<!DOCTYPE html>
<!-- saved from url=(0079)https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html -->
<html lang="en" class="Internet-Draft"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>IPSIE SL1 OpenID Connect Profile</title>
<meta content="Aaron Parecki" name="author">
<meta content="
       The IPSIE SL1 OpenID Connect Profile is a profile of OpenID Connect intended to meet the security and interoperability requirements of enterprise integrations using OpenID Connect. 
    " name="description">
<meta content="xml2rfc 3.28.0" name="generator">
<meta content="openid" name="keyword">
<meta content="ipsie" name="keyword">
<meta content="draft-openid-ipsie-sl1-profile-latest" name="ietf.draft">
<!-- Generator version information:
  xml2rfc 3.28.0
    Python 3.12.9
    ConfigArgParse 1.7
    google-i18n-address 3.1.1
    intervaltree 3.1.0
    Jinja2 3.1.5
    lxml 5.3.0
    platformdirs 4.3.6
    pycountry 24.6.1
    PyYAML 6.0.2
    requests 2.32.3
    setuptools 70.3.0
    wcwidth 0.2.13
-->
<link href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.xml" rel="alternate" type="application/rfc+xml">
<link href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#copyright" rel="license">
<style type="text/css">@font-face {
  font-family: 'Lora';
  font-style: italic;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
  font-family: 'Lora';
  font-style: italic;
  font-weight: 400;
  font-display: swap;
  /* NOTE(review): this face covers the Cyrillic (non-ext) unicode-range below,
     yet its src is the same "-cyrillic-ext" file used by the previous face.
     The regular and bold Lora faces on this page pair this range with a
     separate "-cyrillic" file instead — confirm the URL here is intended. */
  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
  font-family: 'Lora';
  font-style: italic;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
  font-family: 'Lora';
  font-style: italic;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}

@font-face {
  font-family: 'Lora';
  font-style: italic;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}

@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
  font-family: 'Lora';
  font-style: normal;
  font-weight: 600;
  font-display: swap;
  src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}

@font-face {
  font-family: 'Oxygen Mono';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
  font-family: 'Oxygen Mono';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}

@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: italic;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0460-052F, U+1C80-1C8A, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: italic;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-cyrillic.woff2') format('woff2');
  unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: italic;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-greek.woff2') format('woff2');
  unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: italic;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: italic;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: normal;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-cyrillic-ext.woff2') format('woff2');
  unicode-range: U+0460-052F, U+1C80-1C8A, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: normal;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-cyrillic.woff2') format('woff2');
  unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: normal;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-greek.woff2') format('woff2');
  unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: normal;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-latin-ext.woff2') format('woff2');
  unicode-range: U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
  font-family: 'Sofia Sans Semi Condensed';
  font-style: normal;
  font-weight: 1 1000;
  src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-latin.woff2') format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}

:root {
  color-scheme: light dark;
  --background-color: #fff;
  --text-color: #222;
  --title-color: #191919;
  --link-color: #2a6496;
  --highlight-color: #f9f9f9;
  --line-color: #eee;
  --pilcrow-weak: #ddd;
  --pilcrow-strong: #bbb;
  --small-font-size: 14.5px;
  --font-mono: 'Oxygen Mono', monospace;
  --font-title: "Sofia Sans Semi Condensed", sans-serif;
  scrollbar-color: #bbb #eee;
}
body {
  max-width: 600px;
  margin: 75px auto;
  padding: 0 5px;
  color: var(--text-color);
  background-color: var(--background-color);
  font: 16px/22px "Lora", serif;
  scroll-behavior: smooth;
}

.ears {
  display: none;
}

/* headings */
section {
  clear: both;
}
.section-number {
  padding-right: 0.5em;
}
h1, h2, h3, h4, h5, h6 {
  font-family: var(--font-title);
  font-weight: 680;
  margin: 0.8em 0 0.3em;
  font-size-adjust: 0.5;
  color: var(--title-color);
}
h1#title {
  font-size: 32px;
  line-height: 40px;
  clear: both;
}
h1#title, h1#rfcnum {
  margin: 1.5em 0 0.2em;
}
h1#rfcnum + h1#title {
  margin: 0.2em 0;
}

h1, h2, h3 {
  font-size: 22px;
  line-height: 27px;
}
h4, h5, h6 {
  font-size: 20px;
  line-height: 24px;
}

/* general structure */
.author {
  padding-bottom: 0.3em;
  vertical-align: top;
}
#abstract+p {
  font-size: 18px;
  line-height: 24px;
}
#abstract+p code, #abstract+p samp, #abstract+p tt {
  font-size: 16px;
  line-height: 0;
}

p {
  padding: 0;
  margin: 0.5em 0;
  text-align: left;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: var(--highlight-color);
  border: 1px solid var(--line-color);
  border-radius: 3px;
  padding: 0.5em 1em 0;
  margin-bottom: 0.5em;
}
.alignRight.art-text pre {
  padding: 0;
  width: auto;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
/* font-family isn't space-separated, but =~ will have to do */
svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
  font-family: var(--font-mono);
}
.alignCenter.art-text {
  background-color: var(--highlight-color);
  border: 1px solid var(--line-color);
  border-radius: 3px;
  padding: 0.5em 1em 0;
  margin-bottom: 0.5em;
}
.alignCenter.art-text pre {
  padding: 0;
  width: auto;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 0.5em 2em;
  & :is(ol, ul) {
    margin-left: 1em;
  }
}
li {
  margin: 0 0 0.25em 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
  & li {
    margin-top: 0.5em;
  }
}
:is(ul, ol).compact, .ulCompact, .olCompact {
  margin: 0 0 0 2em;
  & li {
    margin: 0;
    & :first-child { margin-top: 0; }
    & :last-child { margin-bottom: 0; }
  }
}

/* definition lists */
dl {
  clear: left;
  --indent: 3ch;
  /* --indent: attr(indent ch); not supported in any browser, but we can dream */
  &.olPercent {
    --indent: 5ch;
    & > dt {
      min-width: calc(var(--indent) - 2ch);
    }
  }
  &.olPercent > dt {
    float: none;
  }

  dl > dd > & {
    margin-top: 0.5em;
    margin-bottom: 0;
  }
}
dl:not(.dlNewline) > dt {
  float: left;
  margin-right: 2ch;
  min-width: 8ch;
}
dl > dd {
  margin-bottom: .8em;
  margin-left: var(--indent) !important; /* stupid element overrides */
  min-height: 2ex;
}
:is(dl.compact, .dlCompact) > dd {
  margin-bottom: 0;
  & > :is(:first-child, .break:first-child + *) {
    margin-top: 0;
  }
  & > :is(:last-child) {
    margin-bottom: 0;
  }
}
:is(dd, span).break {
  display: none;
}

/* links */
a, a[href].selfRef:hover {
  text-decoration: none;
}
a[href] {
  color: var(--link-color);
}
a[href].selfRef, .iref + a[href].internal {
  color: var(--text-color);
}
a[href]:hover {
  text-decoration: underline;
}
a[href].selfRef:hover {
  background-color: var(--highlight-color);
}
a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
  white-space: nowrap;
}

/* Figures */
tt, code, pre {
  background-color: var(--highlight-color);
  font: 14px/22px var(--font-mono);
}
tt, code {
  /* changing the font for inline elements leads to different ascender
     and descender heights; as we want to retain baseline alignment,
     remove leading to avoid altering the final height of lines
     note: this fails if these blocks take an entire line,
     a different solution would be great */
  line-height: 0;
}
:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
  font-size: 84%;
}
pre {
  border: 1px solid var(--line-color);
  font-size: 13.5px;
  line-height: 16px;
  letter-spacing: -0.2px;
  margin: 5px;
  padding: 5px;
}
img {
  max-width: 100%;
}
figure {
  margin: 0.5em 0;
  padding: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption, caption {
  font-style: italic;
  margin: 0.5em 1.5em;
  text-align: left;
  caption-side: bottom;
}
@media screen {
  /* Auto-collapse boilerplate. */
  :is(#status-of-memo, #copyright) p {
    margin: -2px 0;
    max-height: 0;
    transition: max-height 2s ease, margin 0.5s ease 0.5s;
    overflow: hidden;
  }
  :is(#status-of-memo, #copyright):hover p,
  :is(#status-of-memo, #copyright) h2:target ~ p {
    margin: 0.5em 0;
    max-height: 500px;
    overflow: auto;
  }
  pre, svg {
    display: inline-block;
    /* In the horizontal direction, sometimes people make over-sized figures.
       Scrollbars for those is therefore necessary: auto adds them as necessary..
       In the vertical direction, the line-height can combine with the font
       asender/descender height to produce scrollbars: hidden avoids that. */
    overflow: auto hidden;
  }
  pre {
    max-width: 100%;
    width: calc(100% - 22px - 1em);
  }
  svg {
    max-width: calc(100% - 22px - 1em);
  }
  figure pre {
    display: block;
    width: calc(100% - 25px);
  }
  :is(pre, svg) + .pilcrow {
    display: inline-block;
    vertical-align: text-bottom;
    padding-bottom: 8px;
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 0 2em;
  font-style: italic;
}
blockquote {
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: auto;
  max-width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
}
table.right {
  margin-left: auto;
}
table.center {
  margin-left: auto;
  margin-right: auto;
}
table.left {
  margin-right: auto;
}
table .text-left {
  text-align: left;
}
table .text-center {
  text-align: center;
}
table .text-right {
  text-align: right;
}

thead, tbody {
  border: 1px solid var(--line-color);
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 5px 10px;
}
th {
  background-color: var(--line-color);
}
:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
  background-color: var(--background-color);
}
:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
  background-color: var(--highlight-color);
}
table caption {
  margin: 0;
  padding: 3px 0 3px 1em;
}
table p {
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  margin-left: 3px;
  opacity: 0.2;
  user-select: none;
  &[href] {
    color: var(--pilcrow-weak);
    &:hover { text-decoration: none; }
  }
}
@media not print {
  :hover > a.pilcrow {
    opacity: 1;
  }
  a.pilcrow[href]:hover {
    color: var(--pilcrow-strong);
    background-color: transparent;
  }
}
@media print {
  a.pilcrow {
    display: none;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid var(--line-color);
}
.bcp14 {
  font-variant: small-caps;
  font-weight: 600;
  font-size: var(--small-font-size);
}
.role {
  font-variant: all-small-caps;
}
sub, sup {
  line-height: 1;
  font-size: 80%;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: var(--small-font-size);
  line-height: 18px;
  --identifier-width: 15ch;
  & dt {
    width: var(--identifier-width);
    min-width: var(--identifier-width);
    clear: left;
    float: left;
    text-align: right;
    margin-right: 1ch;
  }
  & dd {
    margin: 0;
    margin-left: calc(1em + var(--identifier-width)) !important;
    min-width: 5em;
  }
  & .authors {
    & .author {
      display: inline-block;
      margin-right: 1.5em;
    }
    & .org {
      font-style: italic;
    }
  }
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #999;
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;

  & nav {
    & ul {
      margin: 0 0.5em 0 0;
      padding: 0;
      list-style: none;
    }
    & li {
      line-height: 1.3em;
      margin: 2px 0;
      padding-left: 1.2em;
      text-indent: -1.2em;
    }
  }
  & a.xref {
    white-space: normal;
  }
}

.references {
  & > dt {
    text-align: right;
    font-weight: bold;
    min-width: 10ch;
    margin-right: 1.5ch;
    &:target::before {
      content: "⇒";
      margin: 0 10px 0 -25px;
    }
  }
  & > dd {
    margin-left: 12ch !important;
    overflow: visible;
    & .refInstance {
      margin-bottom: 0.8em;
    }
    & .ascii {
      margin-bottom: 0.25em;
    }
  }
}

#rfc\.index\.index + ul {
  margin-left: 0;
}

/* authors */
address.vcard {
  font-style: normal;
  max-width: 20em;
  margin: 1em auto 1em 0;

  & .nameRole {
    font-weight: 700;
    margin-left: 0;
  }
  & .label {
    margin: 0.5em 0;
  }
  & .type {
    display: none;
  }
  & .alternative-contact {
    margin: 0.5em 0 0.25em 0;
  }
  & .non-ascii {
    margin: 0 0 0 2em;
  }
  & div.left {
    text-align: left;
  }
  & div.right {
    text-align: right;
  }
}

hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}
@media (min-width: 500px) {
  #authors-addresses > section {
    column-count: 2;
    column-gap: 20px;
  }
  #authors-addresses > section > h2 {
    column-span: all;
  }
  /* hack for break-inside: avoid-column */
  #authors-addresses address {
    display: inline-block;
    break-inside: avoid-column;
  }
}

/* Comments */
.rfcEditorRemove p:first-of-type {
  font-style: italic;
}
.cref {
  background-color: rgba(249, 232, 105, 0.3);
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}

@media screen {
  #toc nav {
    font-family: var(--font-title);
    font-weight: 360;
    & > ul { margin-bottom: 2em; }
    & ul {
      margin: 0 0 0 4px;
      & :is(p, li) {
        margin: 2px 0;
      }
    }
  }
  #toc a.toplink {
    float: right;
  }
}
@media not screen {
  #toc a.toplink {
    display: none;
  }
}


/* TOC layout for smaller screens */
@media screen and (max-width: 929px) {
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 1px 0 0 0;
    margin: 0;
    border-bottom: 1px solid #ccc;
    opacity: 0.6;
  }
  #toc h2 {
    margin: 0;
    padding: 2px 0 2px 6px;
    padding-right: 1em;
    font-size: 18px;
    line-height: 24px;
    min-width: 190px;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
    &::before { /* css hamburger */
      float: right;
      position: relative;
      width: 1em;
      height: 1px;
      left: -164px;
      margin: 8px 0 0 0;
      background: white none repeat scroll 0 0;
      box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
      content: "";
    }
  }
  #toc nav {
    display: none;
    background-color: var(--background-color);
    padding: 0.5em 1em 1em;
    overflow: auto;
    overscroll-behavior: contain;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
  #toc.active {
    opacity: 1;
    & nav { display: block; }
  }
  /* Make the collapsed ToC header render white on gray also when it's a link */
  #toc h2 a,
  #toc h2 a:is(:link, :focus, :hover),
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
  #toc a.toplink {
    margin: 2px 0.5em 0;
  }
}

/* TOC layout for wide screens */
@media screen and (min-width: 930px) {
  body {
    padding-right: 360px;
    padding-right: calc(min(180px + 20%, 500px));
  }
  #toc {
    position: fixed;
    bottom: 0;
    right: 0;
    right: calc(50vw - 480px);
    width: 312px;
    margin: 0;
    padding: 0;
    z-index: 1;
  }
  #toc h2 {
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 2em;
    overflow: auto;
    overscroll-behavior: contain;
    scrollbar-width: thin;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
  #toc a.toplink {
    margin: 8px 0.5em 0;
  }
}

/* pagination */
@media print {
  body {
    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre, .vcard {
    page-break-inside: avoid;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  :is(h2, h3, h4, h5, h6)+*, dd {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
}

/* Dark mode. */
@media (prefers-color-scheme: dark) {
:root {
  --background-color: #121212;
  --text-color: #f0f0f0;
  --title-color: #fff;
  --link-color: #4da4f0;
  --highlight-color: #282828;
  --line-color: #444;
  --pilcrow-weak: #444;
  --pilcrow-strong: #666;
  scrollbar-color: #777 #333;
}
}

/* SVG Trick: a prefix match works because only black and white are allowed */
svg :is([stroke="black"], [stroke^="#000"]) {
  stroke: var(--text-color);
}
svg :is([stroke="white"], [stroke^="#fff"]) {
  stroke: var(--background-color);
}
svg :is([fill="black"], [fill^="#000"], :not([fill])) {
  fill: var(--text-color);
}
svg :is([fill="white"], [fill^="#fff"]) {
  fill: var(--background-color);
}
</style>

</head>
<body class="xml2rfc">
<table class="ears">
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">IPSIE SL1</td>
<td class="right">March 2025</td>
</tr></thead>
<tfoot><tr>
<td class="left">Parecki</td>
<td class="center">Expires 8 September 2025</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">IPSIE Working Group</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">draft-openid-ipsie-sl1-profile-latest</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2025-03-07" class="published">7 March 2025</time>
    </dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2025-09-08">8 September 2025</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">A. Parecki</div>
<div class="org">Okta</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">IPSIE SL1 OpenID Connect Profile</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">The IPSIE SL1 OpenID Connect Profile is a profile of OpenID Connect intended to meet the security and interoperability requirements of enterprise integrations using OpenID Connect.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<section class="note rfcEditorRemove" id="section-note.1">
      <h2 id="name-about-this-document">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-about-this-document" class="section-name selfRef">About This Document</a>
      </h2>
<p id="section-note.1-1">This note is to be removed before publishing as an RFC.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-note.1-1" class="pilcrow">¶</a></p>
<p id="section-note.1-2">
        The latest revision of this draft can be found at <span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html">https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html</a></span>.
        <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-note.1-2" class="pilcrow">¶</a></p>
<p id="section-note.1-3">
        Discussion of this document takes place on the
        IPSIE Working Group mailing list (<span><a href="mailto:openid-specs-ipsie@lists.openid.net">mailto:openid-specs-ipsie@lists.openid.net</a></span>),
        which is archived at <span><a href="https://openid.net/wg/ipsie/">https://openid.net/wg/ipsie/</a></span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-note.1-3" class="pilcrow">¶</a></p>
<p id="section-note.1-4">Source for this draft and an issue tracker can be found at
        <span><a href="https://github.com/aaronpk/ipsie-openid-sl1">https://github.com/aaronpk/ipsie-openid-sl1</a></span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-note.1-4" class="pilcrow">¶</a></p>
</section>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2025 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-1" class="auto internal xref">1</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-introduction" class="internal xref">Introduction</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2" class="auto internal xref">2</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-conventions-and-definitions" class="internal xref">Conventions and Definitions</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2.1" class="auto internal xref">2.1</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-roles" class="internal xref">Roles</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3" class="auto internal xref">3</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-profile" class="internal xref">Profile</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
                <p id="section-toc.1-1.3.2.1.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1" class="auto internal xref">3.1</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-network-layer-requirements" class="internal xref">Network Layer Requirements</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1.2.1">
                    <p id="section-toc.1-1.3.2.1.2.1.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1" class="auto internal xref">3.1.1</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-all-endpoi" class="internal xref">Requirements for all endpoints</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1.2.2">
                    <p id="section-toc.1-1.3.2.1.2.2.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.2" class="auto internal xref">3.1.2</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-endpoints-" class="internal xref">Requirements for endpoints not used by web browsers</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1.2.3">
                    <p id="section-toc.1-1.3.2.1.2.3.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3" class="auto internal xref">3.1.3</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-endpoints-u" class="internal xref">Requirements for endpoints used by web browsers</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
                <p id="section-toc.1-1.3.2.2.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2" class="auto internal xref">3.2</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-cryptography-and-secrets" class="internal xref">Cryptography and Secrets</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
                <p id="section-toc.1-1.3.2.3.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3" class="auto internal xref">3.3</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-openid-connect" class="internal xref">OpenID Connect</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3.2.1">
                    <p id="section-toc.1-1.3.2.3.2.1.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1" class="auto internal xref">3.3.1</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-openid-pro" class="internal xref">Requirements for OpenID Providers</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3.2.2">
                    <p id="section-toc.1-1.3.2.3.2.2.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2" class="auto internal xref">3.3.2</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-openid-rel" class="internal xref">Requirements for OpenID Relying Parties</a></p>
</li>
                </ul>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-4" class="auto internal xref">4</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-security-considerations" class="internal xref">Security Considerations</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-5" class="auto internal xref">5</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-6" class="auto internal xref">6</a>.  <a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-normative-references" class="internal xref">Normative References</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#appendix-A" class="auto internal xref"></a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-acknowledgments" class="internal xref">Acknowledgments</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#appendix-B" class="auto internal xref"></a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-authors-address" class="internal xref">Author's Address</a></p>
</li>
        </ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
      <h2 id="name-introduction">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-1" class="section-number selfRef">1. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">TODO Introduction<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="conventions-and-definitions">
<section id="section-2">
      <h2 id="name-conventions-and-definitions">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2" class="section-number selfRef">2. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-conventions-and-definitions" class="section-name selfRef">Conventions and Definitions</a>
      </h2>
<p id="section-2-1">The keywords "shall", "shall not", "should", "should not", "may", and "can" in
this document are to be interpreted as described in ISO Directive Part 2
[ISODIR2]. These keywords are not used as dictionary terms; every
occurrence of them is to be interpreted as a keyword and not with
its natural-language meaning.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2-1" class="pilcrow">¶</a></p>
<div id="roles">
<section id="section-2.1">
        <h3 id="name-roles">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2.1" class="section-number selfRef">2.1. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-roles" class="section-name selfRef">Roles</a>
        </h3>
<p id="section-2.1-1">This document uses the term "Identity Provider" to refer to the "OpenID Provider" in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span> and the "Authorization Server" in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2.1-1" class="pilcrow">¶</a></p>
<p id="section-2.1-2">This document uses the term "Application" to refer to the "Relying Party" in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span> and the "Client" in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-2.1-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="profile">
<section id="section-3">
      <h2 id="name-profile">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3" class="section-number selfRef">3. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-profile" class="section-name selfRef">Profile</a>
      </h2>
<div id="network-layer-requirements">
<section id="section-3.1">
        <h3 id="name-network-layer-requirements">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1" class="section-number selfRef">3.1. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-network-layer-requirements" class="section-name selfRef">Network Layer Requirements</a>
        </h3>
<div id="requirements-for-all-endpoints">
<section id="section-3.1.1">
          <h4 id="name-requirements-for-all-endpoi">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1" class="section-number selfRef">3.1.1. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-all-endpoi" class="section-name selfRef">Requirements for all endpoints</a>
          </h4>
<p id="section-3.1.1-1">To protect against network attacks, Applications (clients), Identity Providers (authorization servers), and resource servers<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.1.1-2.1">
              <p id="section-3.1.1-2.1.1">shall only offer TLS-protected endpoints and shall establish connections to other servers using TLS;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.1-2.2">
              <p id="section-3.1.1-2.2.1">shall set up TLS connections using TLS version 1.2 or later;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-2.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.1-2.3">
              <p id="section-3.1.1-2.3.1">shall follow the recommendations for Secure Use of Transport Layer Security in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#BCP195" class="cite xref">BCP195</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-2.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.1-2.4">
              <p id="section-3.1.1-2.4.1">should use DNSSEC to protect against DNS spoofing attacks that can lead to the issuance of rogue domain-validated TLS certificates; and<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-2.4.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.1-2.5">
              <p id="section-3.1.1-2.5.1">shall perform a TLS server certificate check, as per <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9525" class="cite xref">RFC9525</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.1-2.5.1" class="pilcrow">¶</a></p>
</li>
          </ul>
</section>
</div>
<div id="requirements-for-endpoints-not-used-by-web-browsers">
<section id="section-3.1.2">
          <h4 id="name-requirements-for-endpoints-">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.2" class="section-number selfRef">3.1.2. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-endpoints-" class="section-name selfRef">Requirements for endpoints not used by web browsers</a>
          </h4>
<p id="section-3.1.2-1">For server-to-server communication endpoints that are not used by web browsers, the following requirements apply:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.1.2-2.1">
              <p id="section-3.1.2-2.1.1">When using TLS 1.2, servers shall only permit the cipher suites recommended in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#BCP195" class="cite xref">BCP195</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.2-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.2-2.2">
              <p id="section-3.1.2-2.2.1">When using TLS 1.2, clients should only permit the cipher suites recommended in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#BCP195" class="cite xref">BCP195</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.2-2.2.1" class="pilcrow">¶</a></p>
</li>
          </ul>
</section>
</div>
<div id="requirements-for-endpoints-used-by-web-browsers">
<section id="section-3.1.3">
          <h4 id="name-requirements-for-endpoints-u">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3" class="section-number selfRef">3.1.3. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-endpoints-u" class="section-name selfRef">Requirements for endpoints used by web browsers</a>
          </h4>
<p id="section-3.1.3-1">For endpoints that are used by web browsers, the following additional requirements apply:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.1.3-2.1">
              <p id="section-3.1.3-2.1.1">Servers shall use methods to ensure that connections cannot be downgraded by TLS stripping attacks. An HTTP Strict Transport Security (HSTS) policy <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6797" class="cite xref">RFC6797</a>]</span> that is included in browser preload lists [preload] can be used for this purpose; a policy that is only learned from a response header does not protect the first connection a browser makes to the server. Some top-level domains, such as .bank and .insurance, have set such a policy and therefore protect all second-level domains below them.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.3-2.2">
              <p id="section-3.1.3-2.2.1">When using TLS 1.2, servers shall only permit the cipher suites recommended in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#BCP195" class="cite xref">BCP195</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3-2.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.1.3-2.3">
              <p id="section-3.1.3-2.3.1">Servers shall not support Cross-Origin Resource Sharing [CORS] for the authorization endpoint, as Applications direct the user's browser to this endpoint via an HTTP redirect rather than accessing it directly; there is therefore no legitimate cross-origin script access to this endpoint that would need to be permitted.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.1.3-2.3.1" class="pilcrow">¶</a></p>
</li>
          </ul>
</section>
</div>
</section>
</div>
<div id="cryptography-and-secrets">
<section id="section-3.2">
        <h3 id="name-cryptography-and-secrets">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2" class="section-number selfRef">3.2. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-cryptography-and-secrets" class="section-name selfRef">Cryptography and Secrets</a>
        </h3>
<p id="section-3.2-1">The following requirements apply to cryptographic operations and secrets:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.2-2.1">
            <p id="section-3.2-2.1.1">Authorization servers, clients, and resource servers when creating or processing JWTs shall:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.1.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.2-2.1.2.1">
                <p id="section-3.2-2.1.2.1.1">adhere to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8725" class="cite xref">RFC8725</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.1.2.1.1" class="pilcrow">¶</a></p>
</li>
              <li class="normal" id="section-3.2-2.1.2.2">
                <p id="section-3.2-2.1.2.2.1">use PS256, ES256, or EdDSA (using the Ed25519 variant) algorithms; and<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.1.2.2.1" class="pilcrow">¶</a></p>
</li>
              <li class="normal" id="section-3.2-2.1.2.3">
                <p id="section-3.2-2.1.2.3.1">not use or accept the <code>none</code> algorithm.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.1.2.3.1" class="pilcrow">¶</a></p>
</li>
            </ul>
</li>
          <li class="normal" id="section-3.2-2.2">
            <p id="section-3.2-2.2.1">RSA keys shall have a minimum length of 2048 bits.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.2.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.2-2.3">
            <p id="section-3.2-2.3.1">Elliptic curve keys shall have a minimum length of 224 bits.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.3.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.2-2.4">
            <p id="section-3.2-2.4.1">Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) shall be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible (<span><a href="https://rfc-editor.org/rfc/rfc6749#section-10.10" class="relref">Section 10.10</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>).<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.2-2.4.1" class="pilcrow">¶</a></p>
</li>
        </ul>
</section>
</div>
<div id="openid-connect">
<section id="section-3.3">
        <h3 id="name-openid-connect">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3" class="section-number selfRef">3.3. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-openid-connect" class="section-name selfRef">OpenID Connect</a>
        </h3>
<p id="section-3.3-1">In the following, a profile of the following technologies is defined:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3-2.1">
            <p id="section-3.3-2.1.1">OpenID Connect Core 1.0 incorporating errata set 2 <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.1.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.2">
            <p id="section-3.3-2.2.1">OpenID Connect Discovery <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID.Discovery" class="cite xref">OpenID.Discovery</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.2.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.3">
            <p id="section-3.3-2.3.1">OAuth 2.0 Authorization Framework <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.3.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.4">
            <p id="section-3.3-2.4.1">Proof Key for Code Exchange (PKCE) <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC7636" class="cite xref">RFC7636</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.4.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.5">
            <p id="section-3.3-2.5.1">OAuth 2.0 Authorization Server Metadata <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8414" class="cite xref">RFC8414</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.5.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.6">
            <p id="section-3.3-2.6.1">OAuth 2.0 Demonstrating Proof of Possession (DPoP) <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.6.1" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.3-2.7">
            <p id="section-3.3-2.7.1">OAuth 2.0 Authorization Server Issuer Identification <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9207" class="cite xref">RFC9207</a>]</span><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3-2.7.1" class="pilcrow">¶</a></p>
</li>
        </ul>
<div id="requirements-for-openid-providers">
<section id="section-3.3.1">
          <h4 id="name-requirements-for-openid-pro">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1" class="section-number selfRef">3.3.1. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-openid-pro" class="section-name selfRef">Requirements for OpenID Providers</a>
          </h4>
<p id="section-3.3.1-1">OpenID Providers:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.1-2.1">
              <p id="section-3.3.1-2.1.1">shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID.Discovery" class="cite xref">OpenID.Discovery</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.2">
              <p id="section-3.3.1-2.2.1">shall reject requests using the resource owner password credentials grant;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.3">
              <p id="section-3.3.1-2.3.1">shall only support confidential clients as defined in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.4">
              <p id="section-3.3.1-2.4.1">shall authenticate clients using <code>private_key_jwt</code> as specified in Section 9 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.4.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.5">
              <p id="section-3.3.1-2.5.1">shall only issue sender-constrained access tokens using DPoP <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.5.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.6">
              <p id="section-3.3.1-2.6.1">shall not expose open redirectors <span><a href="https://rfc-editor.org/rfc/rfc9700#section-4.11" class="relref">Section 4.11</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9700" class="cite xref">RFC9700</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.6.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.7">
              <p id="section-3.3.1-2.7.1">shall only accept its issuer identifier value (as defined in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8414" class="cite xref">RFC8414</a>]</span>) as a string in the <code>aud</code> claim received in client authentication assertions;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.7.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.8">
              <p id="section-3.3.1-2.8.1">shall issue authorization codes with a maximum lifetime of 60 seconds;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.8.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-2.9">
              <p id="section-3.3.1-2.9.1">shall require clients to be preregistered, and shall not support unauthenticated Dynamic Client Registration requests (see Note 1);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-2.9.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.1-3">ID Tokens issued by OpenID Providers:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-3" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.1-4.1">
              <p id="section-3.3.1-4.1.1">shall contain the OAuth Client ID of the RP as a single audience value as a string (see Note 2);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-4.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-4.2">
              <p id="section-3.3.1-4.2.1">shall contain an <code>acr</code> claim as a string that identifies the Authentication Context Class that the authentication performed satisfied, as described in Section 2 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-4.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-4.3">
              <p id="section-3.3.1-4.3.1">shall contain the <code>amr</code> claim as an array of strings indicating identifiers for authentication methods used in the authentication from those registered in the IANA Authentication Method Reference Values registry, as described in Section 2 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-4.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-4.4">
              <p id="section-3.3.1-4.4.1">shall indicate the expected lifetime of the RP session in the <code>session_lifetime</code> claim in seconds (see Note 3);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-4.4.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.1-5">Note 1: The requirement for preregistered clients corresponds to Section 3.4 "Trust Agreements" of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#NIST.FAL" class="cite xref">NIST.FAL</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-5" class="pilcrow">¶</a></p>
<p id="section-3.3.1-6">Note 2: The audience value must be a single string to meet the audience restriction of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#NIST.FAL" class="cite xref">NIST.FAL</a>]</span>.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-6" class="pilcrow">¶</a></p>
<p id="section-3.3.1-7">Note 3: The <code>session_lifetime</code> claim is not currently defined in OpenID Connect. It may be better to define it in its own specification, or in OpenID Connect Core, rather than in this profile.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-7" class="pilcrow">¶</a></p>
<p id="section-3.3.1-8">For the authorization code flow, OpenID Providers:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-8" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.1-9.1">
              <p id="section-3.3.1-9.1.1">shall require the value of <code>response_type</code> described in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span> to be <code>code</code>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.2">
              <p id="section-3.3.1-9.2.1">shall require PKCE <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC7636" class="cite xref">RFC7636</a>]</span> with S256 as the code challenge method (see Note 1 below);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.3">
              <p id="section-3.3.1-9.3.1">shall issue authorization codes with a maximum lifetime of 60 seconds;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.4">
              <p id="section-3.3.1-9.4.1">shall support "Authorization Code Binding to DPoP Key" (as required by <span><a href="https://rfc-editor.org/rfc/rfc9449#section-10.1" class="relref">Section 10.1</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.4.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.5">
              <p id="section-3.3.1-9.5.1">shall return an iss parameter in the authorization response according to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9207" class="cite xref">RFC9207</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.5.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.6">
              <p id="section-3.3.1-9.6.1">shall not transmit authorization responses over unencrypted network connections, and, to this end, shall not allow redirect URIs that use the "http" scheme except for native clients that use loopback interface redirection as described in Section 7.3 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8252" class="cite xref">RFC8252</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.6.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.7">
              <p id="section-3.3.1-9.7.1">shall reject an authorization code (Section 1.3.1 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>) if it has been previously used (Section 4.1.2 of [RFC6749] additionally recommends revoking, when possible, all tokens previously issued based on that code);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.7.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.8">
              <p id="section-3.3.1-9.8.1">shall not use the HTTP 307 status code when redirecting a request that contains user credentials, to avoid accidentally forwarding the credentials to a third party (see <span><a href="https://rfc-editor.org/rfc/rfc9700#section-4.12" class="relref">Section 4.12</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9700" class="cite xref">RFC9700</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.8.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.9">
              <p id="section-3.3.1-9.9.1">should use the HTTP 303 status code when an HTTP status code is used to redirect the user agent;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.9.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-9.10">
              <p id="section-3.3.1-9.10.1">shall support <code>nonce</code> parameter values up to 64 characters in length, and may reject <code>nonce</code> values longer than 64 characters;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-9.10.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.1-10">TBD: Should PAR be required at level SL1? If so, OpenID Providers:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-10" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.1-11.1">
              <p id="section-3.3.1-11.1.1">shall support client-authenticated pushed authorization requests according to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9126" class="cite xref">RFC9126</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-11.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-11.2">
              <p id="section-3.3.1-11.2.1">shall reject authorization requests that were not made using pushed authorization requests <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9126" class="cite xref">RFC9126</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-11.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-11.3">
              <p id="section-3.3.1-11.3.1">shall reject pushed authorization requests without client authentication;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-11.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.1-11.4">
              <p id="section-3.3.1-11.4.1">shall issue <code>request_uri</code> values for pushed authorization requests with <code>expires_in</code> values of less than 600 seconds;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-11.4.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.1-12">Note 1: while both <code>nonce</code> and PKCE can protect against authorization code injection, the <code>nonce</code> check is implemented and enforced by the client (RP): the OpenID Provider (IdP) cannot verify that the RP performs it correctly, and the check only detects the attack after tokens have already been issued. PKCE, by contrast, is enforced by the OpenID Provider and stops the attack before any tokens are issued, which is why this profile requires it of both parties.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.1-12" class="pilcrow">¶</a></p>
</section>
</div>
<div id="requirements-for-openid-relying-parties">
<section id="section-3.3.2">
          <h4 id="name-requirements-for-openid-rel">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2" class="section-number selfRef">3.3.2. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-requirements-for-openid-rel" class="section-name selfRef">Requirements for OpenID Relying Parties</a>
          </h4>
<p id="section-3.3.2-1">OpenID Relying Parties:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.2-2.1">
              <p id="section-3.3.2-2.1.1">shall support third-party initiated login as defined in Section 4 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.2">
              <p id="section-3.3.2-2.2.1">shall support client authentication using <code>private_key_jwt</code> as specified in Section 9 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID" class="cite xref">OpenID</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.3">
              <p id="section-3.3.2-2.3.1">shall use the authorization server's issuer identifier value (as defined in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8414" class="cite xref">RFC8414</a>]</span>) in the <code>aud</code> claim in client authentication assertions. The issuer identifier value shall be sent as a string, not as an item in an array;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.4">
              <p id="section-3.3.2-2.4.1">shall not expose open redirectors (see <span><a href="https://rfc-editor.org/rfc/rfc9700#section-4.11" class="relref">Section 4.11</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9700" class="cite xref">RFC9700</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.4.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.5">
              <p id="section-3.3.2-2.5.1">shall only use authorization server metadata (such as the authorization endpoint) retrieved from the metadata document as specified in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#OpenID.Discovery" class="cite xref">OpenID.Discovery</a>]</span> and <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8414" class="cite xref">RFC8414</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.5.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.6">
              <p id="section-3.3.2-2.6.1">shall ensure that the issuer URL used as the basis for retrieving the authorization server metadata is obtained from an authoritative source and using a secure channel, such that it cannot be modified by an attacker;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.6.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-2.7">
              <p id="section-3.3.2-2.7.1">shall ensure that this issuer URL and the <code>issuer</code> value in the obtained metadata match exactly (see Section 3.3 of <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC8414" class="cite xref">RFC8414</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-2.7.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.2-3">OpenID Relying Parties making resource requests to the OpenID Provider:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-3" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.2-4.1">
              <p id="section-3.3.2-4.1.1">shall support sender-constrained access tokens using DPoP as described in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-4.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-4.2">
              <p id="section-3.3.2-4.2.1">shall support the server provided nonce mechanism (as defined in <span><a href="https://rfc-editor.org/rfc/rfc9449#section-8" class="relref">Section 8</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-4.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-4.3">
              <p id="section-3.3.2-4.3.1">shall send access tokens in the HTTP <code>Authorization</code> header using the <code>DPoP</code> authentication scheme, as described in <span><a href="https://rfc-editor.org/rfc/rfc9449#section-7.1" class="relref">Section 7.1</a> of [<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9449" class="cite xref">RFC9449</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-4.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-4.4">
              <p id="section-3.3.2-4.4.1">shall support refresh tokens and their rotation;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-4.4.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.2-5">For the authorization code flow, Relying Parties:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-5" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.2-6.1">
              <p id="section-3.3.2-6.1.1">shall use the authorization code grant described in <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-6.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-6.2">
              <p id="section-3.3.2-6.2.1">shall use PKCE <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC7636" class="cite xref">RFC7636</a>]</span> with S256 as the code challenge method;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-6.2.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-6.3">
              <p id="section-3.3.2-6.3.1">shall generate the PKCE challenge specifically for each authorization request and securely bind the challenge to the client and the user agent in which the flow was started;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-6.3.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-6.4">
              <p id="section-3.3.2-6.4.1">shall check the iss parameter in the authorization response according to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9207" class="cite xref">RFC9207</a>]</span> to prevent mix-up attacks;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-6.4.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-6.5">
              <p id="section-3.3.2-6.5.1">should not use <code>nonce</code> parameter values longer than 64 characters;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-6.5.1" class="pilcrow">¶</a></p>
</li>
          </ul>
<p id="section-3.3.2-7">TBD: Should PAR be required at level SL1? If so, Relying Parties:<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-7" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3.2-8.1">
              <p id="section-3.3.2-8.1.1">shall use Pushed Authorization Requests according to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9126" class="cite xref">RFC9126</a>]</span>;<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-8.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-3.3.2-8.2">
              <p id="section-3.3.2-8.2.1">shall only send <code>client_id</code> and <code>request_uri</code> request parameters to the authorization endpoint (all other authorization request parameters are sent in the pushed authorization request according to <span>[<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#RFC9126" class="cite xref">RFC9126</a>]</span>);<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-3.3.2-8.2.1" class="pilcrow">¶</a></p>
</li>
          </ul>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="security-considerations">
<section id="section-4">
      <h2 id="name-security-considerations">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-4" class="section-number selfRef">4. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-security-considerations" class="section-name selfRef">Security Considerations</a>
    </h2>
</section>
</div>
<div id="iana-considerations">
<section id="section-5">
      <h2 id="name-iana-considerations">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-5" class="section-number selfRef">5. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-5-1">This document has no IANA actions.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-5-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="sec-normative-references">
<section id="section-6">
      <h2 id="name-normative-references">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#section-6" class="section-number selfRef">6. </a><a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-normative-references" class="section-name selfRef">Normative References</a>
      </h2>
<dl class="references">
<dt id="BCP195">[BCP195]</dt>
      <dd>
<div class="refInstance">Best Current Practice 195, <span><<a href="https://www.rfc-editor.org/info/bcp195">https://www.rfc-editor.org/info/bcp195</a>></span>.<br><span>At the time of writing, this BCP comprises the following:</span>
</div>
<div class="refInstance" id="RFC8996">
          <span class="refAuthor">Moriarty, K.</span> and <span class="refAuthor">S. Farrell</span>, <span class="refTitle">"Deprecating TLS 1.0 and TLS 1.1"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 8996</span>, <span class="seriesInfo">DOI 10.17487/RFC8996</span>, <time datetime="2021-03" class="refDate">March 2021</time>, <span><<a href="https://www.rfc-editor.org/info/rfc8996">https://www.rfc-editor.org/info/rfc8996</a>></span>. </div>
<div class="refInstance" id="RFC9325">
          <span class="refAuthor">Sheffer, Y.</span>, <span class="refAuthor">Saint-Andre, P.</span>, and <span class="refAuthor">T. Fossati</span>, <span class="refTitle">"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 9325</span>, <span class="seriesInfo">DOI 10.17487/RFC9325</span>, <time datetime="2022-11" class="refDate">November 2022</time>, <span><<a href="https://www.rfc-editor.org/info/rfc9325">https://www.rfc-editor.org/info/rfc9325</a>></span>. </div>
</dd>
<dd class="break"></dd>
<dt id="NIST.FAL">[NIST.FAL]</dt>
      <dd>
<span class="refTitle">"NIST SP 800-63 Digital Identity Guidelines Federation Assurance Level (FAL)"</span>, <time datetime="2024-08" class="refDate">August 2024</time>, <span><<a href="https://pages.nist.gov/800-63-4/sp800-63c/fal/">https://pages.nist.gov/800-63-4/sp800-63c/fal/</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OpenID">[OpenID]</dt>
      <dd>
<span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Jones, M.</span>, <span class="refAuthor">de Medeiros, B.</span>, and <span class="refAuthor">C. Mortimore</span>, <span class="refTitle">"OpenID Connect Core 1.0 incorporating errata set 2"</span>, <time datetime="2023-12" class="refDate">December 2023</time>, <span><<a href="https://openid.net/specs/openid-connect-core-1_0.html">https://openid.net/specs/openid-connect-core-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OpenID.Discovery">[OpenID.Discovery]</dt>
      <dd>
<span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">E. Jay</span>, <span class="refTitle">"OpenID Connect Discovery 1.0 incorporating errata set 2"</span>, <time datetime="2023-12" class="refDate">December 2023</time>, <span><<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">https://openid.net/specs/openid-connect-discovery-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6749">[RFC6749]</dt>
      <dd>
<span class="refAuthor">Hardt, D., Ed.</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework"</span>, <span class="seriesInfo">RFC 6749</span>, <span class="seriesInfo">DOI 10.17487/RFC6749</span>, <time datetime="2012-10" class="refDate">October 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6749">https://www.rfc-editor.org/rfc/rfc6749</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6750">[RFC6750]</dt>
      <dd>
<span class="refAuthor">Jones, M.</span> and <span class="refAuthor">D. Hardt</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework: Bearer Token Usage"</span>, <span class="seriesInfo">RFC 6750</span>, <span class="seriesInfo">DOI 10.17487/RFC6750</span>, <time datetime="2012-10" class="refDate">October 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6750">https://www.rfc-editor.org/rfc/rfc6750</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6797">[RFC6797]</dt>
      <dd>
<span class="refAuthor">Hodges, J.</span>, <span class="refAuthor">Jackson, C.</span>, and <span class="refAuthor">A. Barth</span>, <span class="refTitle">"HTTP Strict Transport Security (HSTS)"</span>, <span class="seriesInfo">RFC 6797</span>, <span class="seriesInfo">DOI 10.17487/RFC6797</span>, <time datetime="2012-11" class="refDate">November 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6797">https://www.rfc-editor.org/rfc/rfc6797</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7636">[RFC7636]</dt>
      <dd>
<span class="refAuthor">Sakimura, N., Ed.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Agarwal</span>, <span class="refTitle">"Proof Key for Code Exchange by OAuth Public Clients"</span>, <span class="seriesInfo">RFC 7636</span>, <span class="seriesInfo">DOI 10.17487/RFC7636</span>, <time datetime="2015-09" class="refDate">September 2015</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc7636">https://www.rfc-editor.org/rfc/rfc7636</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8252">[RFC8252]</dt>
      <dd>
<span class="refAuthor">Denniss, W.</span> and <span class="refAuthor">J. Bradley</span>, <span class="refTitle">"OAuth 2.0 for Native Apps"</span>, <span class="seriesInfo">BCP 212</span>, <span class="seriesInfo">RFC 8252</span>, <span class="seriesInfo">DOI 10.17487/RFC8252</span>, <time datetime="2017-10" class="refDate">October 2017</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8252">https://www.rfc-editor.org/rfc/rfc8252</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8414">[RFC8414]</dt>
      <dd>
<span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Sakimura, N.</span>, and <span class="refAuthor">J. Bradley</span>, <span class="refTitle">"OAuth 2.0 Authorization Server Metadata"</span>, <span class="seriesInfo">RFC 8414</span>, <span class="seriesInfo">DOI 10.17487/RFC8414</span>, <time datetime="2018-06" class="refDate">June 2018</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8414">https://www.rfc-editor.org/rfc/rfc8414</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8725">[RFC8725]</dt>
      <dd>
<span class="refAuthor">Sheffer, Y.</span>, <span class="refAuthor">Hardt, D.</span>, and <span class="refAuthor">M. Jones</span>, <span class="refTitle">"JSON Web Token Best Current Practices"</span>, <span class="seriesInfo">BCP 225</span>, <span class="seriesInfo">RFC 8725</span>, <span class="seriesInfo">DOI 10.17487/RFC8725</span>, <time datetime="2020-02" class="refDate">February 2020</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8725">https://www.rfc-editor.org/rfc/rfc8725</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9126">[RFC9126]</dt>
      <dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Tonge, D.</span>, and <span class="refAuthor">F. Skokan</span>, <span class="refTitle">"OAuth 2.0 Pushed Authorization Requests"</span>, <span class="seriesInfo">RFC 9126</span>, <span class="seriesInfo">DOI 10.17487/RFC9126</span>, <time datetime="2021-09" class="refDate">September 2021</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9126">https://www.rfc-editor.org/rfc/rfc9126</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9207">[RFC9207]</dt>
      <dd>
<span class="refAuthor">Meyer zu Selhausen, K.</span> and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"OAuth 2.0 Authorization Server Issuer Identification"</span>, <span class="seriesInfo">RFC 9207</span>, <span class="seriesInfo">DOI 10.17487/RFC9207</span>, <time datetime="2022-03" class="refDate">March 2022</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9207">https://www.rfc-editor.org/rfc/rfc9207</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9449">[RFC9449]</dt>
      <dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof of Possession (DPoP)"</span>, <span class="seriesInfo">RFC 9449</span>, <span class="seriesInfo">DOI 10.17487/RFC9449</span>, <time datetime="2023-09" class="refDate">September 2023</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9449">https://www.rfc-editor.org/rfc/rfc9449</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9525">[RFC9525]</dt>
      <dd>
<span class="refAuthor">Saint-Andre, P.</span> and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"Service Identity in TLS"</span>, <span class="seriesInfo">RFC 9525</span>, <span class="seriesInfo">DOI 10.17487/RFC9525</span>, <time datetime="2023-11" class="refDate">November 2023</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9525">https://www.rfc-editor.org/rfc/rfc9525</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9700">[RFC9700]</dt>
    <dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Labunets, A.</span>, and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"Best Current Practice for OAuth 2.0 Security"</span>, <span class="seriesInfo">BCP 240</span>, <span class="seriesInfo">RFC 9700</span>, <span class="seriesInfo">DOI 10.17487/RFC9700</span>, <time datetime="2025-01" class="refDate">January 2025</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9700">https://www.rfc-editor.org/rfc/rfc9700</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</div>
<div id="acknowledgments">
<section id="appendix-A">
      <h2 id="name-acknowledgments">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
      </h2>
<p id="appendix-A-1">TODO acknowledge.<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#appendix-A-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-B">
      <h2 id="name-authors-address">
<a href="https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html#name-authors-address" class="section-name selfRef">Author's Address</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Aaron Parecki</span></div>
<div dir="auto" class="left"><span class="org">Okta</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:aaron@parecki.com" class="email">aaron@parecki.com</a>
</div>
</address>
</section>
</div>
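<script>
// Collapsible table of contents for the rendered draft.
// Clicking the TOC heading toggles the "active" class on #toc (presumably
// consumed by the page stylesheet to show/hide the list — see the CSS in
// <head>); clicking anywhere inside the TOC's <nav> collapses it again.
// Each lookup is guarded so that a page without a #toc element, or a #toc
// lacking the expected <h2>/<nav> children, leaves the script a no-op
// instead of raising a TypeError on page load.
const toc = document.getElementById("toc");
if (toc) {
  const tocHeading = toc.querySelector("h2");
  if (tocHeading) {
    tocHeading.addEventListener("click", () => {
      toc.classList.toggle("active");
    });
  }
  const tocNav = toc.querySelector("nav");
  if (tocNav) {
    tocNav.addEventListener("click", () => {
      toc.classList.remove("active");
    });
  }
}
</script>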


</body></html>