Ideas for OpenID Connect Metadata
/* | |
* DISCLAIMER: Currently this is in the "brainstorming" phase.. | |
* I'm adding properties as I read through the spec. | |
* | |
* Author: Andreas Åkre Solberg, andreas.solberg@uninett.no - http://rnd.feide.no | |
*/ | |
/* | |
* TODO: How to handle the combination of local configuration (in metadata) with public information,
* And possibly also assertions about an entity asserted by a third party. | |
* Probably the metadata document may be separated into up to three parts, and then define rules for how to merge. | |
*/ | |
/* | |
* Typical example of Metadata for an OpenID Connect Consumer | |
*/ | |
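var consumer1 = {
  // Human-readable description of the service, intended for display to end users.
  'descr': {
    'name': 'A Sample Service',
    'descr': 'A Cool service that allows users to do cool stuff.',
    'privacy_url': 'https://consumer.example.org/privacy.html',
    'icon': 'https://consumer.example.org/logo',
    'support': {
      'email': 'support@example.org',
      'web': 'https://consumer.example.org/helpdesk'
    }
  },
  // Where this metadata document itself is served, and in which formats.
  'metadata': {
    'endpoint': 'https://consumer.example.org/',
    // An array, not a set-style `{'json', 'jwt'}` literal (which is not valid
    // syntax); same shape as `supported_formats` in the provider example.
    'formats': ['json', 'jwt']
  },
  // Client identifier. MUST be URI.
  'client_id': 'https://consumer.example.org',
  // Redirection URL, to receive responses using the HTTP redirect binding.
  // A provider should only ever redirect to the exact URL registered here.
  'redirection_url': 'https://consumer.example.org/callback',
  'request_object': {
    'supported': true,
    'supported_members': []
  },
  // If an entity includes this property, it indicates support of the
  // OpenID Connect Session Management specification.
  'session_management': {
    // Which audiences is this consumer trusted to be part of.
    'id_token_audience': ['https://example.org'],
    // Which members of the ID Token JWT does this client accept, beyond what is
    // defined in the 1.0 version of the spec. The provider should never send
    // members that are neither part of the spec nor listed here.
    'id_token_supported_members': []
  },
  // User Info supported schemas.
  'userinfo': {
    'supported_schemas': ['openid', 'shac', 'eduPerson'],
    'support_aggregated_claims': true,
    'support_distributed_claims': false
  },
  // Token types supported, as mentioned in OAuth 2.0 Section 7.1.
  'supported_token_types': ['jwt', 'basic'],
  // This part is very incomplete at the moment.
  'crypto': {
    'requires_signature': true,
    'outgoing_signature': {
      'algs': ['HS256', 'HS512'],
      // Shared HMAC secret (sample value). Anything under this key is local
      // configuration and must not be published with the rest of the metadata;
      // see the TODO at the top of the file about separating the two.
      'secret': '2837462398482098A78923647896B23432FDE3239'
    },
    // Key name kept as in the original draft (sic: "incomming") so existing
    // readers of this document keep working.
    'incomming_encryption': {
      // Public keys in the format specified in the:
      // JSON Web Key (JWK) draft-jones-json-web-key-01
      // http://self-issued.info/docs/draft-jones-json-web-key.html
      'keyvalues': [
        {
          'algorithm': 'EC',
          'curve': 'P-256',
          'x': 'MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4',
          'y': '4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM',
          'use': 'encryption',
          'keyid': '1'
        },
        {
          'algorithm': 'RSA',
          'modulus': '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cb......awapJzKnqDKgw',
          'exponent': 'AQAB',
          'keyid': '2011-04-29'
        }
      ]
    }
  },
  // How can this client authenticate on the OAuth Token endpoint.
  'client_authentication': {
    'basic': {
      // Client secret (sample value); local configuration, same caveat as above.
      'secret': '1237981273981273981273A293874B230DF'
    },
    // null presumably means "not configured"; the key is kept so the shape is stable.
    'jwt': null
  }
};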
/* | |
* Typical example of Metadata for an OpenID Connect Provider | |
*/ | |
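var provider1 = {
  // Provider Identifier (JWT Issuer Identifier) - REQUIRED
  'iss': 'https://provider.example.org',
  // Where this metadata document itself is served, and in which formats.
  'metadata': {
    // Served from the provider's own origin, matching `iss` (the first draft
    // pointed at consumer.example.org, a copy-paste slip).
    'endpoint': 'https://provider.example.org/',
    // An array, not a set-style literal; same shape as `supported_formats` below.
    'formats': ['json', 'jwt']
  },
  // Authorization endpoint - REQUIRED
  'authorization': {
    'endpoint': 'https://provider.example.org/auth',
    'request_object': {
      'supported': true,
      'required': false,
      'supported_members': []
    },
    // Supported Response types. - OPTIONAL
    'supported_response_types': ['code', 'token', 'id_token']
  },
  // Token endpoint - REQUIRED
  'token': {
    'endpoint': 'https://provider.example.org/token'
  },
  // User Info endpoint - OPTIONAL
  // Not including this property indicates that the provider does not support the
  // User Info service.
  'userinfo': {
    // Always https: the access token is presented to this endpoint, so a plain
    // http URL here would expose it on the wire.
    'endpoint': 'https://provider.example.org/userinfo',
    // User Info Supported Schemas - OPTIONAL
    'supported_schemas': ['openid', 'shac', 'eduPerson'],
    'support_aggregated_claims': true,
    'support_distributed_claims': false
  },
  'crypto': {
    'supported_algs': ['HS256', 'HS512']
  },
  // If an entity includes this property, it indicates support of the
  // OpenID Connect Session Management specification.
  'session_management': {
    // By listing endpoint types here, indicate support for the specific parts of
    // the session management spec.
    'refresh_session_endpoint': 'https://provider.example.org/session/refresh',
    'check_session_endpoint': 'https://provider.example.org/session/check',
    'end_session_endpoint': 'https://provider.example.org/session/end',
    // Which members of the ID Token JWT does this client accept, beyond what is
    // defined in the 1.0 version of the spec. The provider should never send
    // members that are neither part of the spec nor listed here.
    'id_token_supported_members': [],
    'supported_formats': ['json', 'jwt']
  },
  // Presence of this property indicates that the provider supports dynamic client registration.
  'client_registration': {
    'endpoint': 'https://provider.example.org/register'
  }
};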