Ideas for OpenID Connect Metadata
/*
* DISCLAIMER: Currently this is in the "brainstorming" phase.
* I'm adding properties as I read through the spec.
*
* Author: Andreas Åkre Solberg, andreas.solberg@uninett.no - http://rnd.feide.no
*/
/*
* TODO: How to handle the combination of local configuration (in metadata) with public information,
* and possibly also assertions about an entity made by a third party.
* The metadata document may probably be separated into up to three parts, with rules defined for how to merge them.
*/
/*
* Typical example of Metadata for an OpenID Connect Consumer
*/
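// Sample metadata document for an OpenID Connect Consumer (client / relying party).
// All values are illustrative; the shape of the document is the point.
// Fixes against the first draft: `formats` was written as `{'json', 'jwt'}`, which is
// not valid syntax for a list, and two commas were missing (after `session_management`
// and after `outgoing_signature`).
var consumer1 = {
    // Human-readable description of the service, intended for display to end users.
    'descr': {
        'name': 'A Sample Service',
        'descr': 'A Cool service that allows users to do cool stuff.',
        'privacy_url': 'https://consumer.example.org/privacy.html',
        'icon': 'https://consumer.example.org/logo',
        'support': {
            'email': 'support@example.org',
            'web': 'https://consumer.example.org/helpdesk'
        }
    },
    // Where this metadata document itself is published, and in which formats.
    'metadata': {
        'endpoint': 'https://consumer.example.org/',
        'formats': ['json', 'jwt']
    },
    // Client identifier. MUST be URI.
    'client_id': 'https://consumer.example.org',
    // Redirection URL, to receive responses using the HTTP redirect binding.
    'redirection_url': 'https://consumer.example.org/callback',
    'request_object': {
        'supported': true,
        'supported_members': []
    },
    // If an entity includes this property, it indicates support of the
    // OpenID Connect Session Management specification.
    'session_management': {
        // Which audiences this consumer is trusted to be part of.
        'id_token_audience': ['https://example.org'],
        // Which members of the ID Token JWT this client accepts, beyond what is defined
        // in the 1.0 version of the spec. A provider should never send members that are
        // neither part of the spec nor listed here.
        'id_token_supported_members': []
    },
    // User Info Supported Schemas
    'userinfo': {
        'supported_schemas': ['openid', 'shac', 'eduPerson'],
        'support_aggregated_claims': true,
        'support_distributed_claims': false
    },
    // Token types supported, as mentioned in OAuth 2.0 Section 7.1.
    'supported_token_types': ['jwt', 'basic'],
    // This part is very incomplete at the moment.
    'crypto': {
        'requires_signature': true,
        'outgoing_signature': {
            // HMAC algorithms, i.e. a symmetric key is used for signing.
            'algs': ['HS256', 'HS512'],
            // Sample value only. A symmetric secret belongs in the local (private) part of
            // the configuration; it must never be carried in the part of the metadata
            // document that is published or fetched by third parties.
            'secret': '2837462398482098A78923647896B23432FDE3239'
        },
        // Key name kept as spelled in the original draft.
        'incomming_encryption': {
            // Public keys in the format specified in the:
            // JSON Web Key (JWK) draft-jones-json-web-key-01
            // http://self-issued.info/docs/draft-jones-json-web-key.html
            'keyvalues': [
                {
                    "algorithm": "EC",
                    "curve": "P-256",
                    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
                    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
                    "use": "encryption",
                    "keyid": "1"
                },
                {
                    "algorithm": "RSA",
                    "modulus": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cb......awapJzKnqDKgw",
                    "exponent": "AQAB",
                    "keyid": "2011-04-29"
                }
            ]
        }
    },
    // How this client can authenticate at the OAuth Token endpoint.
    'client_authentication': {
        'basic': {
            // Sample value only; same caveat as outgoing_signature.secret above.
            'secret': '1237981273981273981273A293874B230DF'
        },
        // NOTE(review): presumably "method listed but not configured" — confirm intended meaning of null here.
        'jwt': null
    }
};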
/*
* Typical example of Metadata for an OpenID Connect Provider
*/
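// Sample metadata document for an OpenID Connect Provider (issuer).
// All values are illustrative; the shape of the document is the point.
// Fixes against the first draft: `formats` was written as `{'json', 'jwt'}`, which is
// not valid syntax for a list; a comma was missing after `token`; the provider's own
// metadata endpoint pointed at the consumer host; and the userinfo endpoint used plain HTTP.
var provider1 = {
    // Provider Identifier (JWT Issuer Identifier) - REQUIRED
    'iss': 'https://provider.example.org',
    // Where this metadata document itself is published, and in which formats.
    'metadata': {
        // The provider's own metadata location (not the consumer's).
        'endpoint': 'https://provider.example.org/',
        'formats': ['json', 'jwt']
    },
    // Authorization endpoints - REQUIRED
    'authorization': {
        'endpoint': 'https://provider.example.org/auth',
        'request_object': {
            'supported': true,
            'required': false,
            'supported_members': []
        },
        // Supported Response types. - OPTIONAL
        'supported_response_types': ['code', 'token', 'id_token']
    },
    // Token endpoint - REQUIRED
    'token': {
        'endpoint': 'https://provider.example.org/token'
    },
    // User Info endpoint - OPTIONAL
    // Omitting this property indicates that the provider does not support the
    // User Info service.
    'userinfo': {
        // HTTPS like every other endpoint: the access token is presented here as a
        // bearer token and the response carries the user's claims, so a plaintext
        // endpoint would expose both on the wire.
        'endpoint': 'https://provider.example.org/userinfo',
        // User Info Supported Schemas - OPTIONAL
        'supported_schemas': ['openid', 'shac', 'eduPerson'],
        'support_aggregated_claims': true,
        'support_distributed_claims': false
    },
    'crypto': {
        'supported_algs': ['HS256', 'HS512']
    },
    // If an entity includes this property, it indicates support of the
    // OpenID Connect Session Management specification.
    'session_management': {
        // By listing endpoint types here, indicate support for the specific parts of
        // the session management spec.
        'refresh_session_endpoint': 'https://provider.example.org/session/refresh',
        'check_session_endpoint': 'https://provider.example.org/session/check',
        'end_session_endpoint': 'https://provider.example.org/session/end',
        // Which members of the ID Token JWT this provider accepts, beyond what is defined
        // in the 1.0 version of the spec. A provider should never send members that are
        // neither part of the spec nor listed here.
        'id_token_supported_members': [],
        'supported_formats': ['json', 'jwt']
    },
    // Presence of this property indicates that the provider supports dynamic client registration.
    'client_registration': {
        'endpoint': 'https://provider.example.org/register'
    }
};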