5:06 PM Kristina Yasuda via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">




<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US">Dear AB/Connect WG experts,</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US">I would like to contribute a Self-Issued OpenID Provider v2 draft to the working group. Several working group members, including Torsten, Tobias, Mike and Pam, helped review it, and it incorporates ideas from Tom's OpenID Self Issued Identifiers draft.</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US">It is a work in progress, but I think the document is ready for others to review and for working group discussion.</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US"> </p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt" lang="en-US">Please find below the full text of the draft. You can also read the current version of the draft at the following link: <a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view" target="_blank">https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view</a></p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt">Best,</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt">Kristina</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:游ゴシック;font-size:11pt"><br>
</p>
<div style="margin:0px 0in;font-family:游ゴシック;font-size:11pt">
<h1 style="box-sizing:border-box;margin-bottom:16px;font-size:2em;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255);margin-top:0px">
<span style="box-sizing:border-box">Self-Issued OpenID Provider v2 draft</span></h1>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">This document defines a new scope as well as rules for the use of OpenID Connect to present credentials that may be validated through the use of decentralized identifiers, and Verifiable Credentials using a Self-Issued OpenID Provider (section 7 of [OpenID.Core]) in addition to the current scope.</span></p>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7. Self-Issued OpenID Provider</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">OpenID Connect supports Self-Issued OpenID Providers (Self-Issued OPs) - personal OpenID Providers that issue self-signed ID Tokens, enabling portability of the identities among providers.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">This section defines how a Holder provides an ID Token to the Relying Party (RP) through the Self-Issued OP, and how a Holder asks for and receives attested claims that can be included in the ID Token.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Specifications for the few additional parameters used and for the values of some parameters in the Self-Issued case are defined in this section.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">NOTE: this section only outlines the verification process for the RP to request authentication information (either only log-in and/or claims) from a Self-Issued OP. Issuance of credentials from the OpenID Provider to a Self-Issued OP that is acting in the RP's capacity is out of scope of this section.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.1. Terminology</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Common terms in this document come from four primary sources: [DID-CORE], [VC-DATA], [RFC6749] and [OpenID.Core]. In the case where a term has a definition that differs, the definition below is authoritative.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.2. Protocol Flow</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">A Self-Issued OpenID Provider Request is an OpenID Connect Authentication Request that results in a Holder providing an ID Token to the Relying Party through the Self-Issued OP. The ID Token MAY include attested claims about the Holder.</span></p>
<pre style="box-sizing:border-box;overflow:auto;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51,51,51);word-break:break-all;background-color:rgb(247,247,247);border-radius:3px;letter-spacing:0.35px;border:inherit"><code style="box-sizing:border-box;background:transparent;border-radius:3px;margin:0px;display:inline;color:inherit">+----------+                                                    +--------+
|          |                                                    |        |
|          |-------(1) Self-Issued OpenID Provider Request----->|        |
|          |          (OpenID Connect Authentication Request)   |        |
|          |                     +--------+                     |        |
|          |                     |        |                     |        |         
|          |                     |  Hol-  |                     |        |         
|    RP    |                     |  der   |<-(2) AuthN & AuthZ->|   OP   |
|          |                     |        |                     | (Self- |
|          |                     +--------+                     | Issued |
|          |                                                    |   OP)  |
|          |<------(3) Self-Issued OpenID Provider Response-----|        |
|          |                 (ID Token)                         |        |
|          |                                                    |        |   
+----------+                                                    +--------+
</code></pre>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.3. Self-Issued OpenID Provider Discovery</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">A Self-Issued OP MUST associate a custom scheme<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">openid://</code><span style="box-sizing:border-box"><span> </span>with itself. A Relying Party MUST call<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">openid://</code><span style="box-sizing:border-box"><span> </span>when sending a request to a Self-Issued OP.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">NOTE: consider using deep links for discovery in scenarios where the Self-Issued OP is a PWA.</span></p>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.4. Self-Issued OP Registration</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">OpenID Connect defines the following registration parameters to enable a Relying Party to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic RP Registration:</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<p style="box-sizing:border-box;margin:16px 0px">
<span style="box-sizing:border-box">registration</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. This parameter enables RP Registration Metadata to be passed in a single, self-contained parameter. The value is a JSON object containing RP Registration Metadata values.</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">NOTE: Do we also need to support JWT registration values?</span></p>
</li><li style="box-sizing:border-box;padding-top:0.25em">
<p style="box-sizing:border-box;margin:16px 0px">
<span style="box-sizing:border-box">registration_uri</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. This parameter enables RP Registration Metadata to be passed by reference, rather than by value. The registration_uri value is a URL using the https scheme referencing a resource containing RP Registration Metadata values.</span></p>
</li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">RP Registration Metadata values are defined in Section 7.4.3 and Section 2.1 of the OpenID Connect Dynamic RP Registration 1.0 [OpenID.Registration] specification.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">If the Self-Issued OP supports the same parameters, the Self-Issued OpenID Provider flow continues; if the Self-Issued OP does not support them, it returns an error.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Configuration values should preferably be sent by reference as a URI using the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration_uri</code><span style="box-sizing:border-box"><span> </span>parameter, but when the RP cannot host a web server, configuration values should be sent by value using the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration</code><span style="box-sizing:border-box"><span> </span>parameter.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The RP MUST use one of these parameters, but if one of them is used, the other MUST NOT be used in the same request.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">These registration parameters SHOULD NOT be used when the OP is not a Self-Issued OP.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.4.1. Passing Relying Party Registration Metadata by Value</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration</code><span style="box-sizing:border-box"><span> </span>SIOP
 Request parameter enables RP Registration Metadata to be passed in a single, self-contained parameter.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The registration parameter value is represented in an OAuth 2.0 request as a UTF-8 encoded JSON object (which ends up being form-urlencoded when passed as an OAuth parameter). When used
 in a Request Object value, per Section 6.1, the JSON object is used as the value of the registration member.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The following value MUST be included in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration</code><span style="box-sizing:border-box"><span> </span>parameter when it is used:</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">client_id</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">redirect_uri value of the RP.</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">NOTE: Is this still needed?</span></li></ul>
</li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The Registration parameters that would typically be used in requests to Self-Issued OPs are policy_uri, tos_uri, and logo_uri. If the RP uses more than one Redirection URI, the redirect_uris
 parameter would be used to register them. Finally, if the RP is requesting encrypted responses, it would typically use the jwks_uri, id_token_encrypted_response_alg and id_token_encrypted_response_enc parameters.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The registration parameter may include the decentralized identifier of the RP.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">7.4.2. Passing Relying Party Registration Metadata by Reference</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration_uri</code><span style="box-sizing:border-box"><span> </span>SIOP
 Request parameter enables RP Registration Metadata to be passed by reference.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">This parameter is used identically to the request parameter, other than that the Relying Party registration metadata value is retrieved from the resource at the specified URL, rather than
 passed by value.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The contents of the resource referenced by the URL MUST be a RP Registration Metadata Object. The scheme used in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">registration_uri</code><span style="box-sizing:border-box"><span> </span>value
 MUST be https. The request_uri value MUST be reachable by the Self-Issued OP, and SHOULD be reachable by the RP.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#743-Relying-Party-Registration-Metadata-Values" title="743-Relying-Party-Registration-Metadata-Values" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.4.3.
 Relying Party Registration Metadata Values</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">OpenID Conect defineds following RP Registration Metadata values that are used by RP to provide information about itself to the Self-Issued OP:</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Static Values</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">authorization_endpoint</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. MUST be<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">openid:</code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">issuer</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. MUST be<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit"><a href="https://self-issued.me/v2" target="_blank">https://self-issued.me/v2</a></code></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">response_types_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">MUST be<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">id_token</code></li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Dynamic Values</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">scopes_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">openid</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">profile</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">email</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">address</code><span style="box-sizing:border-box">,
 and<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">phone</code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">subject_types_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">pairwise</code><span style="box-sizing:border-box"><span> </span>and<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">public</code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">sub_types_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box"><span> </span>and
 concrete DID methods supported. DID methods supported must take the value of<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">Method
 Name</code><span style="box-sizing:border-box"><span> </span>in Chapter 9 of<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">did-spec-registries</span></a><span style="box-sizing:border-box">,
 such as<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did:peer:</code></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">id_token_signing_alg_values_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">RS256</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">ES256</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">ES256K</code><span style="box-sizing:border-box">,
 and<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">EdDSA</code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">request_object_signing_alg_values_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Valid values include<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">none</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">RS256</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">ES256</code><span style="box-sizing:border-box">,<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">ES256K</code><span style="box-sizing:border-box">,
 and<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">EdDSA</code></li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The following is a non-normative example of RP Registration Metadata Values supported by Self-Issued OP:</span></p>
<pre style="box-sizing:border-box;overflow:auto;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51,51,51);word-break:break-all;background-color:rgb(247,247,247);border-radius:3px;letter-spacing:0.35px;border:inherit"><code style="box-sizing:border-box;background:transparent;border-radius:3px;margin:0px;display:inline;color:inherit">  {
   "authorization_endpoint":
     "openid:",
   "issuer":
     "<a href="https://self-issued.me/v2" target="_blank">https://self-issued.me/v2</a>",
   "scopes_supported":
     ["openid", "profile", "email", "address", "phone"],
   "response_types_supported":
     ["id_token"]
   "subject_types_supported":
     ["pairwise"],
   "sub_types_supported":
    ["did:peer:", "did:ion:"],
    "id_token_signing_alg_values_supported":
     ["ES256", "ES256K"],
   "request_object_signing_alg_values_supported":
     ["ES256", "ES256K"]
  }
</code></pre>
<h4 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#7431-Sub-Types" title="7431-Sub-Types" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.4.3.1.
 Sub Types</span></h4>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">A sub type is used by Self-Issued OP to advertise which types of identifiers are supported for the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>claim.
 Two types are defined by this specification:</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><br style="box-sizing:border-box">
<span style="box-sizing:border-box">JWK Thumbprint Subject sub type. When this subject sub type is used, the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>Claim
 value MUST be the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim.
 [RFC7638]</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><br style="box-sizing:border-box">
<span style="box-sizing:border-box">Decentralized sub type. This sub type MUST specify concrete Decentralized Identifier (DID) methods supported using the value of<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">Method
 Name</code><span style="box-sizing:border-box"><span> </span>in Chapter 9 of<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">did-spec-registries</span></a><span style="box-sizing:border-box">,
 such as<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did:peer:</code><span style="box-sizing:border-box">.
 When this sub type is used, the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>value
 MUST be a DID defined in [DID-CORE].</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">NOTE: Consider adding a subject type for OpenID Connect Federation entity statements.</span></p>
<h3 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#744-Relying-Party-Registration-Metadata-Error-Response" title="744-Relying-Party-Registration-Metadata-Error-Response" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.4.4.
 Relying Party Registration Metadata Error Response</span></h3>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">OpenID Connect defines the following error codes that MUST be returned when Self-Issued OP does not support all of the Relying Party Registration metadata values received from the Relying
 Party in the registration parameter:</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">value_not_supported</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">The Self-Issued OP does not support more than one of the RP Registration Metadata values defined in Section 7.4.3.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">invalid_registration_uri</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">The registration_uri in the Self-Issued OpenID Provider request returns an error or contains invalid data.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">invalid_registration_object</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">The registration parameter contains an invalid RP Registration Metadata Object.</span></li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Error response must be made in the same manner as defined in Section 3.1.2.6.</span></p>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#75-Self-Issued-OpenID-Provider-Request" title="75-Self-Issued-OpenID-Provider-Request" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.5.
 Self-Issued OpenID Provider Request</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The RP sends the Authentication Request to the Authorization Endpoint with the following parameters:</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">scope</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. scope parameter value, as specified in Section 3.1.2.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">response_type</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Constant string value id_token.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">client_id</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. RP ID value for the RP, which in this case contains the redirect_uri value of the RP.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">sub_type</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. A space seperated string denoting the URI types that the OpenID provider supports.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">id_token_hint</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. id_token_hint parameter value, as specified in Section 3.1.2. If the ID Token is encrypted to the Self-Issued OP, the sub (subject) of the signed ID Token MUST be sent as the
 kid (Key ID) of the JWE.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">claims</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. claims parameter value, as specified in Section 5.5.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">registration</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. This parameter is used by the RP to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic RP Registration, as specified
 in Section 7.2.1.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">request</span><br style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to the Self-Issued OP by the RP. In this case, the sub (subject) of a previously issued
 ID Token for this RP MUST be sent as the kid (Key ID) of the JWE.</span></li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Other parameters MAY be sent. Note that all Claims are returned in the ID Token.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The entire URL MUST NOT exceed 2048 ASCII characters.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The following is a non-normative example HTTP 302 redirect response by the RP, which triggers the User Agent to make an Authentication Request to the Self-Issued OP (with line wraps within
 values for display purposes only):</span></p>
<pre style="box-sizing:border-box;overflow:auto;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51,51,51);word-break:break-all;background-color:rgb(247,247,247);border-radius:3px;letter-spacing:0.35px;border:inherit"><code style="box-sizing:border-box;background:transparent;border-radius:3px;margin:0px;display:inline;color:inherit">  HTTP/1.1 302 Found
  Location: openid://?
    response_type=id_token
    &client_id=https%3A%2F%2Fclient.example.org%2Fcb
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile
    &identifier_uri=jwkthumb%3A%20did%3Akey%3A%20
    &state=af0ifjsldkj
    &nonce=n-0S6_WzA2Mj
    &registration=%7B%22logo_uri%22%3A%22https%3A%2F%2F
      client.example.org%2Flogo.png%22%7D
</code></pre>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#76-Self-Issued-OpenID-Provider-Response" title="76-Self-Issued-OpenID-Provider-Response" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.6.
 Self-Issued OpenID Provider Response</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Self-Issued OpenID Provider Response is returned when Self-Issued OP supports all of the Relying Party Registration metadata values received from the Relying Party in the registration
 parameter. If even one of the Relying Party Registration Metadata Values is not supported, Self-Issued OP MUST return an error according to Section 7.4.4.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">OpenID Connect defines the following claims to be included in the ID token for use in Self-Issued OpenID Provider Responses:</span></p>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">sub</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. Subject identifier value, represented by a URI. When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box">,
 the value is the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim.
 When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><span style="box-sizing:border-box">,
 the value is a decentralized identifier. The thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic
 order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member
 names crv, kty, x, and y are present in that order. Note that this thumbprint calculation is the same as that defined in the JWK Thumbprint [RFC7638] specification.</span></li></ul>
</li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">sub_jwk</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">REQUIRED. A secure binding between the subject of the verifiable credential and the subject identifier (and related keys) of the holder who creates the presentation. When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box">,
 the key is a bare key in JWK [JWK] format (not an X.509 certificate value). When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><span style="box-sizing:border-box">,
 sub_jwk MUST contain a kid that is a DID URL referring to the verification method in the Self-Issued OP’s DID Document that can be used to verify the JWS of the id_token directly or indirectly. The sub_jwk value is a JSON object. Use of the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim
 is NOT RECOMMENDED when the OP is not Self-Issued.</span></li></ul>
</li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">vp</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">OPTIONAL. A JSON object that represents a JWT verifiable presentation, following the W3C Verifiable Credentials Specification [VC-DATA-MODEL]. Verifiable Credentials must be embedded in
 the Verifiable Presentation following the W3C Verifiable Credentials Specification [VC-DATA-MODEL].</span></li></ul>
</li></ul>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Verifiable Presentation is data derived from one or more Verifiable Credentials, issued by one or more issuers, that is shared with a specific verifier. Verifiable Credential is a set
 of one or more claims made by an issuer.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Self-Issued OP may present credentials to the RP using Verifiable Presentation credential format by including it in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">vp</code><span style="box-sizing:border-box"><span> </span>claim
 inside the ID token.</span></p>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Whether the Self-Issued OP is a mobile client or a web client, response is the same as the normal Implicit Flow response with the following refinements. Since it is an Implicit Flow response,
 the response parameters will be returned in the URL fragment component, unless a different Response Mode was specified.</span></p>
<ol style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">The<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">iss</code><span style="box-sizing:border-box"><span> </span>(issuer)
 Claim Value is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit"><a href="https://self-issued.me/" target="_blank">https://self-issued.me/</a></code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">A<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim
 is present, with its value being the public key used to check the signature of the ID Token.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>(subject)
 Claim value is either the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim
 or a decentralized identifier.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">No Access Token is returned for accessing a UserInfo Endpoint, so all Claims returned MUST be in the ID Token.</span></li></ol>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#77-Self-Issued-ID-Token-Validation" title="77-Self-Issued-ID-Token-Validation" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">7.7.
 Self-Issued ID Token Validation</span></h2>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">To validate the ID Token received, the RP MUST do the following:</span></p>
<ol style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">The Relying Party (RP) MUST validate that the value of the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">iss</code><span style="box-sizing:border-box"><span> </span>(issuer)
 Claim is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit"><a href="https://self-issued.me" target="_blank">https://self-issued.me</a></code><span style="box-sizing:border-box">.
 If iss contains a different value, the ID Token is not Self-Issued, and instead it MUST be validated according to Section 3.1.3.7.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The RP MUST validate that the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">aud</code><span style="box-sizing:border-box"><span> </span>(audience)
 Claim contains the value of the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">redirect_uri</code><span style="box-sizing:border-box"><span> </span>that
 the RP sent in the Authentication Request as an audience.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The RP MUST validate the signature of the ID Token. When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box">,
 validation is done according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header, using the key in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim.
 When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><span style="box-sizing:border-box">,
 validation is done using the key derived as a result of DID Resolution as defined in [DID-CORE]. The key is a bare key in JWK format (not an X.509 certificate value) when sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box"><span> </span>or
 may be another key format when sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><span style="box-sizing:border-box">.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">Default<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">alg</code><span style="box-sizing:border-box"><span> </span>value
 is RS256. It MAY also be ES256, ES256K or EdDSA.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The RP MUST validate that the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>claim
 is bound to the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>value.
 When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">jkt</code><span style="box-sizing:border-box">,
 the RP MUST validate that the sub Claim value is the base64url encoded representation of the thumbprint of the key in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>Claim,
 as specified in Section 7.6. When sub type is<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">did</code><span style="box-sizing:border-box">,
 the RP MUST validate that the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">kid</code><span style="box-sizing:border-box"><span> </span>of
 the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub_jwk</code><span style="box-sizing:border-box"><span> </span>claim
 matches the verification method from the DID Document that is obtained by resolving the decentralized identifier included in the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">sub</code><span style="box-sizing:border-box"><span> </span>claim.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The current time MUST be before the time represented by the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">exp</code><span style="box-sizing:border-box"><span> </span>Claim
 (possibly allowing for some small leeway to account for clock skew).</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">The<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">iat</code><span style="box-sizing:border-box"><span> </span>Claim
 can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is RP specific.</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">If a<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">nonce</code><span style="box-sizing:border-box"><span> </span>value
 was sent in the Authentication Request, a<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">nonce</code><span style="box-sizing:border-box"><span> </span>Claim
 MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The RP SHOULD check the<span> </span></span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">nonce</code><span style="box-sizing:border-box"><span> </span>value
 for replay attacks. The precise method for detecting replay attacks is RP specific.</span></li></ol>
<p style="box-sizing:border-box;margin:0px 0px 16px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">The following is a non-normative example of a base64url decoded Self-Issued ID Token (with line wraps within values for display purposes only):</span></p>
<pre style="box-sizing:border-box;overflow:auto;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;display:block;padding:16px;margin:0px 0px 16px;line-height:1.45;color:rgb(51,51,51);word-break:break-all;background-color:rgb(247,247,247);border-radius:3px;letter-spacing:0.35px;border:inherit"><code style="box-sizing:border-box;background:transparent;border-radius:3px;margin:0px;display:inline;color:inherit">  {
   "iss": "https://self-issued.me",
   "sub": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
   "aud": "https://client.example.org/cb",
   "nonce": "n-0S6_WzA2Mj",
   "exp": 1311281970,
   "iat": 1311280970,
   "sub_jwk": {
     "kty":"RSA",
     "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
     4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
     tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
     QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
     SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
     w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
     "e":"AQAB"
    },
    "vp": {
     "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
     ],
     "type": ["VerifiablePresentation"],
     "verifiableCredential": ["..."]
    }
 }
</code></pre>
<h1 style="box-sizing:border-box;margin:24px 0px 16px;font-size:2em;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#Possible-Future-Work" title="Possible-Future-Work" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Possible
 Future Work</span></h1>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">Define Claims Issuance Flow</span>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">Need to define a flow for how the Self-Issued OP requests and receives claims from a Claims Provider that the Self-Issued OP can present to the RP in the Self-Issued OpenID Provider Response.</span></li></ul>
</li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">Define a flow when RP and Self-Issued OP are on the same device</span></li></ul>
<h1 style="box-sizing:border-box;margin:24px 0px 16px;font-size:2em;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#References" title="References" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">References</span></h1>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<a href="https://hackmd.io/NlVqlsfmQf6jeWqIlq8i7g?view#Normative-References" title="Normative-References" style="box-sizing:border-box;color:rgb(51,122,183);float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font:16px/1 octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Normative
 References</span></h2>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">[DID-CORE]<span> </span></span><a href="https://github.com/w3c/did-core" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://github.com/w3c/did-core</span></a><span style="box-sizing:border-box"><span> </span>(not
 yet a ratified draft)</span></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[VC-DATA-MODEL]<span> </span></span><a href="https://www.w3.org/TR/vc-data-model/" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://www.w3.org/TR/vc-data-model/</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[RFC6749]<span> </span></span><a href="https://tools.ietf.org/html/rfc6749" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://tools.ietf.org/html/rfc6749</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[RFC6750]<span> </span></span><a href="https://tools.ietf.org/html/rfc6750" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://tools.ietf.org/html/rfc6750</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[OpenID.Core]<span> </span></span><a href="https://openid.net/specs/openid-connect-core-1_0.html" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://openid.net/specs/openid-connect-core-1_0.html</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[RFC7638]<span> </span></span><a href="https://tools.ietf.org/html/rfc7638" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://tools.ietf.org/html/rfc7638</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[OpenID.Registration]<span> </span></span><a href="https://openid.net/specs/openid-connect-registration-1_0.html" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://openid.net/specs/openid-connect-registration-1_0.html</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[did-spec-registries]<span> </span></span><a href="https://w3c.github.io/did-spec-registries/#did-methods" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://w3c.github.io/did-spec-registries/#did-methods</span></a></li></ul>
<h2 style="box-sizing:border-box;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-weight:600;line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.5em;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;background-color:rgb(255,255,255)">
<span style="box-sizing:border-box">Non-Normative References</span></h2>
<ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,"Hiragino Kaku Gothic Pro","\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4  Pro W3",Osaka,Meiryo,メイリオ,"MS Gothic","\00ff2d\00ff33  \0030b4\0030b7\0030c3\0030af",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px;background-color:rgb(255,255,255)">
<li style="box-sizing:border-box">
<span style="box-sizing:border-box">[draft-jones-self_issued_identifier]<span> </span></span><a href="https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md</span></a></li><li style="box-sizing:border-box;padding-top:0.25em">
<span style="box-sizing:border-box">[siop-requirements]<span> </span></span><a href="https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md" rel="noopener" style="box-sizing:border-box;color:rgb(51,122,183)" target="_blank"><span style="box-sizing:border-box">https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md</span></a></li></ul>
<br>
</div>
<br>
</div>
</div>

_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>