<!DOCTYPE html>
<html lang="en" class="Internet-Draft">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>OpenID Provider Commands - draft 00</title>
<meta content="Dick Hardt" name="author">
<meta content="Karl McGuinness" name="author">
<meta content="
OpenID Connect defines a protocol for an end-user to use an OpenID Provider (OP) to log in to a Relying Party (RP) and assert Claims about the end-user using an ID Token. RPs will often use the identity Claims about the user to implicitly (or explicitly) establish an Account for the user at the RP
OpenID Provider Commands complements OpenID Connect by introducing a set of Commands for an OP to directly manage an end-user Account at an RP. These Commands enable an OP to activate, maintain, suspend, reactivate, archive, restore, delete, and unauthorize an end-user Account. Command Tokens build on the OpenID Connect ID Token schema and verification, simplifying adoption by RPs.
" name="description">
<meta content="xml2rfc 3.25.0" name="generator">
<meta content="security" name="keyword">
<meta content="openid" name="keyword">
<meta content="lifecycle" name="keyword">
<meta content="openid-connect-commands-1_0-10" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.25.0
Python 3.10.12
ConfigArgParse 1.7
google-i18n-address 3.1.1
intervaltree 3.1.0
Jinja2 3.1.5
lxml 5.3.0
platformdirs 4.3.6
pycountry 24.6.1
pydyf 0.9.0
PyYAML 6.0.2
requests 2.32.3
setuptools 75.7.0
wcwidth 0.2.13
weasyprint 61.2
-->
<link href="/usr/src/app/tmp/b307d42c-8bb9-496c-9350-84ed571d014f/openid-provider-commands-1_0-00.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*
NOTE: Changes at the bottom of this file overrides some earlier settings.
Once the style has stabilized and has been adopted as an official RFC style,
this can be consolidated so that style settings occur only in one place, but
for now the contents of this file consists first of the initial CSS work as
provided to the RFC Formatter (xml2rfc) work, followed by itemized and
commented changes found necessary during the development of the v3
formatters.
*/
/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
:root {
--font-sans: 'Noto Sans', Arial, Helvetica, sans-serif;
--font-serif: 'Noto Serif', 'Times', 'Times New Roman', serif;
--font-mono: 'Roboto Mono', Courier, 'Courier New', monospace;
}
@viewport {
zoom: 1.0;
}
@-ms-viewport {
width: extend-to-zoom;
zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
max-width: 90%;
margin: 1.5em auto;
color: #222;
background-color: #fff;
font-size: 14px;
font-family: var(--font-sans);
line-height: 1.6;
scroll-behavior: smooth;
overflow-wrap: break-word;
}
.ears {
display: none;
}
/* headings */
#title, h1, h2, h3, h4, h5, h6 {
margin: 1em 0 0.5em;
font-weight: bold;
line-height: 1.3;
}
#title {
clear: both;
border-bottom: 1px solid #ddd;
margin: 0 0 0.5em 0;
padding: 1em 0 0.5em;
}
.author {
padding-bottom: 4px;
}
h1 {
font-size: 26px;
margin: 1em 0;
}
h2 {
font-size: 22px;
margin-top: -20px; /* provide offset for in-page anchors */
padding-top: 33px;
}
h3 {
font-size: 18px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h4 {
font-size: 16px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h5, h6 {
font-size: 14px;
}
#n-copyright-notice {
border-bottom: 1px solid #ddd;
padding-bottom: 1em;
margin-bottom: 1em;
}
/* general structure */
p {
padding: 0;
margin: 0 0 1em 0;
text-align: left;
}
div, span {
position: relative;
}
div {
margin: 0;
}
.alignRight.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignRight.art-text pre {
padding: 0;
}
.alignRight {
margin: 1em 0;
}
.alignRight > *:first-child {
border: none;
margin: 0;
float: right;
clear: both;
}
.alignRight > *:nth-child(2) {
clear: both;
display: block;
border: none;
}
svg {
display: block;
}
svg[font-family~="serif" i], svg [font-family~="serif" i] {
font-family: var(--font-serif);
}
svg[font-family~="sans-serif" i], svg [font-family~="sans-serif" i] {
font-family: var(--font-sans);
}
svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
font-family: var(--font-mono);
}
.alignCenter.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
padding: 0;
}
.alignCenter {
margin: 1em 0;
}
.alignCenter > *:first-child {
display: table;
border: none;
margin: 0 auto;
}
/* lists */
ol, ul {
padding: 0;
margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
margin-left: 1em;
}
li {
margin: 0 0 0.25em 0;
}
.ulCompact li {
margin: 0;
}
ul.empty, .ulEmpty {
list-style-type: none;
}
ul.empty li, .ulEmpty li {
margin-top: 0.5em;
}
ul.ulBare, li.ulBare {
margin-left: 0em !important;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
line-height: 100%;
margin: 0 0 0 2em;
}
/* definition lists */
dl {
}
dl > dt {
float: left;
margin-right: 1em;
}
/*
dl.nohang > dt {
float: none;
}
*/
dl > dd {
margin-bottom: .8em;
min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
margin-bottom: 0em;
}
dl > dd > dl {
margin-top: 0.5em;
margin-bottom: 0em;
}
/* links */
a {
text-decoration: none;
}
a[href] {
color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
background-color: transparent;
cursor: default;
} */
/* Figures */
tt, code, pre {
background-color: #f9f9f9;
font-family: var(--font-mono);
}
pre {
border: 1px solid #eee;
margin: 0;
padding: 1em;
}
img {
max-width: 100%;
}
figure {
margin: 0;
}
figure blockquote {
margin: 0.8em 0.4em 0.4em;
}
figcaption {
font-style: italic;
margin: 0 0 1em 0;
}
@media screen {
pre {
overflow-x: auto;
max-width: 100%;
max-width: calc(100% - 22px);
}
}
/* aside, blockquote */
aside, blockquote {
margin-left: 0;
padding: 1.2em 2em;
}
blockquote {
background-color: #f9f9f9;
color: #111; /* Arlen: WCAG 2019 */
border: 1px solid #ddd;
border-radius: 3px;
margin: 1em 0;
}
blockquote > *:last-child {
margin-bottom: 0;
}
cite {
display: block;
text-align: right;
font-style: italic;
}
.xref {
overflow-wrap: normal;
}
/* tables */
table {
width: 100%;
margin: 0 0 1em;
border-collapse: collapse;
border: 1px solid #eee;
}
th, td {
text-align: left;
vertical-align: top;
padding: 0.5em 0.75em;
}
th {
text-align: left;
background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
background-color: #f5f5f5;
}
table caption {
font-style: italic;
margin: 0;
padding: 0;
text-align: left;
}
table p {
/* XXX to avoid bottom margin on table row signifiers. If paragraphs should
be allowed within tables more generally, it would be far better to select on a class. */
margin: 0;
}
/* pilcrow */
a.pilcrow {
color: #666; /* Arlen: AHDJ 2019 */
text-decoration: none;
visibility: hidden;
user-select: none;
-ms-user-select: none;
-o-user-select:none;
-moz-user-select: none;
-khtml-user-select: none;
-webkit-user-select: none;
-webkit-touch-callout: none;
}
@media screen {
aside:hover > a.pilcrow,
p:hover > a.pilcrow,
blockquote:hover > a.pilcrow,
div:hover > a.pilcrow,
li:hover > a.pilcrow,
pre:hover > a.pilcrow {
visibility: visible;
}
a.pilcrow:hover {
background-color: transparent;
}
}
/* misc */
hr {
border: 0;
border-top: 1px solid #eee;
}
.bcp14 {
font-variant: small-caps;
}
.role {
font-variant: all-small-caps;
}
/* info block */
#identifiers {
margin: 0;
font-size: 0.9em;
}
#identifiers dt {
width: 3em;
clear: left;
}
#identifiers dd {
float: left;
margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
#identifiers dd {
float: none;
}
}
#identifiers .authors .author {
display: inline-block;
margin-right: 1.5em;
}
#identifiers .authors .org {
font-style: italic;
}
/* The prepared/rendered info at the very bottom of the page */
.docInfo {
color: #666; /* Arlen: WCAG 2019 */
font-size: 0.9em;
font-style: italic;
margin-top: 2em;
}
.docInfo .prepared {
float: left;
}
.docInfo .prepared {
float: right;
}
/* table of contents */
#toc {
padding: 0.75em 0 2em 0;
margin-bottom: 1em;
}
nav.toc ul {
margin: 0 0.5em 0 0;
padding: 0;
list-style: none;
}
nav.toc li {
line-height: 1.3em;
margin: 0.75em 0;
padding-left: 1.2em;
text-indent: -1.2em;
}
/* references */
.references dt {
text-align: right;
font-weight: bold;
min-width: 7em;
}
.references dd {
margin-left: 8em;
overflow: auto;
}
.refInstance {
margin-bottom: 1.25em;
}
.refSubseries {
margin-bottom: 1.25em;
}
.references .ascii {
margin-bottom: 0.25em;
}
/* index */
.index ul {
margin: 0 0 0 1em;
padding: 0;
list-style: none;
}
.index ul ul {
margin: 0;
}
.index li {
margin: 0;
text-indent: -2em;
padding-left: 2em;
padding-bottom: 5px;
}
.indexIndex {
margin: 0.5em 0 1em;
}
.index a {
font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
.index ul {
-moz-column-count: 2;
-moz-column-gap: 20px;
}
.index ul ul {
-moz-column-count: 1;
-moz-column-gap: 0;
}
}
/* authors */
address.vcard {
font-style: normal;
margin: 1em 0;
}
address.vcard .nameRole {
font-weight: 700;
margin-left: 0;
}
address.vcard .label {
font-family: var(--font-sans);
margin: 0.5em 0;
}
address.vcard .type {
display: none;
}
.alternative-contact {
margin: 1.5em 0 1em;
}
hr.addr {
border-top: 1px dashed;
margin: 0;
color: #ddd;
max-width: calc(100% - 16px);
}
/* temporary notes */
.rfcEditorRemove::before {
position: absolute;
top: 0.2em;
right: 0.2em;
padding: 0.2em;
content: "The RFC Editor will remove this note";
color: #9e2a00; /* Arlen: WCAG 2019 */
background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
position: relative;
padding-top: 1.8em;
background-color: #ffd; /* Arlen: WCAG 2019 */
border-radius: 3px;
}
.cref {
background-color: #ffd; /* Arlen: WCAG 2019 */
padding: 2px 4px;
}
.crefSource {
font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
body {
padding-top: 2em;
}
#title {
padding: 1em 0;
}
h1 {
font-size: 24px;
}
h2 {
font-size: 20px;
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 38px;
}
#identifiers dd {
max-width: 60%;
}
#toc {
position: fixed;
z-index: 2;
top: 0;
right: 0;
padding: 0;
margin: 0;
background-color: inherit;
border-bottom: 1px solid #ccc;
}
#toc h2 {
margin: -1px 0 0 0;
padding: 4px 0 4px 6px;
padding-right: 1em;
min-width: 190px;
font-size: 1.1em;
text-align: right;
background-color: #444;
color: white;
cursor: pointer;
}
#toc h2::before { /* css hamburger */
float: right;
position: relative;
width: 1em;
height: 1px;
left: -164px;
margin: 6px 0 0 0;
background: white none repeat scroll 0 0;
box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
content: "";
}
#toc nav {
display: none;
padding: 0.5em 1em 1em;
overflow: auto;
height: calc(100vh - 48px);
border-left: 1px solid #ddd;
}
}
/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
body {
max-width: 724px;
margin: 42px auto;
padding-left: 1.5em;
padding-right: 29em;
}
#toc {
position: fixed;
top: 42px;
right: 42px;
width: 25%;
margin: 0;
padding: 0 1em;
z-index: 1;
}
#toc h2 {
border-top: none;
border-bottom: 1px solid #ddd;
font-size: 1em;
font-weight: normal;
margin: 0;
padding: 0.25em 1em 1em 0;
}
#toc nav {
display: block;
height: calc(90vh - 84px);
bottom: 0;
padding: 0.5em 0 0;
overflow: auto;
}
img { /* future proofing */
max-width: 100%;
height: auto;
}
}
/* pagination */
@media print {
body {
width: 100%;
}
p {
orphans: 3;
widows: 3;
}
#n-copyright-notice {
border-bottom: none;
}
#toc, #n-introduction {
page-break-before: always;
}
#toc {
border-top: none;
padding-top: 0;
}
figure, pre {
page-break-inside: avoid;
}
figure {
overflow: scroll;
}
.breakable pre {
break-inside: auto;
}
h1, h2, h3, h4, h5, h6 {
page-break-after: avoid;
}
h2+*, h3+*, h4+*, h5+*, h6+* {
page-break-before: avoid;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
font-size: 10pt;
}
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
}
/* This is commented out here, as the string-set: doesn't
pass W3C validation currently */
/*
.ears thead .left {
string-set: ears-top-left content();
}
.ears thead .center {
string-set: ears-top-center content();
}
.ears thead .right {
string-set: ears-top-right content();
}
.ears tfoot .left {
string-set: ears-bottom-left content();
}
.ears tfoot .center {
string-set: ears-bottom-center content();
}
.ears tfoot .right {
string-set: ears-bottom-right content();
}
*/
@page :first {
padding-top: 0;
@top-left {
content: normal;
border: none;
}
@top-center {
content: normal;
border: none;
}
@top-right {
content: normal;
border: none;
}
}
@page {
size: A4;
margin-bottom: 45mm;
padding-top: 20px;
/* The following is commented out here, but set appropriately by in code, as
the content depends on the document */
/*
@top-left {
content: 'Internet-Draft';
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-left {
content: string(ears-top-left);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-center {
content: string(ears-top-center);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-right {
content: string(ears-top-right);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@bottom-left {
content: string(ears-bottom-left);
vertical-align: top;
border-top: solid 1px #ccc;
}
@bottom-center {
content: string(ears-bottom-center);
vertical-align: top;
border-top: solid 1px #ccc;
}
@bottom-right {
content: '[Page ' counter(page) ']';
vertical-align: top;
border-top: solid 1px #ccc;
}
*/
}
/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
clear: both;
}
/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
vertical-align: top;
}
/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
width: 8em;
}
/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
margin-left: 1em;
}
/* Give floating toc a background color (needed when it's a div inside section */
#toc {
background-color: white;
}
/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
#toc h2 a,
#toc h2 a:link,
#toc h2 a:focus,
#toc h2 a:hover,
#toc a.toplink,
#toc a.toplink:hover {
color: white;
background-color: #444;
text-decoration: none;
}
}
/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
#toc {
padding: 0 0 1em 1em;
}
}
/* Style section numbers with more space between number and title */
.section-number {
padding-right: 0.5em;
}
/* prevent monospace from becoming overly large */
tt, code, pre {
font-size: 95%;
}
/* Fix the height/width aspect for ascii art*/
.sourcecode pre,
.art-text pre {
line-height: 1.12;
}
/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
float: right;
margin-right: 0.5em;
}
/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
float: left;
margin-right: 1em;
}
dl.dlNewline > dt {
float: none;
}
/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
text-align: left;
}
table td.text-center,
table th.text-center {
text-align: center;
}
table td.text-right,
table th.text-right {
text-align: right;
}
/* Make the alternative author contact information look less like just another
author, and group it closer with the primary author contact information */
.alternative-contact {
margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
margin: 0 0 0 2em;
}
/* With it being possible to set tables with alignment
left, center, and right, { width: 100%; } does not make sense */
table {
width: auto;
}
/* Avoid reference text that sits in a block with very wide left margin,
because of a long floating dt label.*/
.references dd {
overflow: visible;
}
/* Control caption placement */
caption {
caption-side: bottom;
}
/* Limit the width of the author address vcard, so names in right-to-left
script don't end up on the other side of the page. */
address.vcard {
max-width: 30em;
margin-right: auto;
}
/* For address alignment dependent on LTR or RTL scripts */
address div.left {
text-align: left;
}
address div.right {
text-align: right;
}
/* Provide table alignment support. We can't use the alignX classes above
since they do unwanted things with caption and other styling. */
table.right {
margin-left: auto;
margin-right: 0;
}
table.center {
margin-left: auto;
margin-right: auto;
}
table.left {
margin-left: 0;
margin-right: auto;
}
/* Give the table caption label the same styling as the figcaption */
caption a[href] {
color: #222;
}
@media print {
.toplink {
display: none;
}
/* avoid overwriting the top border line with the ToC header */
#toc {
padding-top: 1px;
}
/* Avoid page breaks inside dl and author address entries */
.vcard {
page-break-inside: avoid;
}
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
font-variant: small-caps;
font-weight: bold;
font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
h2 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 31px;
}
h3 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
h4 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
/* Float artwork pilcrow to the right */
@media screen {
.artwork a.pilcrow {
display: block;
line-height: 0.7;
margin-top: 0.15em;
}
}
/* Make pilcrows on dd visible */
@media screen {
dd:hover > a.pilcrow {
visibility: visible;
}
}
/* Make the placement of figcaption match that of a table's caption
by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
possibly even requiring a new line */
@media print {
a.pilcrow {
display: none;
}
}
/* Styling for the external metadata */
div#external-metadata {
background-color: #eee;
padding: 0.5em;
margin-bottom: 0.5em;
display: none;
}
div#internal-metadata {
padding: 0.5em; /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
clear: both;
margin: 0 0 -1em;
padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
margin-bottom: 0.25em;
min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
border-left: 1px solid #ddd;
margin: 1em 0 1em 2em;
padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
figcaption, table caption {
page-break-before: avoid;
}
}
/* Font size adjustments for print */
@media print {
body { font-size: 10pt; line-height: normal; max-width: 96%; }
h1 { font-size: 1.72em; padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
h2 { font-size: 1.44em; padding-top: 1.5em; } /* 1*1.2*1.2 */
h3 { font-size: 1.2em; padding-top: 1.5em; } /* 1*1.2 */
h4 { font-size: 1em; padding-top: 1.5em; }
h5, h6 { font-size: 1em; margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
.artwork,
.artwork > pre,
.sourcecode {
margin-bottom: 1em;
}
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: upper-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background slightly */
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
tr {
break-inside: avoid;
}
tr:nth-child(2n+1) > td {
background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
#toc nav { display: none; }
#toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
break-after: avoid-page;
break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode {
break-before: auto;
break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
break-before: auto;
break-inside: auto;
}
dt {
break-before: auto;
break-after: avoid-page;
}
dd {
break-before: avoid-page;
break-after: auto;
orphans: 3;
widows: 3
}
span.break, dd.break {
margin-bottom: 0;
min-height: 0;
break-before: auto;
break-inside: auto;
break-after: auto;
}
/* Undo break-before ToC */
@media print {
#toc {
break-before: auto;
}
}
/* Text in compact lists should not get extra bottom margin space,
since that would makes the list not compact */
ul.compact p, .ulCompact p,
ol.compact p, .olCompact p {
margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
margin-bottom: 1em; /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
backgrounds. Changed to something a bit more selective. */
tt, code {
background-color: transparent;
}
p tt, p code, li tt, li code, dt tt, dt code {
background-color: #f8f8f8;
}
/* Tweak the pre margin -- 0px doesn't come out well */
pre {
margin-top: 0.5px;
}
/* Tweak the compact list text */
ul.compact, .ulCompact,
ol.compact, .olCompact,
dl.compact, .dlCompact {
line-height: normal;
}
/* Don't add top margin for nested lists */
li > ul, li > ol, li > dl,
dd > ul, dd > ol, dd > dl,
dl > dd > dl {
margin-top: initial;
}
/* Elements that should not be rendered on the same line as a <dt> */
/* This should match the element list in writer.text.TextWriter.render_dl() */
dd > div.artwork:first-child,
dd > aside:first-child,
dd > figure:first-child,
dd > ol:first-child,
dd > div.sourcecode:first-child,
dd > table:first-child,
dd > ul:first-child {
clear: left;
}
/* fix for weird browser behaviour when <dd/> is empty */
dt+dd:empty::before{
content: "\00a0";
}
/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
li > p {
margin-bottom: 0.5em
}
/* Don't let p margin spill out from inside list items */
li > p:last-of-type:only-child {
margin-bottom: 0;
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
</head>
<body class="xml2rfc">
<script src="metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left"></td>
<td class="center">openid-provider-commands</td>
<td class="right">January 2025</td>
</tr></thead>
<tfoot><tr>
<td class="left">Hardt & McGuinness</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">OpenID Connect</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2025-01-13" class="published">13 January 2025</time>
</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
<div class="author-name">D. Hardt</div>
<div class="org">Hellō</div>
</div>
<div class="author">
<div class="author-name">K. McGuinness</div>
<div class="org">Independent</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">OpenID Provider Commands - draft 00</h1>
<section id="section-abstract">
<h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">OpenID Connect defines a protocol for an end-user to use an OpenID Provider (OP) to log in to a Relying Party (RP) and assert Claims about the end-user using an ID Token. RPs will often use the identity Claims about the user to implicitly (or explicitly) establish an Account for the user at the RP<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-abstract-2">OpenID Provider Commands complements OpenID Connect by introducing a set of Commands for an OP to directly manage an end-user Account at an RP. These Commands enable an OP to activate, maintain, suspend, reactivate, archive, restore, delete, and unauthorize an end-user Account. Command Tokens build on the OpenID Connect ID Token schema and verification, simplifying adoption by RPs.<a href="#section-abstract-2" class="pilcrow">¶</a></p>
</section>
<div id="toc">
<section id="section-toc.1">
<a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
<p id="section-toc.1-1.1.1"><a href="#section-1" class="auto internal xref">1</a>. <a href="#name-introduction" class="internal xref">Introduction</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
<p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="auto internal xref">1.1</a>. <a href="#name-requirements-notation-and-c" class="internal xref">Requirements Notation and Conventions</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.2">
<p id="section-toc.1-1.1.2.2.1" class="keepWithNext"><a href="#section-1.2" class="auto internal xref">1.2</a>. <a href="#name-terminology" class="internal xref">Terminology</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.3">
<p id="section-toc.1-1.1.2.3.1" class="keepWithNext"><a href="#section-1.3" class="auto internal xref">1.3</a>. <a href="#name-protocol-overview" class="internal xref">Protocol Overview</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.4">
<p id="section-toc.1-1.1.2.4.1"><a href="#section-1.4" class="auto internal xref">1.4</a>. <a href="#name-command-usage-overview" class="internal xref">Command Usage Overview</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
<p id="section-toc.1-1.2.1"><a href="#section-2" class="auto internal xref">2</a>. <a href="#name-command-request" class="internal xref">Command Request</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
<p id="section-toc.1-1.3.1"><a href="#section-3" class="auto internal xref">3</a>. <a href="#name-command-response" class="internal xref">Command Response</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
<p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="auto internal xref">3.1</a>. <a href="#name-invalid-request-error" class="internal xref">Invalid Request Error</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
<p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="auto internal xref">3.2</a>. <a href="#name-unrecognized-provider-error" class="internal xref">Unrecognized Provider Error</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
<p id="section-toc.1-1.3.2.3.1"><a href="#section-3.3" class="auto internal xref">3.3</a>. <a href="#name-unsupported-command-error" class="internal xref">Unsupported Command Error</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.4">
<p id="section-toc.1-1.3.2.4.1"><a href="#section-3.4" class="auto internal xref">3.4</a>. <a href="#name-server-error" class="internal xref">Server Error</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
<p id="section-toc.1-1.4.1"><a href="#section-4" class="auto internal xref">4</a>. <a href="#name-command-token" class="internal xref">Command Token</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
<p id="section-toc.1-1.5.1"><a href="#section-5" class="auto internal xref">5</a>. <a href="#name-account-commands" class="internal xref">Account Commands</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
<p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="auto internal xref">5.1</a>. <a href="#name-account-lifecycle-states" class="internal xref">Account Lifecycle States</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
<p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="auto internal xref">5.2</a>. <a href="#name-success-response" class="internal xref">Success Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
<p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="auto internal xref">5.3</a>. <a href="#name-incompatible-state-response" class="internal xref">Incompatible State Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4">
<p id="section-toc.1-1.5.2.4.1"><a href="#section-5.4" class="auto internal xref">5.4</a>. <a href="#name-activate-command" class="internal xref">Activate Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.5">
<p id="section-toc.1-1.5.2.5.1"><a href="#section-5.5" class="auto internal xref">5.5</a>. <a href="#name-maintain-command" class="internal xref">Maintain Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.6">
<p id="section-toc.1-1.5.2.6.1"><a href="#section-5.6" class="auto internal xref">5.6</a>. <a href="#name-suspend-command" class="internal xref">Suspend Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.7">
<p id="section-toc.1-1.5.2.7.1"><a href="#section-5.7" class="auto internal xref">5.7</a>. <a href="#name-reactivate-command" class="internal xref">Reactivate Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.8">
<p id="section-toc.1-1.5.2.8.1"><a href="#section-5.8" class="auto internal xref">5.8</a>. <a href="#name-archive-command" class="internal xref">Archive Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.9">
<p id="section-toc.1-1.5.2.9.1"><a href="#section-5.9" class="auto internal xref">5.9</a>. <a href="#name-restore-command" class="internal xref">Restore Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.10">
<p id="section-toc.1-1.5.2.10.1"><a href="#section-5.10" class="auto internal xref">5.10</a>. <a href="#name-delete-command" class="internal xref">Delete Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.11">
<p id="section-toc.1-1.5.2.11.1"><a href="#section-5.11" class="auto internal xref">5.11</a>. <a href="#name-unauthorize-command" class="internal xref">Unauthorize Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.12">
<p id="section-toc.1-1.5.2.12.1"><a href="#section-5.12" class="auto internal xref">5.12</a>. <a href="#name-unauthorize-functionality" class="internal xref">Unauthorize Functionality</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
<p id="section-toc.1-1.6.1"><a href="#section-6" class="auto internal xref">6</a>. <a href="#name-tenant-commands" class="internal xref">Tenant Commands</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
<p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="auto internal xref">6.1</a>. <a href="#name-metadata-command" class="internal xref">Metadata Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
<p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>. <a href="#name-metadata-response" class="internal xref">Metadata Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
<p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>. <a href="#name-streaming-request" class="internal xref">Streaming Request</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.4">
<p id="section-toc.1-1.6.2.4.1"><a href="#section-6.4" class="auto internal xref">6.4</a>. <a href="#name-streaming-response" class="internal xref">Streaming Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5">
<p id="section-toc.1-1.6.2.5.1"><a href="#section-6.5" class="auto internal xref">6.5</a>. <a href="#name-audit-tenant-command" class="internal xref">Audit Tenant Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.6">
<p id="section-toc.1-1.6.2.6.1"><a href="#section-6.6" class="auto internal xref">6.6</a>. <a href="#name-audit-tenant-response" class="internal xref">Audit Tenant Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.7">
<p id="section-toc.1-1.6.2.7.1"><a href="#section-6.7" class="auto internal xref">6.7</a>. <a href="#name-suspend-tenant-command" class="internal xref">Suspend Tenant Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.8">
<p id="section-toc.1-1.6.2.8.1"><a href="#section-6.8" class="auto internal xref">6.8</a>. <a href="#name-archive-tenant-command" class="internal xref">Archive Tenant Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9">
<p id="section-toc.1-1.6.2.9.1"><a href="#section-6.9" class="auto internal xref">6.9</a>. <a href="#name-delete-tenant-command" class="internal xref">Delete Tenant Command</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10">
<p id="section-toc.1-1.6.2.10.1"><a href="#section-6.10" class="auto internal xref">6.10</a>. <a href="#name-unauthorize-tenant-command" class="internal xref">Unauthorize Tenant Command</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
<p id="section-toc.1-1.7.1"><a href="#section-7" class="auto internal xref">7</a>. <a href="#name-extensibility" class="internal xref">Extensibility</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
<p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="auto internal xref">7.1</a>. <a href="#name-defining-new-commands" class="internal xref">Defining New Commands</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
<p id="section-toc.1-1.7.2.2.1"><a href="#section-7.2" class="auto internal xref">7.2</a>. <a href="#name-defining-new-tenant-metadat" class="internal xref">Defining New Tenant Metadata</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.3">
<p id="section-toc.1-1.7.2.3.1"><a href="#section-7.3" class="auto internal xref">7.3</a>. <a href="#name-defining-new-relying-party-" class="internal xref">Defining New Relying Party Metadata</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
<p id="section-toc.1-1.8.1"><a href="#section-8" class="auto internal xref">8</a>. <a href="#name-openid-provider-command-sup" class="internal xref">OpenID Provider Command Support</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
<p id="section-toc.1-1.9.1"><a href="#section-9" class="auto internal xref">9</a>. <a href="#name-implementation-consideratio" class="internal xref">Implementation Considerations</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
<p id="section-toc.1-1.10.1"><a href="#section-10" class="auto internal xref">10</a>. <a href="#name-security-considerations" class="internal xref">Security Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
<p id="section-toc.1-1.10.2.1.1"><a href="#section-10.1" class="auto internal xref">10.1</a>. <a href="#name-cross-jwt-confusion" class="internal xref">Cross-JWT Confusion</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
<p id="section-toc.1-1.11.1"><a href="#section-11" class="auto internal xref">11</a>. <a href="#name-privacy-considerations" class="internal xref">Privacy Considerations</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
<p id="section-toc.1-1.12.1"><a href="#section-12" class="auto internal xref">12</a>. <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.1">
<p id="section-toc.1-1.12.2.1.1"><a href="#section-12.1" class="auto internal xref">12.1</a>. <a href="#name-json-web-token-claims" class="internal xref">JSON Web Token Claims</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.1.2.1">
<p id="section-toc.1-1.12.2.1.2.1.1"><a href="#section-12.1.1" class="auto internal xref">12.1.1</a>. <a href="#name-registry-contents" class="internal xref">Registry Contents</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.2">
<p id="section-toc.1-1.12.2.2.1"><a href="#section-12.2" class="auto internal xref">12.2</a>. <a href="#name-oauth-dynamic-client-regist" class="internal xref">OAuth Dynamic Client Registration Metadata Registration</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.2.2.1">
<p id="section-toc.1-1.12.2.2.2.1.1"><a href="#section-12.2.1" class="auto internal xref">12.2.1</a>. <a href="#name-registry-contents-2" class="internal xref">Registry Contents</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.3">
<p id="section-toc.1-1.12.2.3.1"><a href="#section-12.3" class="auto internal xref">12.3</a>. <a href="#name-media-type-registration" class="internal xref">Media Type Registration</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
<p id="section-toc.1-1.13.1"><a href="#section-13" class="auto internal xref">13</a>. <a href="#name-references" class="internal xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1">
<p id="section-toc.1-1.13.2.1.1"><a href="#section-13.1" class="auto internal xref">13.1</a>. <a href="#name-normative-references" class="internal xref">Normative References</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2">
<p id="section-toc.1-1.13.2.2.1"><a href="#section-13.2" class="auto internal xref">13.2</a>. <a href="#name-informative-references" class="internal xref">Informative References</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14">
<p id="section-toc.1-1.14.1"><a href="#section-14" class="auto internal xref">14</a>. <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
<p id="section-toc.1-1.15.1"><a href="#section-15" class="auto internal xref">15</a>. <a href="#name-notices" class="internal xref">Notices</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.16">
<p id="section-toc.1-1.16.1"><a href="#section-16" class="auto internal xref">16</a>. <a href="#name-document-history" class="internal xref">Document History</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
<h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
</h2>
<blockquote id="section-1-1">
<p id="section-1-1.1"><strong>FAQ for early reviewers</strong><a href="#section-1-1.1" class="pilcrow">¶</a></p>
<p id="section-1-1.2"><strong>1. How does SCIM compare to OpenID Provider (OP) Commands?</strong><a href="#section-1-1.2" class="pilcrow">¶</a></p>
<p id="section-1-1.3">The SCIM protocol is a general purpose protocol for a client to manage resources at a server. When the SCIM protocol is used between an IdP and an RP, the schema is defined by the RP. The resources managed are in the context of the RP Tenant in a multi-tenant RP. Any extensions to the schema are defined by the RP. This provided an interoperable protocol to manage RP resources.
OpenID Provider Commands are an extension of a user Account created by OpenID Connect. It uses the same identity Claims that the OP issues for the user. It uses the same token Claims, and is verified the same way. OpenID Provider Commands are issued in the context of the OP Tenant in a multi-tenant OP.<a href="#section-1-1.3" class="pilcrow">¶</a></p>
<p id="section-1-1.4"><strong>2. How do Shared Signals / RISC compare to OpenID Provider Commands?</strong><a href="#section-1-1.4" class="pilcrow">¶</a></p>
<p id="section-1-1.5">Shared Signals and RISC are events that one party is sharing with another party. The actions a receiving party takes upon receiving a signal are intentionally not defined.
The actions taken by the RP when receiving an OpenID Provider Command is specified. This gives an OP control over the Account at the RP.<a href="#section-1-1.5" class="pilcrow">¶</a></p>
<p id="section-1-1.6"><strong>3. Are OpenID Provider Commands a replacement for SCIM, Shared Signals, or RISC?</strong><a href="#section-1-1.6" class="pilcrow">¶</a></p>
<p id="section-1-1.7">No. These standards are deployed by organizations that have complex requirements, and these standards meet there needs. Most OP / RPs do not deploy any of these standards, as the implementation complexity is not warranted. OpenID Provider Commands are designed to build on OpenID Connect, allowing RPs using OpenID Connect an easy path to offer OPs a standard API for security and lifecycle operations.<a href="#section-1-1.7" class="pilcrow">¶</a></p>
<p id="section-1-1.8"><strong>4. Why are there only groups? Why not roles and entitlements?</strong><a href="#section-1-1.8" class="pilcrow">¶</a></p>
<p id="section-1-1.9">OpenID Provider Commands are used to project the Tenant data managed centrally by the OP. Groups are
a common term used by OPs to manage a collection of Accounts. The terms roles and
entitlements tend to be RP specific. Generally, groups from the OP will be mapped to
roles and/or entitlements that are RP specific, at the RP.<a href="#section-1-1.9" class="pilcrow">¶</a></p>
</blockquote>
<p id="section-1-2">OpenID Connect 1.0 is a widely adopted identity protocol that enables client applications, known as relying parties (RPs), to verify the identity of end-users based on authentication performed by a trusted service, the OpenID Provider (OP). OpenID Connect also provides mechanisms for securely obtaining identity attributes, or Claims, about the end-user, which helps RPs tailor experiences and manage access with confidence.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">OpenID Connect not only allows an end-user to log in and authorize access to resources at an RP but may also be
used to implicitly or explicitly create an Account at the RP. However, Account creation is only the beginning of an Account's lifecycle. Throughout the lifecycle, various actions may be required to ensure data integrity, security, and regulatory compliance.<a href="#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">For example, many jurisdictions grant end-users the "right to be forgotten," enabling them to request the deletion of their Accounts and associated data. When such requests arise, OPs may need to notify RPs to fully delete the end-user's Account and remove all related data, respecting both regulatory obligations and end-user privacy preferences.<a href="#section-1-4" class="pilcrow">¶</a></p>
<p id="section-1-5">In scenarios where malicious activity is detected or suspected, OPs play a vital role in protecting end-users. They may need to instruct RPs to revoke authorization or delete Accounts created by malicious actors. This helps contain the impact of unauthorized actions and prevent further misuse of compromised Accounts.<a href="#section-1-5" class="pilcrow">¶</a></p>
<p id="section-1-6">In enterprise environments, where organizations centrally manage workforce access, OPs handle essential Account operations across various stages of the lifecycle. These operations include activating, maintaining, suspending, reactivating, archiving, restoring, and deleting Accounts to maintain security and compliance.<a href="#section-1-6" class="pilcrow">¶</a></p>
<p id="section-1-7">OpenID Provider Commands are a remote procedure call from the OP to the RP that enables OPs to manage the Account lifecycle, building upon the existing OP / RP relationship to cover the full spectrum of Account management requirements.<a href="#section-1-7" class="pilcrow">¶</a></p>
<div id="requirements-notation-and-conventions">
<section id="section-1.1">
<h3 id="name-requirements-notation-and-c">
<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-requirements-notation-and-c" class="section-name selfRef">Requirements Notation and Conventions</a>
</h3>
<p id="section-1.1-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in {{RFC2119}}.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
<p id="section-1.1-2">The key word "PROHIBITED" is to be interpreted as "MUST NOT".<a href="#section-1.1-2" class="pilcrow">¶</a></p>
<p id="section-1.1-3">In the .txt version of this specification,
values are quoted to indicate that they are to be taken literally.
When using these values in protocol messages,
the quotes MUST NOT be used as part of the value.
In the HTML version of this specification,
values to be taken literally are indicated by
the use of <em>this fixed-width font</em>.<a href="#section-1.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="terminology">
<section id="section-1.2">
<h3 id="name-terminology">
<a href="#section-1.2" class="section-number selfRef">1.2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
</h3>
<p id="section-1.2-1">This specification defines the following terms:<a href="#section-1.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-1.2-2.1">
<p id="section-1.2-2.1.1"><strong>Account</strong>: The Claims about a user in the RPs identity register.<a href="#section-1.2-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-1.2-2.2">
<p id="section-1.2-2.2.1"><strong>Command</strong>: An instruction from an OP to an RP. It is a synchronous request and response.<a href="#section-1.2-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-1.2-2.3">
<p id="section-1.2-2.3.1"><strong>Command Token</strong>: A JSON Web Token (JWT) signed by the OP that contains Claims about the Command being issued.<a href="#section-1.2-2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-1.2-2.4">
<p id="section-1.2-2.4.1"><strong>Commands URI</strong>: The URL at the RP where OPs post Command Tokens.<a href="#section-1.2-2.4.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-1.2-2.5">
<p id="section-1.2-2.5.1"><strong>Tenant</strong>: A logically isolated entity within an OP that represents a distinct organizational or administrative boundary. An OP may have a single Tenant, or multiple Tenants. The Tenant may contain Accounts managed by individuals, or may contain Accounts managed by an organization.<a href="#section-1.2-2.5.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="protocol-overview">
<section id="section-1.3">
<h3 id="name-protocol-overview">
<a href="#section-1.3" class="section-number selfRef">1.3. </a><a href="#name-protocol-overview" class="section-name selfRef">Protocol Overview</a>
</h3>
<p id="section-1.3-1">This specification defines a Command Request containing a Command Token sent from the OP to the RP, and a Command Response returned from the RP to the OP.<a href="#section-1.3-1" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-1.3-2">
<pre>+------+ Command request +------+
| |---- Command Token ---->| |
| OP | | RP |
| |<-----------------------| |
+------+ Command response +------+
</pre><a href="#section-1.3-2" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="command-usage-overview">
<section id="section-1.4">
<h3 id="name-command-usage-overview">
<a href="#section-1.4" class="section-number selfRef">1.4. </a><a href="#name-command-usage-overview" class="section-name selfRef">Command Usage Overview</a>
</h3>
<p id="section-1.4-1">An OP will typically send a Metadata Command at the start of the relationship between a Tenant and an RP to share the OP's capabilities and metadata and to learn the Commands an RP supports, and other RP metadata. The OP will typically send the Metadata Command when there is a change in the OP capabilities or metadata, and periodically to learn of any RP changes. The OP may use the response from the Metadata Command to determine if the RP supports functionality required by the Tenant before issuing ID Tokens or Activate Commands to the RP.<a href="#section-1.4-1" class="pilcrow">¶</a></p>
<p id="section-1.4-2">If the RP supports any Account Commands, the OP will send supported Account Commands to synchronize the state of Accounts at the RP with the state at the Tenant. If the RP supports Account Commands, the RP should also support the Audit Tenant Command. The OP will typically send an Audit Tenant Command at the start of the Tenant and RP relationship, and then periodically, to learn the state of the Tenant's Accounts at the RP and correct any drift between the Account state at the Tenant and the RP.<a href="#section-1.4-2" class="pilcrow">¶</a></p>
<p id="section-1.4-3">If the RP supports the Unauthorize Command, the OP will send the Unauthorize Command if the OP suspects an Account has been taken over by a malicious actor.<a href="#section-1.4-3" class="pilcrow">¶</a></p>
<p id="section-1.4-4">A Tenant with Accounts managed by individuals will typically only support the Metadata, Unauthorize, and Delete Commands.<a href="#section-1.4-4" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="command-request">
<section id="section-2">
<h2 id="name-command-request">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-command-request" class="section-name selfRef">Command Request</a>
</h2>
<p id="section-2-1">The OP uses an HTTP POST to the registered Commands URI
to send Account Commands to the RP. The POST body uses the
<code>application/x-www-form-urlencoded</code> encoding
and must include a <code>command_token</code> parameter
containing a Command Token from the OP for the RP.<a href="#section-2-1" class="pilcrow">¶</a></p>
<p id="section-2-2">The POST body MAY contain other values in addition to
<code>command_token</code>.
Values that are not understood by the implementation MUST be ignored.<a href="#section-2-2" class="pilcrow">¶</a></p>
<p id="section-2-3">The following is a non-normative example of such a Command request
(with most of the Command Token contents omitted for brevity):<a href="#section-2-3" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-2-4">
<pre>POST /commands HTTP/1.1
Host: rp.example.net
Content-Type: application/x-www-form-urlencoded
command_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
</pre><a href="#section-2-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="command-response">
<section id="section-3">
<h2 id="name-command-response">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-command-response" class="section-name selfRef">Command Response</a>
</h2>
<p id="section-3-1">If the Command succeeded, the RP MUST respond with HTTP 200 OK.
However, note that some Web frameworks will substitute an HTTP 204 No Content response
for an HTTP 200 OK when the HTTP body is empty.
Therefore, OPs should be prepared to also process an HTTP 204 No Content response as a successful response.<a href="#section-3-1" class="pilcrow">¶</a></p>
<p id="section-3-2">The RP's response MUST include the Cache-Control HTTP response header field with a no-store value, keeping the response from being cached to prevent cached responses from interfering with future Command requests. An example of this is:<a href="#section-3-2" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-3-3">
<pre>Cache-Control: no-store
</pre><a href="#section-3-3" class="pilcrow">¶</a>
</div>
<p id="section-3-4">If there is a response body, it MUST be JSON and use the <code>application/json</code> media type.<a href="#section-3-4" class="pilcrow">¶</a></p>
<p id="section-3-5">If the request is not valid, the RP MUST return an <code>error</code> parameter, and may include a <code>error_description</code> parameter.
Note that the information conveyed in an error response is intended to help debug deployments;
it is not intended that implementations use different <code>error</code> values
to trigger different runtime behaviors.<a href="#section-3-5" class="pilcrow">¶</a></p>
<div id="invalid-request-error">
<section id="section-3.1">
<h3 id="name-invalid-request-error">
<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-invalid-request-error" class="section-name selfRef">Invalid Request Error</a>
</h3>
<p id="section-3.1-1">If there was a problem with the syntax of the Command request, or the Command Token was invalid, the RP MUST return an HTTP 400 Bad Request and include the <code>error</code> parameter with a value of <code>invalid_request</code>.<a href="#section-3.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="unrecognized-provider-error">
<section id="section-3.2">
<h3 id="name-unrecognized-provider-error">
<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-unrecognized-provider-error" class="section-name selfRef">Unrecognized Provider Error</a>
</h3>
<p id="section-3.2-1">If the RP does not recognize the OP identified by the <code>iss</code> value in the Command token, the RP MUST return an HTTP 401 Unauthorized response and include the <code>error</code> parameter with the value of <code>unrecognized_provider</code>.<a href="#section-3.2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="unsupported-command-error">
<section id="section-3.3">
<h3 id="name-unsupported-command-error">
<a href="#section-3.3" class="section-number selfRef">3.3. </a><a href="#name-unsupported-command-error" class="section-name selfRef">Unsupported Command Error</a>
</h3>
<p id="section-3.3-1">If the RP does not support the Command requested, the RP MUST return an HTTP 400 Bad Request and include the <code>error</code> parameter with the value of <code>unsupported_command</code>.<a href="#section-3.3-1" class="pilcrow">¶</a></p>
<p id="section-3.3-2">Note that the RP may support Commands for some OPs, and not others, and for some Tenants, and not others.<a href="#section-3.3-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="server-error">
<section id="section-3.4">
<h3 id="name-server-error">
<a href="#section-3.4" class="section-number selfRef">3.4. </a><a href="#name-server-error" class="section-name selfRef">Server Error</a>
</h3>
<p id="section-3.4-1">If the RP is unable to process a valid request, the RP MUST respond with a 5xx Server Error status code as defined in RFC 9110 section 15.6.<a href="#section-3.4-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="command-token">
<section id="section-4">
<h2 id="name-command-token">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-command-token" class="section-name selfRef">Command Token</a>
</h2>
<p id="section-4-1">OPs send a JWT similar to an ID Token to RPs called a Command Token
to issue Commands. ID Tokens are defined in Section 2 of {{OpenID.Core}}.<a href="#section-4-1" class="pilcrow">¶</a></p>
<p id="section-4-2">The following Claims are used within the Command Token:<a href="#section-4-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-3.1">
<p id="section-4-3.1.1"><strong>iss</strong><br>
REQUIRED.<br>
Issuer Identifier, as specified in Section 2 of {{OpenID.Core}}.<a href="#section-4-3.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-3.2">
<p id="section-4-3.2.1"><strong>sub</strong><br>
REQUIRED for Account Commands.<br>
PROHIBITED for Tenant Commands.<a href="#section-4-3.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
<p id="section-4-4">Subject Identifier, as specified in Section 2 of {{OpenID.Core}}.<a href="#section-4-4" class="pilcrow">¶</a></p>
<p id="section-4-5">The combination of the <code>iss</code> and <code>sub</code> Claim uniquely identifies the Account for the Command.<a href="#section-4-5" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-6.1">
<p id="section-4-6.1.1"><strong>aud</strong><br>
REQUIRED.<br>
Audience(s), as specified in Section 2 of {{OpenID.Core}}.<a href="#section-4-6.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-6.2">
<p id="section-4-6.2.1"><strong>iat</strong><br>
REQUIRED.<br>
Issued at time, as specified in Section 2 of {{OpenID.Core}}.<a href="#section-4-6.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-6.3">
<p id="section-4-6.3.1"><strong>exp</strong><br>
REQUIRED.<br>
Expiration time, as specified in Section 2 of {{OpenID.Core}}.<a href="#section-4-6.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-6.4">
<p id="section-4-6.4.1"><strong>jti</strong><br>
REQUIRED.<br>
Unique identifier for the token, as specified in Section 9 of {{OpenID.Core}}.<a href="#section-4-6.4.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-6.5">
<p id="section-4-6.5.1"><strong>command</strong><br>
REQUIRED.<br>
A JSON string. The Command for the RP to execute. See <a href="#account-commands">Account Commands</a> and <a href="#tenant-commands">Tenant Commands</a> for standard values defined in this document. Other specifications may define additional values as described in <a href="#defining-new-commands">Extensibility</a>.<a href="#section-4-6.5.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-4-6.6">
<p id="section-4-6.6.1"><strong>tenant</strong><br>
REQUIRED.<br>
A JSON string. The Tenant identifier. MAY have the value <code>personal</code>, <code>organization</code> or a stable OP unique value for multi-tenant OPs. The <code>personal</code> value is reserved for when Accounts are managed by individuals. The <code>organization</code> value is reserved for Accounts are managed by an organization.<a href="#section-4-6.6.1" class="pilcrow">¶</a></p>
</li>
</ul>
<p id="section-4-7">The combination of <code>iss</code> and <code>tenant</code> uniquely identifies a Tenant.<a href="#section-4-7" class="pilcrow">¶</a></p>
<p id="section-4-8">Commands may define additional REQUIRED or OPTIONAL Claims.
An OP MAY include additional Claims. Any Claims that are not understood by the RP MUST be ignored.<a href="#section-4-8" class="pilcrow">¶</a></p>
<p id="section-4-9">The following Claim MUST NOT be used within the Command Token:<a href="#section-4-9" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4-10.1">
<strong>nonce</strong><br>
PROHIBITED.<br>
A <code>nonce</code> Claim MUST NOT be present.
Its use is prohibited to prevent misuse of the Command Token. See <a href="#cross-jwt-confusion">Cross-JWT Confusion</a> for details.<a href="#section-4-10.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4-11">A Command Token MUST be signed.
The same keys an OP uses to sign ID Tokens are used to sign Command Tokens, allowing key discovery using the same mechanism used for ID Tokens.<a href="#section-4-11" class="pilcrow">¶</a></p>
<p id="section-4-12">Command Tokens MUST be explicitly typed.
This is accomplished by including a <code>typ</code> (type) Header Parameter
with a value of <code>command+jwt</code> in the Command Token.
See <a href="#security-considerations">Security Considerations</a> for a discussion of the security and interoperability considerations
of using explicit typing.<a href="#section-4-12" class="pilcrow">¶</a></p>
<blockquote id="section-4-13">
<p id="section-4-13.1">Add example of JWT header to show "typ":"command+jwt"?<a href="#section-4-13.1" class="pilcrow">¶</a></p>
</blockquote>
<p id="section-4-14">A non-normative example JWT Claims Set for the Command Token for an Activate Command follows:<a href="#section-4-14" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-4-15">
<pre>{
"iss": "https://op.example.org",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1734003000,
"exp": 1734003060,
"jti": "bWJq",
"command": "activate",
"given_name": "Jane",
"family_name": "Smith",
"email": "jane.smith@example.org",
"email_verified": true,
"tenant": "ff6e7c9",
"groups": [
"b0f4861d",
"88799417"
]
}
</pre><a href="#section-4-15" class="pilcrow">¶</a>
</div>
<p id="section-4-16">A non-normative example JWT Claims Set for the Command Token for an Unauthorize Command follows:<a href="#section-4-16" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-4-17">
<pre>{
"iss": "https://op.example.org",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"iat": 1734004000,
"exp": 1734004060,
"jti": "bWJr",
"command": "unauthorize",
}
</pre><a href="#section-4-17" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="account-commands">
<section id="section-5">
<h2 id="name-account-commands">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-account-commands" class="section-name selfRef">Account Commands</a>
</h2>
<p id="section-5-1">Account Commands that operate on an Account. Support for any Account Command is OPTIONAL. Account Commands are executed on an RP Account identified by the <code>iss</code> and <code>sub</code> Claims in a Command Token. Account Commands include Lifecycle Commands and the Unauthorize Command.<a href="#section-5-1" class="pilcrow">¶</a></p>
<div id="account-lifecycle-states">
<section id="section-5.1">
<h3 id="name-account-lifecycle-states">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-account-lifecycle-states" class="section-name selfRef">Account Lifecycle States</a>
</h3>
<p id="section-5.1-1">Lifecycle Commands are defined for each transition defined in ISO 24760-1 (2019-05 edition), Section 7.2 for Accounts in an RP's identity register as defined in {{ISO}} 3.4.5.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<p id="section-5.1-2">Lifecycle Commands transition the Account between the following states:<a href="#section-5.1-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-3.1">
<p id="section-5.1-3.1.1"><strong>unknown</strong><a href="#section-5.1-3.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-5.1-3.2">
<p id="section-5.1-3.2.1"><strong>active</strong><a href="#section-5.1-3.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-5.1-3.3">
<p id="section-5.1-3.3.1"><strong>suspended</strong><a href="#section-5.1-3.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-5.1-3.4">
<p id="section-5.1-3.4.1"><strong>archived</strong><a href="#section-5.1-3.4.1" class="pilcrow">¶</a></p>
</li>
</ul>
<p id="section-5.1-4">Following are the potential state transitions:<a href="#section-5.1-4" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-5.1-5">
<pre> +--------------------------------------- reactivate ---+
| +--- maintain --+ |
| | | |
+---------+ | | +--------+ | +-----------+ |
| | | +-> | | -+ | | -+
| unknown | + ---> | active | -------- suspend ---> | suspended | --------+
| | --- activate --> | | ----+ | | -+ |
+---------+ +-> | | -+ | +-----------+ | |
^ ^ ^ | +--------+ | | | |
| | | | | | +------ archive† ---+ |
| | | | | | | |
| | | | | | | +-----------+ |
| | | | | | +---> | | ----+ |
| | | | | +--- archive ----> | archived | -+ | |
| | | | | | | | | |
| | | | | +-----------+ | | |
| | | | | | | |
| | | +---------------|----------------------- restore ----+ | |
| | | | | |
| | +--------------------- delete ---+ | |
| +------------------------ delete -------------------------------------------+ |
+--------------------------- delete ----------------------------------------------+
</pre><a href="#section-5.1-5" class="pilcrow">¶</a>
</div>
<p id="section-5.1-6">†The transition from <strong>suspended</strong> to <strong>archived</strong> is an extension to the ISO standard.<a href="#section-5.1-6" class="pilcrow">¶</a></p>
</section>
</div>
<div id="success-response">
<section id="section-5.2">
<h3 id="name-success-response">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-success-response" class="section-name selfRef">Success Response</a>
</h3>
<p id="section-5.2-1">When an RP successful processes an Account Command, the RP returns an HTTP 200 Ok and a JSON object containing <code>account_state</code> set to the state of the Account after processing.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2-2">Following is a non-normative response to a successful Activate Command:<a href="#section-5.2-2" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-5.2-3">
<pre>{
"account_state": "active"
}
</pre><a href="#section-5.2-3" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="incompatible-state-response">
<section id="section-5.3">
<h3 id="name-incompatible-state-response">
<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-incompatible-state-response" class="section-name selfRef">Incompatible State Response</a>
</h3>
<p id="section-5.3-1">If the Account is in an incompatible state in the identity register for the Account Command, the RP returns an HTTP 409 Conflict and a JSON object containing:<a href="#section-5.3-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-5.3-2.1">
<strong>account_state</strong> where the value is the current state of the Account in the identity register<a href="#section-5.3-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-5.3-2.2">
<strong>error</strong> set to the value <code>incompatible_state</code><a href="#section-5.3-2.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-5.3-3">Following is a non-normative response to a unsuccessful Restore Command where the Account was in the <strong>suspended</strong> state:<a href="#section-5.3-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-5.3-4">
<pre>{
"account_state": "suspended",
"error": "incompatible_state"
}
</pre><a href="#section-5.3-4" class="pilcrow">¶</a>
</div>
<p id="section-5.3-5">Note that if an Activate Command is sent for an Account that exists, or one of the other Commands are sent for an Account that does not exist,
the Account is incompatible state.<a href="#section-5.3-5" class="pilcrow">¶</a></p>
<p id="section-5.3-6">Following is a non-normative response to an unsuccessful Activate Command for an existing Account in the <strong>active</strong> state:<a href="#section-5.3-6" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-5.3-7">
<pre>{
"account_state": "active",
"error": "incompatible_state"
}
</pre><a href="#section-5.3-7" class="pilcrow">¶</a>
</div>
<p id="section-5.3-8">Following is a non-normative response to an unsuccessful Maintain Command for a non-existing Account:<a href="#section-5.3-8" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-5.3-9">
<pre>{
"account_state": "unknown",
"error": "incompatible_state"
}
</pre><a href="#section-5.3-9" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="activate-command">
<section id="section-5.4">
<h3 id="name-activate-command">
<a href="#section-5.4" class="section-number selfRef">5.4. </a><a href="#name-activate-command" class="section-name selfRef">Activate Command</a>
</h3>
<p id="section-5.4-1">Identified by the <code>activate</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.4-1" class="pilcrow">¶</a></p>
<p id="section-5.4-2">The RP MUST create an Account with the included Claims in the identity register. The Account MUST be in the <strong>unknown</strong> state. The Account is in the <strong>active</strong> state after successful processing.<a href="#section-5.4-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="maintain-command">
<section id="section-5.5">
<h3 id="name-maintain-command">
<a href="#section-5.5" class="section-number selfRef">5.5. </a><a href="#name-maintain-command" class="section-name selfRef">Maintain Command</a>
</h3>
<p id="section-5.5-1">Identified by the <code>maintain</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.5-1" class="pilcrow">¶</a></p>
<p id="section-5.5-2">The RP MUST update an existing Account in the identity register with the included Claims. The Account MUST be in the <strong>active</strong> state. The Account remains in the <strong>active</strong> state after successful processing.<a href="#section-5.5-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="suspend-command">
<section id="section-5.6">
<h3 id="name-suspend-command">
<a href="#section-5.6" class="section-number selfRef">5.6. </a><a href="#name-suspend-command" class="section-name selfRef">Suspend Command</a>
</h3>
<p id="section-5.6-1">Identified by the <code>suspend</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.6-1" class="pilcrow">¶</a></p>
<p id="section-5.6-2">The RP MUST perform the <a href="#unauthorize-functionality">Unauthorize Functionality</a> on the Account and mark the Account as being temporarily unavailable in the identity register. The Account MUST be in the <strong>active</strong> state. The Account is in the <strong>suspended</strong> state after successful processing.<a href="#section-5.6-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="reactivate-command">
<section id="section-5.7">
<h3 id="name-reactivate-command">
<a href="#section-5.7" class="section-number selfRef">5.7. </a><a href="#name-reactivate-command" class="section-name selfRef">Reactivate Command</a>
</h3>
<p id="section-5.7-1">Identified by the <code>reactivate</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.7-1" class="pilcrow">¶</a></p>
<p id="section-5.7-2">The RP MUST mark a suspended Account as being active in the identity register. The Account MUST be in the <strong>suspended</strong> state. The Account is in the <strong>active</strong> state after successful processing. The RP SHOULD support the Reactivate Command if it supports the Suspend Command.<a href="#section-5.7-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="archive-command">
<section id="section-5.8">
<h3 id="name-archive-command">
<a href="#section-5.8" class="section-number selfRef">5.8. </a><a href="#name-archive-command" class="section-name selfRef">Archive Command</a>
</h3>
<p id="section-5.8-1">Identified by the <code>archive</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.8-1" class="pilcrow">¶</a></p>
<p id="section-5.8-2">The RP MUST perform the <a href="#unauthorize-functionality">Unauthorize Functionality</a> on the Account and remove the Account from the identity register. The Account MUST be in either the <strong>active</strong> or <strong>suspended</strong> state. The Account is in the <strong>archived</strong> state after successful processing.<a href="#section-5.8-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="restore-command">
<section id="section-5.9">
<h3 id="name-restore-command">
<a href="#section-5.9" class="section-number selfRef">5.9. </a><a href="#name-restore-command" class="section-name selfRef">Restore Command</a>
</h3>
<p id="section-5.9-1">Identified by the <code>restore</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.9-1" class="pilcrow">¶</a></p>
<p id="section-5.9-2">The RP MUST restore an archived Account to the identity register and mark it as being active. The Account MUST be in the <strong>archived</strong> state. The Account is in the <strong>active</strong> state after successful processing. The RP SHOULD support the Restore Command if it suppSs the chA Comma.<a href="#section-5.9-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="delete-command">
<section id="section-5.10">
<h3 id="name-delete-command">
<a href="#section-5.10" class="section-number selfRef">5.10. </a><a href="#name-delete-command" class="section-name selfRef">Delete Command</a>
</h3>
<p id="section-5.10-1">Identified by the <code>delete</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.10-1" class="pilcrow">¶</a></p>
<p id="section-5.10-2">The RP MUST perform the <a href="#unauthorize-functionality">Unauthorize Functionality</a> on the Account, and delete all data associated with an Account. The Account can be in any state except <strong>unknown</strong>. The Account is in the <strong>unknown</strong> state after successful processing.<a href="#section-5.10-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="unauthorize-command">
<section id="section-5.11">
<h3 id="name-unauthorize-command">
<a href="#section-5.11" class="section-number selfRef">5.11. </a><a href="#name-unauthorize-command" class="section-name selfRef">Unauthorize Command</a>
</h3>
<p id="section-5.11-1">Identified by the <code>unauthorize</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-5.11-1" class="pilcrow">¶</a></p>
<p id="section-5.11-2">The RP MUST perform the <a href="#unauthorize-functionality">Unauthorize Functionality</a> on the Account.
The OP sends this Command when it wants the RP to undo the last OpenID Connect login. The OP may send this when it suspects a previous OpenID Connect ID Token issued by the OP was granted to a malicious actor, or if the user's device was compromised.<a href="#section-5.11-2" class="pilcrow">¶</a></p>
<p id="section-5.11-3">The Account MUST be in the <strong>active</strong> state, and remains in the <strong>active</strong> state after executing the Command. If the Account is in any other state, the RP MUST return an <a href="#incompatible-state-response">Incompatible State Response</a>.<a href="#section-5.11-3" class="pilcrow">¶</a></p>
<p id="section-5.11-4">The functionality of the Unauthorize Command is also performed by Suspend, Archive, and Delete Commands to ensure an Account in the <strong>suspended</strong>, <strong>archived</strong>, and <strong>unknown</strong> state no longer has access to resources.<a href="#section-5.11-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="unauthorize-functionality">
<section id="section-5.12">
<h3 id="name-unauthorize-functionality">
<a href="#section-5.12" class="section-number selfRef">5.12. </a><a href="#name-unauthorize-functionality" class="section-name selfRef">Unauthorize Functionality</a>
</h3>
<p id="section-5.12-1">The RP MUST revoke all active sessions and MUST reverse all authorization that may have been granted to applications, including <code>offline_access</code>, for Account resources identified by the <code>sub</code>.<a href="#section-5.12-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="tenant-commands">
<section id="section-6">
<h2 id="name-tenant-commands">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-tenant-commands" class="section-name selfRef">Tenant Commands</a>
</h2>
<p id="section-6-1">Tenant Commands are executed in the context of a Tenant. The RP MUST support the Metadata Command. Support for other Tenant Commands is optional. Command Tokens for Tenant Commands MUST contain the <code>tenant</code> Claim, and are PROHIBITED from containing the <code>sub</code> Claim.<a href="#section-6-1" class="pilcrow">¶</a></p>
<div id="metadata-command">
<section id="section-6.1">
<h3 id="name-metadata-command">
<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-metadata-command" class="section-name selfRef">Metadata Command</a>
</h3>
<p id="section-6.1-1">Identified by the <code>metadata</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-6.1-1" class="pilcrow">¶</a></p>
<p id="section-6.1-2">The OP sends this Command to exchange metadata with the RP. The OP sends its metadata in the Command Request, and the RP sends its metadata in the Command Response.<a href="#section-6.1-2" class="pilcrow">¶</a></p>
<p id="section-6.1-3">The OP sends this Command to inform the RP of any domains or groups for a Tenant, and any other Tenant metadata the OP wants to share with the RP.<a href="#section-6.1-3" class="pilcrow">¶</a></p>
<p id="section-6.1-4">A Metadata Command replaces any previous metadata provided by the OP to the RP in the Command Request, and any metadata provided by the RP to the OP in the Command Response.<a href="#section-6.1-4" class="pilcrow">¶</a></p>
<p id="section-6.1-5">The Claims set in a Metadata Command Token MUST include the following claim:<a href="#section-6.1-5" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-6.1-6.1">
<p id="section-6.1-6.1.1"><strong>metadata</strong>
REQUIRED.
A JSON object that MAY include the following Claims:<a href="#section-6.1-6.1.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-6.1-6.1.2.1">
<p id="section-6.1-6.1.2.1.1"><strong>domains</strong>
OPTIONAL.
A JSON array of one or more domain names the OP has verified the Tenant controls.<a href="#section-6.1-6.1.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-6.1-6.1.2.2">
<p id="section-6.1-6.1.2.2.1"><strong>groups</strong>
OPTIONAL.
A JSON array of objects that MUST contain:<a href="#section-6.1-6.1.2.2.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-6.1-6.1.2.2.2.1">
<p id="section-6.1-6.1.2.2.2.1.1"><strong>id</strong>
REQUIRED.
The OP unique value for the group.<a href="#section-6.1-6.1.2.2.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-6.1-6.1.2.2.2.2">
<p id="section-6.1-6.1.2.2.2.2.1"><strong>display</strong>
REQUIRED.
The Tenant unique human readable name for the group.<a href="#section-6.1-6.1.2.2.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p id="section-6.1-7">The OP sends the <code>domains</code> array for the RP to link any data the RP has to the OP Tenant.<a href="#section-6.1-7" class="pilcrow">¶</a></p>
<p id="section-6.1-8">The OP sends the <code>groups</code> array to provide the display value for each identifier that the OP MAY include in a <code>groups</code> Claim in an ID Token or a Command Token for the Activate and Maintain Commands. This allows an admin at the RP to map centrally managed <code>groups</code> from an OP to roles or entitlements at an RP.<a href="#section-6.1-8" class="pilcrow">¶</a></p>
<p id="section-6.1-9">The OP MAY include any other metadata in the <code>metadata</code> Claim, including metadata defined in OAuth Authorization Server Metadata. <strong>add reference</strong><a href="#section-6.1-9" class="pilcrow">¶</a></p>
<p id="section-6.1-10">Following is a non-normative example of a Claim set in a Command Token for the Metadata Command:<a href="#section-6.1-10" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-6.1-11">
<pre>{
"iss": "https://op.example.org",
"aud": "s6BhdRkqt3",
"iat": 1734006000,
"exp": 1734006060,
"jti": "bWJt",
"command": "metadata",
"tenant": "ff6e7c96",
"metadata": {
"groups": [
{
"id": "b0f4861d",
"display": "Administrators"
},
{
"id": "88799417",
"display": "Finance"
}
],
"domains": ["example.com"],
"claims_supported": [
"sub",
"email",
"email_verified",
"name",
"given_name",
"family_name",
"groups"
]
}
}
</pre><a href="#section-6.1-11" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="metadata-response">
<section id="section-6.2">
<h3 id="name-metadata-response">
<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-metadata-response" class="section-name selfRef">Metadata Response</a>
</h3>
<p id="section-6.2-1">If the Command Token is valid, the RP responds with an <code>application/json</code> media type that MUST include:<a href="#section-6.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-6.2-2.1">
<p id="section-6.2-2.1.1"><strong>context</strong>: a JSON object.<a href="#section-6.2-2.1.1" class="pilcrow">¶</a></p>
<ul class="compact normal">
<li class="compact normal" id="section-6.2-2.1.2.1">
<strong>iss</strong>
REQUIRED. the <code>iss</code> value from the Command Token.<a href="#section-6.2-2.1.2.1" class="pilcrow">¶</a>
</li>
<li class="compact normal" id="section-6.2-2.1.2.2">
<strong>tenant</strong>
REQUIRED. the <code>tenant</code> value from the Command Token.<a href="#section-6.2-2.1.2.2" class="pilcrow">¶</a>
</li>
</ul>
</li>
<li class="normal" id="section-6.2-2.2">
<p id="section-6.2-2.2.1"><strong>commands_supported</strong>: a JSON array of Commands the RP supports. The <code>metadata</code> value MUST be included.<a href="#section-6.2-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-6.2-2.3">
<p id="section-6.2-2.3.1"><strong>commands_uri</strong>: the RP's Commands URI. This is the URL the Command Token was sent to.<a href="#section-6.2-2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-6.2-2.4">
<p id="section-6.2-2.4.1"><strong>describe_ttl</strong>: the time in seconds the Command Response to the Metadata Command is valid for.<a href="#section-6.2-2.4.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-6.2-2.5">
<p id="section-6.2-2.5.1"><strong>client_id</strong>: the <code>client_id</code> for the RP.<a href="#section-6.2-2.5.1" class="pilcrow">¶</a></p>
</li>
</ul>
<p id="section-6.2-3">The response MAY also include any OAuth Dynamic Client Registration Metadata <em>TBD <a href="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata">IANA reference</a></em><a href="#section-6.2-3" class="pilcrow">¶</a></p>
<p id="section-6.2-4">The RP MAY provide a different response for different <strong>iss</strong> Claim values, and for different <code>tenant</code> Claim values.<a href="#section-6.2-4" class="pilcrow">¶</a></p>
<p id="section-6.2-5">Following is a non-normative example of Command Response for a Metadata Command:<a href="#section-6.2-5" class="pilcrow">¶</a></p>
<blockquote id="section-6.2-6">
<p id="section-6.2-6.1">NOTE: we want to include the <code>iss</code> and <code>tenant</code> from the Metadata Command in the Command Response so the OP knows the response from the RP
is really for the correct <code>iss</code> and <code>tenant</code>. We don't want the OP <code>iss</code> at the top level as that would
cause confusion if the Command Response is signed in the future since the <code>iss</code> then would be the RP<a href="#section-6.2-6.1" class="pilcrow">¶</a></p>
</blockquote>
<div class="lang-json sourcecode" id="section-6.2-7">
<pre>{
"context": {
"iss": "https://op.example.org",
"tenant":"73849284748493"
},
"commands_uri": "https://rp.example.net/commands",
"commands_supported":[
"describe",
"unauthorize",
"suspend",
"reactivate",
"delete",
"audit"
],
"commands_ttl": 86400,
"claims_supported": [
"sub",
"email",
"email_verified",
"name",
"groups"
],
"client_id": "s6BhdRkqt3",
"client_name": "Example RP",
"logo_uri": "https://rp.example.net/logo.png",
"policy_uri": "https://rp.example.net/privacy-policy.html",
"tos_uri": "https://rp.example.net/terms-of-service.html",
"jwks_uri": "https://rp.example.net/jwks",
"initiate_login_uri": "https://rp.example.net/initiate-login",
"redirect_uris": [
"https://rp.example.net/response"
]
}
</pre><a href="#section-6.2-7" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="streaming-request">
<section id="section-6.3">
<h3 id="name-streaming-request">
<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-streaming-request" class="section-name selfRef">Streaming Request</a>
</h3>
<p id="section-6.3-1">All Tenant Commands besides the Metadata Command use <a href="https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events">Server-Side Events</a> (SSE) for the RP to transfer the Command Response. When performing a Streaming Request, the OP MUST include the following HTTP headers when sending the Command Request:<a href="#section-6.3-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-6.3-2.1">
<code>Accept</code> with the value of <code>text/event-stream</code> to indicate support for Server-Sent Events.<a href="#section-6.3-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6.3-2.2">
<code>Cache-Control</code> with the value of <code>no-cache</code> to signal to intermediaries to not cache the response.<a href="#section-6.3-2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6.3-2.3">
<code>Connection</code> with the value of <code>keep-alive</code> to keep the connection open.<a href="#section-6.3-2.3" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-6.3-3">It is RECOMMENDED the OP accept compression of the response by sending the <code>Accept-Encoding</code> HTTP header with the value of <code>gzip</code>, or <code>gzip, br</code>.<a href="#section-6.3-3" class="pilcrow">¶</a></p>
<p id="section-6.3-4">The following is a non-normative example of a Streaming Request:
(with most of the Command Token contents omitted for brevity):<a href="#section-6.3-4" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-6.3-5">
<pre>POST /commands HTTP/1.1
Host: rp.example.net
Content-Type: application/x-www-form-urlencoded
Accept: text/event-stream
Cache-Control: no-cache
Connection: keep-alive
Accept-Encoding: gzip, br
command_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
</pre><a href="#section-6.3-5" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="streaming-response">
<section id="section-6.4">
<h3 id="name-streaming-response">
<a href="#section-6.4" class="section-number selfRef">6.4. </a><a href="#name-streaming-response" class="section-name selfRef">Streaming Response</a>
</h3>
<p id="section-6.4-1">The RP sends a Streaming Response to a Streaming Request. In a Streaming Response, the RP uses SSE to stream the Command Response as a sequence of events. If the RP receives a valid Command, it MUST sent the <code>HTTP/1.1 200 OK</code> response, followed by the following headers:<a href="#section-6.4-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-6.4-2.1">
<code>Content-Type</code> with the <code>text/event-stream</code> value<a href="#section-6.4-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6.4-2.2">
<code>Cache-Control</code> with the <code>no-cache</code> value<a href="#section-6.4-2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6.4-2.3">
<code>Connection</code> with the <code>keep-alive</code> value<a href="#section-6.4-2.3" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-6.4-3">If the OP sent a <code>Content-Encoding</code> header in the request with a compression the RP understands, the RP MAY include a <code>Content-Encoding</code> header with one of the OP provided values.<a href="#section-6.4-3" class="pilcrow">¶</a></p>
<p id="section-6.4-4">Per SSE, the body of the response is a series of events. In addition to the required field name <code>data</code>, each event MUST include the <code>id</code> field with a unique value for each event, and the <code>event</code> field with a value of either <code>account-state</code>, or <code>command-complete</code>. The RP sends an <code>account-state</code> event for each Account at the RP for the <code>iss</code>, and <code>org</code> if sent, in the Audit Tenant Command. When all <code>account-state</code> events have been sent, the RP sends an <code>command-complete</code> event.<a href="#section-6.4-4" class="pilcrow">¶</a></p>
<p id="section-6.4-5">The <code>data</code> parameter of the <code>account-state</code> event MUST contain the following:<a href="#section-6.4-5" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-6.4-6.1">
<code>sub</code> representing the Account<a href="#section-6.4-6.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6.4-6.2">
<code>account_state</code> representing the current state for the Account from the states supported by the RP.<a href="#section-6.4-6.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-6.4-7">The <code>data</code> parameter MAY include other Claims as defined by the Tenant Command.<a href="#section-6.4-7" class="pilcrow">¶</a></p>
<p id="section-6.4-8">The <code>data</code> parameter of the <code>command-complete</code> event MUST include the <code>total_accounts</code> property with a value for the total number of <code>account-state</code> events the RP has sent.<a href="#section-6.4-8" class="pilcrow">¶</a></p>
<p id="section-6.4-9">If there are no Accounts for the Tenant at the RP, the RP responds with only the <code>command-complete</code> event with <code>total-accounts</code> having a value of <code>0</code>.<a href="#section-6.4-9" class="pilcrow">¶</a></p>
<p id="section-6.4-10">The following is a non-normative example of a Streaming Response for an Audit Tenant Command:<a href="#section-6.4-10" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-6.4-11">
<pre>HTTP/1.1 200 OK
Content-Type: text/event-stream
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
id: 1
event: account-state
data: {
"sub": "248289761001",
"email": "janes.smith@example.com",
"given_name": "Jane",
"family_name": "Smith",
"groups": [
"b0f4861d-f3d6-4f76-be2f-e467daddc6f6",
"88799417-c72f-48fc-9e63-f012d8822ad1"
],
"account_state": "active"
}
id: 2
event: account-state
data: {
"sub": "98765412345",
"email": "john.doe@example.com",
"given_name": "John",
"family_name": "Doe",
"groups": [
"88799417-c72f-48fc-9e63-f012d8822ad1"
],
"account_state": "suspended"
}
id: 3
event: command-complete
data: {
"total_accounts": 2
}
</pre><a href="#section-6.4-11" class="pilcrow">¶</a>
</div>
<p id="section-6.4-12">If the connection is lost during a Streaming Response, The OP SHOULD generate a new Command Token and send a Streaming Request include the HTTP header <code>Last-Event-Id</code> with the last event <code>id</code> property received per SSE.<a href="#section-6.4-12" class="pilcrow">¶</a></p>
<p id="section-6.4-13">Following is a non-normative example of a Streaming Request sent after a connection was lost:<a href="#section-6.4-13" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-6.4-14">
<pre>POST /commands HTTP/1.1
Host: rp.example.net
Content-Type: application/x-www-form-urlencoded
Accept: text/event-stream
Cache-Control: no-cache
Connection: keep-alive
Accept-Encoding: gzip, br
Last-Event-Id: 3
command_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
</pre><a href="#section-6.4-14" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="audit-tenant-command">
<section id="section-6.5">
<h3 id="name-audit-tenant-command">
<a href="#section-6.5" class="section-number selfRef">6.5. </a><a href="#name-audit-tenant-command" class="section-name selfRef">Audit Tenant Command</a>
</h3>
<p id="section-6.5-1">Sent in a Streaming Request and identified by the <code>audit_tenant</code> value in the <code>command</code> Claim in a Command Token.<a href="#section-6.5-1" class="pilcrow">¶</a></p>
<p id="section-6.5-2">The OP sends the Audit Tenant Command to learn the state of Accounts for a Tenant at an RP.<a href="#section-6.5-2" class="pilcrow">¶</a></p>
<p id="section-6.5-3">The following is a non-normative example of the Claims Set in the Command Token of an Audit Tenant Command:<a href="#section-6.5-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-6.5-4">
<pre>{
"iss": "https://op.example.org",
"aud": "s6BhdRkqt3",
"iat": 1734003000,
"exp": 1734003060,
"jti": "bWJz",
"command": "audit_tenant",
"tenant": "ff6e7c9"
}
</pre><a href="#section-6.5-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="audit-tenant-response">
<section id="section-6.6">
<h3 id="name-audit-tenant-response">
<a href="#section-6.6" class="section-number selfRef">6.6. </a><a href="#name-audit-tenant-response" class="section-name selfRef">Audit Tenant Response</a>
</h3>
<p id="section-6.6-1">The RP sends a Streaming Response if it received a valid Suspend Tenant Command.<a href="#section-6.6-1" class="pilcrow">¶</a></p>
<p id="section-6.6-2">The RP MUST include any Claims for an Account that the RP has retained that were provided by the OP in the event <code>data</code> parameter JSON string. If the Claim values have been modified at the RP, the modified values should be returned.<a href="#section-6.6-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="suspend-tenant-command">
<section id="section-6.7">
<h3 id="name-suspend-tenant-command">
<a href="#section-6.7" class="section-number selfRef">6.7. </a><a href="#name-suspend-tenant-command" class="section-name selfRef">Suspend Tenant Command</a>
</h3>
<p id="section-6.7-1">Sent in a Streaming Request and identified by the <code>suspend_tenant</code> value in the <code>command</code> Claim in a Command Token.
Upon receiving this Command, the RP MUST suspend all Accounts in the active state for the Tenant identified by the <code>tenant</code> Claim in the Command Token.<a href="#section-6.7-1" class="pilcrow">¶</a></p>
<p id="section-6.7-2">The RP sends a Streaming Response if it received a valid Suspend Tenant Command.<a href="#section-6.7-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="archive-tenant-command">
<section id="section-6.8">
<h3 id="name-archive-tenant-command">
<a href="#section-6.8" class="section-number selfRef">6.8. </a><a href="#name-archive-tenant-command" class="section-name selfRef">Archive Tenant Command</a>
</h3>
<p id="section-6.8-1">Sent in a Streaming Request and identified by the <code>archive_tenant</code> value in the <code>command</code> Claim in a Command Token.
Upon receiving this Command, the RP MUST suspend all Accounts in the active and suspended state for the Tenant identified by the <code>tenant</code> Claim in the Command Token.<a href="#section-6.8-1" class="pilcrow">¶</a></p>
<p id="section-6.8-2">The RP sends a Streaming Response if it received a valid Archive Tenant Command.<a href="#section-6.8-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="delete-tenant-command">
<section id="section-6.9">
<h3 id="name-delete-tenant-command">
<a href="#section-6.9" class="section-number selfRef">6.9. </a><a href="#name-delete-tenant-command" class="section-name selfRef">Delete Tenant Command</a>
</h3>
<p id="section-6.9-1">Sent in a Streaming Request and identified by the <code>delete_tenant</code> value in the <code>command</code> Claim in a Command Token.
Upon receiving this Command, the RP MUST delete all Accounts for the Tenant identified by the <code>tenant</code> Claim in the Command Token.<a href="#section-6.9-1" class="pilcrow">¶</a></p>
<p id="section-6.9-2">The RP sends a Streaming Response if it received a valid Delete Tenant Command. If the Delete Tenant Command was successful, the RP will send only a <code>command_completed</code> event with a <code>data</code> parameter containing the JSON string <code>{"total_accounts":0}</code>.<a href="#section-6.9-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="unauthorize-tenant-command">
<section id="section-6.10">
<h3 id="name-unauthorize-tenant-command">
<a href="#section-6.10" class="section-number selfRef">6.10. </a><a href="#name-unauthorize-tenant-command" class="section-name selfRef">Unauthorize Tenant Command</a>
</h3>
<p id="section-6.10-1">Sent in a Streaming Request and identified by the <code>unauthorize_tenant</code> value in the <code>command</code> Claim in a Command Token.
Upon receiving this Command, the RP MUST perform the <a href="#unauthorize-functionality">Unauthorize Functionality</a> on all Accounts in the <strong>active</strong> state for the Tenant identified by the <code>tenant</code> Claim in the Command Token.<a href="#section-6.10-1" class="pilcrow">¶</a></p>
<p id="section-6.10-2">The RP sends a Streaming Response if it received a valid Unauthorize Tenant Command.<a href="#section-6.10-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="extensibility">
<section id="section-7">
<h2 id="name-extensibility">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-extensibility" class="section-name selfRef">Extensibility</a>
</h2>
<div id="defining-new-commands">
<section id="section-7.1">
<h3 id="name-defining-new-commands">
<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-defining-new-commands" class="section-name selfRef">Defining New Commands</a>
</h3>
<p id="section-7.1-1">New Commands can be defined in one of two ways: registered in the OpenID Provider Commands
registry, or by using a unique absolute URI as its name.<a href="#section-7.1-1" class="pilcrow">¶</a></p>
<p id="section-7.1-2">Types utilizing a URI name SHOULD be limited to vendor-specific
implementations that are not commonly applicable, and are specific to
the implementation details of the resource server where they are
used.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="defining-new-tenant-metadata">
<section id="section-7.2">
<h3 id="name-defining-new-tenant-metadat">
<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-defining-new-tenant-metadat" class="section-name selfRef">Defining New Tenant Metadata</a>
</h3>
<p id="section-7.2-1"><em>To be completed.</em><a href="#section-7.2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="defining-new-relying-party-metadata">
<section id="section-7.3">
<h3 id="name-defining-new-relying-party-">
<a href="#section-7.3" class="section-number selfRef">7.3. </a><a href="#name-defining-new-relying-party-" class="section-name selfRef">Defining New Relying Party Metadata</a>
</h3>
<p id="section-7.3-1"><em>To be completed.</em><a href="#section-7.3-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="openid-provider-command-support">
<section id="section-8">
<h2 id="name-openid-provider-command-sup">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-openid-provider-command-sup" class="section-name selfRef">OpenID Provider Command Support</a>
</h2>
<p id="section-8-1">Relying Parties supporting OpenID Provider Commands register a Commands URI with the OP as part of their client registration.<a href="#section-8-1" class="pilcrow">¶</a></p>
<p id="section-8-2">The Commands URI MUST be an absolute URI as defined by
Section 4.3 of {{RFC3986}}.
The Commands URI MAY include an
<code>application/x-www-form-urlencoded</code> formatted
query component, per Section 3.4 of {{RFC3986}}.
The Commands URI MUST NOT include a fragment component.<a href="#section-8-2" class="pilcrow">¶</a></p>
<p id="section-8-3">If the RP supports
<a href="#OpenID.Registration">OpenID Connect Dynamic Client Registration 1.0</a>,
it uses this metadata value to register the OpenID Provider Commands URI:<a href="#section-8-3" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-8-4.1">
<strong>commands_uri</strong><br>
OPTIONAL.<br>
RP URL that will receive OpenID Provider Commands from the OP.
This URL MUST use the <code>https</code> scheme
and MAY contain path, and query parameter components.<a href="#section-8-4.1" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="implementation-considerations">
<section id="section-9">
<h2 id="name-implementation-consideratio">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-implementation-consideratio" class="section-name selfRef">Implementation Considerations</a>
</h2>
<p id="section-9-1">This specification defines features used by both Relying Parties and
OpenID Providers that choose to implement OpenID Provider Commands.
All of these Relying Parties and OpenID Providers
MUST implement the features that are listed
in this specification as being "REQUIRED" or are described with a "MUST".
No other implementation considerations for implementations of
OpenID Provider Commands are defined by this specification.<a href="#section-9-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="security-considerations">
<section id="section-10">
<h2 id="name-security-considerations">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
</h2>
<p id="section-10-1">The signed Command Token is required in the Command Request to prevent
denial of service attacks by enabling the RP to verify that
the Command Request is coming from a legitimate party.<a href="#section-10-1" class="pilcrow">¶</a></p>
<p id="section-10-2">OPs are encouraged to use short expiration times in Command Tokens,
preferably at most two minutes in the future,
to prevent captured Command Tokens from being replayed.<a href="#section-10-2" class="pilcrow">¶</a></p>
<div id="cross-jwt-confusion">
<section id="section-10.1">
<h3 id="name-cross-jwt-confusion">
<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-cross-jwt-confusion" class="section-name selfRef">Cross-JWT Confusion</a>
</h3>
<p id="section-10.1-1">As described in Section 2.8 of {{RFC8725}},
attackers may attempt to use a JWT issued for one purpose in a context that it was not intended for.
The mitigations described for these attacks can be applied to Command Tokens.<a href="#section-10.1-1" class="pilcrow">¶</a></p>
<p id="section-10.1-2">One way that an attacker might attempt to repurpose a Command Token
is to try to use it as an ID Token.
As described in <a href="#command-token">Command Token</a>,
inclusion of a <code>nonce</code> Claim in a Command Token
is prohibited to prevent its misuse as an ID Token.<a href="#section-10.1-2" class="pilcrow">¶</a></p>
<p id="section-10.1-3">Another way to prevent cross-JWT confusion is to use explicit typing,
as described in Section 3.11 of {{!RFC8725}} and as required in [#command-token].<a href="#section-10.1-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="privacy-considerations">
<section id="section-11">
<h2 id="name-privacy-considerations">
<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-privacy-considerations" class="section-name selfRef">Privacy Considerations</a>
</h2>
<p id="section-11-1"><em>To be completed.</em><a href="#section-11-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana-considerations">
<section id="section-12">
<h2 id="name-iana-considerations">
<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
</h2>
<p id="section-12-1"><em>Not all entries have been added.</em><a href="#section-12-1" class="pilcrow">¶</a></p>
<div id="json-web-token-claims">
<section id="section-12.1">
<h3 id="name-json-web-token-claims">
<a href="#section-12.1" class="section-number selfRef">12.1. </a><a href="#name-json-web-token-claims" class="section-name selfRef">JSON Web Token Claims</a>
</h3>
<p id="section-12.1-1">This specification registers the following JSON web token claim definitions
in the IANA "JSON Web Token Claims" registry
<a href="#IANA.JSON.Web.Token.Claims">IANA JSON Web Token Claims</a>
established by <a href="#RFC7519">RFC7519</a>.<a href="#section-12.1-1" class="pilcrow">¶</a></p>
<div id="registry-contents">
<section id="section-12.1.1">
<h4 id="name-registry-contents">
<a href="#section-12.1.1" class="section-number selfRef">12.1.1. </a><a href="#name-registry-contents" class="section-name selfRef">Registry Contents</a>
</h4>
<ul class="compact">
<li class="compact" id="section-12.1.1-1.1">
<strong>Claim Name:</strong> <code>command</code><a href="#section-12.1.1-1.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-12.1.1-2"><strong>Claim Description:</strong>
An instruction from the <code>iss</code> to the <code>aud</code> of a token.<a href="#section-12.1.1-2" class="pilcrow">¶</a></p>
<p id="section-12.1.1-3"><strong>Change Controller:</strong> OpenID Foundation<a href="#section-12.1.1-3" class="pilcrow">¶</a></p>
<p id="section-12.1.1-4"><strong>Specification Document(s):</strong> This document<a href="#section-12.1.1-4" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-12.1.1-5.1">
<strong>Claim Name:</strong> <code>tenant</code><a href="#section-12.1.1-5.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-12.1.1-6"><strong>Claim Description:</strong>
A logically isolated entity within the party identified by the <code>iss</code> of the token.<a href="#section-12.1.1-6" class="pilcrow">¶</a></p>
<p id="section-12.1.1-7"><strong>Change Controller:</strong> OpenID Foundation<a href="#section-12.1.1-7" class="pilcrow">¶</a></p>
<p id="section-12.1.1-8"><strong>Specification Document(s):</strong> This document<a href="#section-12.1.1-8" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-12.1.1-9.1">
<strong>Claim Name:</strong> <code>metadata</code><a href="#section-12.1.1-9.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-12.1.1-10"><strong>Claim Description:</strong>
Metadata about the party identified by the <code>iss</code> of the token.<a href="#section-12.1.1-10" class="pilcrow">¶</a></p>
<p id="section-12.1.1-11"><strong>Change Controller:</strong> OpenID Foundation<a href="#section-12.1.1-11" class="pilcrow">¶</a></p>
<p id="section-12.1.1-12"><strong>Specification Document(s):</strong> This document<a href="#section-12.1.1-12" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="oauth-dynamic-client-registration-metadata-registration">
<section id="section-12.2">
<h3 id="name-oauth-dynamic-client-regist">
<a href="#section-12.2" class="section-number selfRef">12.2. </a><a href="#name-oauth-dynamic-client-regist" class="section-name selfRef">OAuth Dynamic Client Registration Metadata Registration</a>
</h3>
<p id="section-12.2-1">This specification registers the following client metadata definitions
in the IANA "OAuth Dynamic Client Registration Metadata" registry
<a href="#IANA.OAuth.Parameters">IANA OAuth Parameters</a>
established by <a href="#RFC7591">RFC7591</a>.<a href="#section-12.2-1" class="pilcrow">¶</a></p>
<div id="registry-contents-1">
<section id="section-12.2.1">
<h4 id="name-registry-contents-2">
<a href="#section-12.2.1" class="section-number selfRef">12.2.1. </a><a href="#name-registry-contents-2" class="section-name selfRef">Registry Contents</a>
</h4>
<ul class="compact">
<li class="compact" id="section-12.2.1-1.1">
<strong>Client Metadata Name:</strong> <code>commands_uri</code><a href="#section-12.2.1-1.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-12.2.1-2"><strong>Client Metadata Description:</strong>
RP URL that will receive OpenID Provider Commands from the OP<a href="#section-12.2.1-2" class="pilcrow">¶</a></p>
<p id="section-12.2.1-3"><strong>Change Controller:</strong> OpenID Foundation<a href="#section-12.2.1-3" class="pilcrow">¶</a></p>
<p id="section-12.2.1-4"><strong>Specification Document(s):</strong> This document<a href="#section-12.2.1-4" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="media-type-registration">
<section id="section-12.3">
<h3 id="name-media-type-registration">
<a href="#section-12.3" class="section-number selfRef">12.3. </a><a href="#name-media-type-registration" class="section-name selfRef">Media Type Registration</a>
</h3>
<p id="section-12.3-1">This specification registers the <code>application/command+jwt</code> media type as per {{!RFC6838}}.<a href="#section-12.3-1" class="pilcrow">¶</a></p>
<p id="section-12.3-2"><em>To be completed.</em><a href="#section-12.3-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="references">
<section id="section-13">
<h2 id="name-references">
<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-references" class="section-name selfRef">References</a>
</h2>
<div id="normative-references">
<section id="section-13.1">
<h3 id="name-normative-references">
<a href="#section-13.1" class="section-number selfRef">13.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
</h3>
<p id="section-13.1-1"><em>To be completed.</em><a href="#section-13.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="informative-references">
<section id="section-13.2">
<h3 id="name-informative-references">
<a href="#section-13.2" class="section-number selfRef">13.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
</h3>
<p id="section-13.2-1"><em>To be completed.</em><a href="#section-13.2-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="acknowledgements">
<section id="section-14">
<h2 id="name-acknowledgements">
<a href="#section-14" class="section-number selfRef">14. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
</h2>
<p id="section-14-1">The authors would like to thank early feedback provided by Tim Cappalli, Pam Dingle, George Fletcher, Michael Jones, Aaron Parecki, Dean Saxe, and Rifaat Shekh-Yusef.<a href="#section-14-1" class="pilcrow">¶</a></p>
<p id="section-14-2"><em>To be updated.</em><a href="#section-14-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="notices">
<section id="section-15">
<h2 id="name-notices">
<a href="#section-15" class="section-number selfRef">15. </a><a href="#name-notices" class="section-name selfRef">Notices</a>
</h2>
<p id="section-15-1"><em>To be completed.</em><a href="#section-15-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="document-history">
<section id="section-16">
<h2 id="name-document-history">
<a href="#section-16" class="section-number selfRef">16. </a><a href="#name-document-history" class="section-name selfRef">Document History</a>
</h2>
<p id="section-16-1">[[ To be removed from the final specification ]]<a href="#section-16-1" class="pilcrow">¶</a></p>
<p id="section-16-2">-00<a href="#section-16-2" class="pilcrow">¶</a></p>
<p id="section-16-3">initial draft<a href="#section-16-3" class="pilcrow">¶</a></p>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
toc.classList.remove("active");
});
</script>
</body>
</html>