Self-Issued OpenID Provider

Overview#

Self-Issued OpenID Provider (SIOP) is the OpenID Connect mechanism that supports personal, self-hosted OpenID Connect Providers which issue self-signed Id_tokens using the special Issuer Identifier https://self-issued.me.

The messages used to communicate with Self-Issued OpenID Providers are mostly the same as those used to communicate with other OpenID Connect Providers.

Self-Issued OpenID Provider is defined in Section 7 of OpenID Connect Core 1.0.

The self-issued.me sites referred to below are hosted on an experimental basis. Production implementations should not take a dependency upon them without a subsequent commitment by the OpenID Foundation to host the site in a manner intended for production-tier use.

Self-Issued OpenID Provider Discovery#

If the input identifier for the discovery process contains the domain self-issued.me, dynamic discovery is not performed. Instead, the following static configuration values are used (published at https://self-issued.me/.well-known/openid-configuration):

{
  "authorization_endpoint": "openid:",
  "issuer": "https://self-issued.me",
  "scopes_supported": ["openid", "profile", "email", "address", "phone"],
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256"]
}
The OpenID Foundation plans to host the OpenID Provider site https://self-issued.me/, including its WebFinger service, so that performing discovery on it returns the static discovery information above and RPs need no special processing for discovery of the Self-Issued OP. As noted in the Overview, this site is hosted on an experimental basis only; production implementations should not take a dependency upon it without a subsequent commitment by the OpenID Foundation to host it in a manner intended for production-tier use.

Self-Issued OpenID Provider Registration#

When using a Self-Issued OP, registration is not required. The OAuth Client can proceed without registration as if it had registered with the OP and obtained the following OAuth 2.0 Client Registration Response:
  • client_id: the redirect_uri value of the Client.
  • client_secret_expires_at: 0
The OpenID Foundation plans to host the (stateless) endpoint https://self-issued.me/registration/1.0/ that returns the response above, so that RPs need no special processing for registration with the Self-Issued OP.

Self-Issued OpenID Provider Response#

The Self-Issued OpenID Provider response is the same as the normal Implicit Flow response with the following refinements. Since it is an Implicit Flow response, the response parameters will be returned in the URL fragment component, unless a different Response Mode was specified.
  • The iss (issuer) Claim Value is https://self-issued.me.
  • A sub_jwk Claim is present, with its value being the public key used to check the signature of the ID Token.
  • The sub (subject) Claim value is the base64url encoded representation of the thumbprint of the key in the sub_jwk Claim. This thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member names crv, kty, x, and y are present in that order. This thumbprint calculation is the same as that defined in the JWK Thumbprint specification (RFC 7638). The RP must recompute the thumbprint from sub_jwk and compare it with sub: the key that verifies the signature is carried inside the token itself, so this comparison is what stops a token signed with some other key from asserting another user's subject identifier.
  • No Access_token is returned for accessing a Userinfo_endpoint, so all Claims returned MUST be in the Id_token.
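The thumbprint computation described in the sub bullet and the checks an RP has to make on the response are shown together below as an added example in Python; it is not code from the OpenID Connect specification or from the OpenID Foundation's self-issued.me site. It uses only the standard library, so a toy RSA/RS256 implementation (a 1024-bit key generated at run time, for illustration only) stands in for the JOSE library a real RP would use; RS256 is the algorithm because it is the only signing algorithm the static discovery document lists. The redirect URI https://rp.example/cb, the nonce and the email claim are made-up values. Because registration gave the RP a client_id equal to its redirect_uri, that is the value the aud check compares against.

```python
"""RP-side validation of a Self-Issued OP ID Token: added example, standard library only.
A toy RSA/RS256 (1024-bit key made at run time, demo only) replaces a real JOSE library.
All URLs, nonces and claim values used with it are made up."""
import base64, hashlib, json, random, time

SELF_ISSUED_ISS = "https://self-issued.me"      # static issuer from the discovery document
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_to_b64u(i: int) -> str:
    return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: REQUIRED members only, lexicographic order, no whitespace, SHA-256, base64url."""
    canon = json.dumps({m: jwk[m] for m in REQUIRED[jwk["kty"]]}, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canon.encode("utf-8")).digest())

# --- toy RSA / RS256 (PKCS#1 v1.5 + SHA-256); never use this in place of a real library ---
def _is_probable_prime(n: int, rounds: int = 32) -> bool:   # Miller-Rabin; n is always >= 2**511 here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits: int = 1024):   # returns (n, e, d); far too small for real use, demo only
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)

# --- Self-Issued OP side: sign with its own key and carry that key in sub_jwk ---
def siop_issue_id_token(n: int, e: int, d: int, aud: str, nonce: str, extra: dict = None) -> str:
    sub_jwk = {"kty": "RSA", "n": int_to_b64u(n), "e": int_to_b64u(e)}
    now = int(time.time())
    claims = {"iss": SELF_ISSUED_ISS, "sub": jwk_thumbprint(sub_jwk), "sub_jwk": sub_jwk, "aud": aud,
              "nonce": nonce, "iat": now, "exp": now + 600, **(extra or {})}   # extra wins: lets a test forge sub
    header = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode("ascii"))
    signing_input = header + "." + b64u(json.dumps(claims, separators=(",", ":")).encode("ascii"))
    return signing_input + "." + b64u(rs256_sign(signing_input.encode("ascii"), n, d))

# --- RP side: the checks the response section above requires; raises ValueError on any failure ---
def validate_siop_id_token(token: str, client_id: str, nonce: str, now: int = None) -> dict:
    h64, p64, s64 = token.split(".")                  # ValueError unless exactly three parts
    header, claims = json.loads(b64u_decode(h64)), json.loads(b64u_decode(p64))
    if header.get("alg") != "RS256":                  # the only alg in the static discovery document
        raise ValueError("unsupported alg")
    if claims.get("iss") != SELF_ISSUED_ISS:
        raise ValueError("iss is not the Self-Issued issuer")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub_jwk, dict) or sub_jwk.get("kty") != "RSA" or not all(m in sub_jwk for m in ("n", "e")):
        raise ValueError("sub_jwk missing or not an RSA public key")
    if claims.get("sub") != jwk_thumbprint(sub_jwk):  # binds sub to the key that will verify the signature
        raise ValueError("sub does not match the thumbprint of sub_jwk")
    n, e = (int.from_bytes(b64u_decode(sub_jwk[m]), "big") for m in ("n", "e"))
    if not rs256_verify((h64 + "." + p64).encode("ascii"), b64u_decode(s64), n, e):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):   # client_id is the RP's redirect_uri
        raise ValueError("aud does not contain this client_id")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("ID Token expired")
    return claims                                     # no UserInfo call is possible: these claims are all there is
```

jwk_thumbprint can be checked against the test vector in Section 3.1 of RFC 7638. Two of the checks are specific to the self-issued case: the signature proves only that the signer held the key in sub_jwk, since that key travels inside the token, so the thumbprint comparison is what prevents a different key holder from re-signing a token that carries someone else's sub; and because no access token and no UserInfo endpoint exist, whatever claims are not in the ID Token are simply not available, so the RP has to request them in the authentication request rather than fetch them later.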
