This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[OpenID Connect] supports [{$pagename}]s ([SIOP]): personal, self-hosted [OpenID Connect Providers] that issue [self-signed] [Id_tokens] using the special [Issuer Identifier|Iss] https://self-issued.me. The [{$pagename}] [messages] used to communicate with [{$pagename}]s are mostly the same as those used to communicate with other [OpenID Connect Providers]. [{$pagename}] is defined in [OpenID Connect Core 1.0].
%%error
The following sites will be hosted on an experimental basis. [Production Implementations] should not take a dependency upon it without a subsequent commitment by the [OpenID Foundation] to host the site in a manner intended for [Production tier] use.
%%
!! [{$pagename}] [Discovery|OpenID Connect Discovery]
If the input identifier for the discovery process contains the domain self-issued.me, dynamic discovery is not performed. Instead, the following static configuration values are used: ([https://self-issued.me/.well-known/openid-configuration|https://self-issued.me/.well-known/openid-configuration|target='_blank'])
{{{
{
  "authorization_endpoint": "openid:",
  "issuer": "https://self-issued.me",
  "scopes_supported": ["openid", "profile", "email", "address", "phone"],
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256"]
}
}}}
%%information
The [OpenID Foundation] plans to host the OpenID Provider site [https://self-issued.me/|https://self-issued.me/|target='_blank'], including its [WebFinger] service, so that performing discovery on it returns the above static discovery information, enabling RPs to not need any special processing for discovery of the Self-Issued OP. This site will be hosted on an experimental basis. [Production Implementations] should not take a dependency upon it without a subsequent commitment by the [OpenID Foundation] to host the site in a manner intended for [Production tier] use.
%%
!! [{$pagename}] [Registration]
When using a Self-Issued OP, registration is not required. The [OAuth Client] can proceed without registration as if it had registered with the OP and obtained the following [OAuth 2.0 Client Registration] Response:
{{{
client_id                   redirect_uri value of the Client
client_secret_expires_at    0
}}}
%%information
The [OpenID Foundation] plans to host the (stateless) endpoint [https://self-issued.me/registration/1.0/|https://self-issued.me/registration/1.0/|target='_blank'] that returns the response above, enabling RPs to not need any special processing for registration with the Self-Issued OP.
%%
!! [{$pagename}] [Response]
The Self-Issued OpenID Provider response is the same as the normal [Implicit Flow] response with the following refinements. Since it is an Implicit Flow response, the response parameters will be returned in the URL fragment component, unless a different Response Mode was specified.
* The [iss] (issuer) Claim Value is https://self-issued.me.
* A [sub_jwk] Claim is present, with its value being the public key used to check the signature of the ID Token.
* The [sub] (subject) Claim value is the base64url encoded representation of the [thumbprint] of the key in the [sub_jwk] Claim. This thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member names crv, kty, x, and y are present in that order. Note that this thumbprint calculation is the same as that defined in the JWK Thumbprint [JWK.Thumbprint] specification.
* No [Access_token] is returned for accessing a [Userinfo_endpoint], so all [Claims] returned [MUST] be in the [Id_token].
!! More Information
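The Response refinements above, turned into the checks an RP would run on a Self-Issued OP response: pull the id_token out of the URL fragment, confirm iss is https://self-issued.me, confirm a sub_jwk Claim is present, and recompute the JWK thumbprint to confirm that sub is bound to that key. This is an added example, not code from this page or from the OpenID Foundation. The JWK members, the redirect URL https://client.example/cb, the state and nonce values and the signature are constructed placeholders (the modulus is not a real RSA key), and the signature verification against sub_jwk, which the RP must still perform with a JOSE library, is not shown.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

SELF_ISSUED_ISS = "https://self-issued.me"

# Members that go into the thumbprint input for each key type, already in the
# lexicographic order the Response section above spells out (RFC 7638).
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk_octets(jwk: dict) -> bytes:
    """UTF-8 octets of the JWK reduced to its required members, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    try:
        canonical = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"sub_jwk lacks required member {missing}")
    # sort_keys plus compact separators yields exactly the required form.
    return json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), which is what the SIOP sub Claim must equal."""
    return b64url_encode(hashlib.sha256(canonical_jwk_octets(jwk)).digest())


def claims_from_fragment(redirect_url: str) -> dict:
    """Take id_token from the Implicit Flow fragment and decode its payload (no signature check)."""
    params = parse_qs(urlsplit(redirect_url).fragment, strict_parsing=True)
    id_token = params["id_token"][0]
    _header_b64, payload_b64, _signature_b64 = id_token.split(".")
    return json.loads(b64url_decode(payload_b64))


def check_self_issued_claims(claims: dict) -> list:
    """Return the SIOP-specific problems found; an empty list means these checks pass."""
    problems = []
    if claims.get("iss") != SELF_ISSUED_ISS:
        problems.append("iss is not https://self-issued.me")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub_jwk, dict):
        problems.append("sub_jwk claim is missing")
        return problems
    try:
        expected_sub = jwk_thumbprint(sub_jwk)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if claims.get("sub") != expected_sub:
        problems.append("sub is not the thumbprint of sub_jwk")
    return problems


# Constructed sample key: placeholder strings, not a usable RSA key. The "use"
# member is deliberately present to show it is excluded from the thumbprint.
SAMPLE_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB", "use": "sig"}
SAMPLE_CLAIMS = {
    "iss": SELF_ISSUED_ISS,
    "sub": jwk_thumbprint(SAMPLE_JWK),
    "sub_jwk": SAMPLE_JWK,
    "aud": "https://client.example/cb",  # constructed RP redirect_uri (= client_id)
    "nonce": "n-0S6_WzA2Mj",              # constructed value
}


def sample_redirect_url() -> str:
    """Build a constructed Implicit Flow redirect with the id_token in the fragment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode("utf-8"))
    payload = b64url_encode(json.dumps(SAMPLE_CLAIMS).encode("utf-8"))
    signature = b64url_encode(b"placeholder-signature")  # not a real signature
    return f"https://client.example/cb#id_token={header}.{payload}.{signature}&state=af0ifjsldkj"


if __name__ == "__main__":
    claims = claims_from_fragment(sample_redirect_url())
    print("sub:", claims["sub"])
    print("problems:", check_self_issued_claims(claims))
    print("tampered sub:", check_self_issued_claims(dict(claims, sub="someone-else")))
```

Because only the required members feed the hash, extra members such as use or kid in sub_jwk do not change sub; a sub that does not match the thumbprint means the token's subject is not bound to the key it carries, and the RP should reject it rather than fall back to any other identifier.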
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Self-Issued OpenID Provider|https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued|target='_blank'] - based on information obtained 2019-10-14