Ideas for OpenID Connect Metadata

openidconnect-metadata.js

/*
 * DISCLAIMER: Currently this is in the "brainstorming" phase..
 *  I'm adding properties as I read through the spec.
 *
 * Author: Andreas Åkre Solberg, andreas.solberg@uninett.no - http://rnd.feide.no
 */


/*
 * TODO: How to handle the combination of local confiration  (in metaata) with public information
 * And possibly also assertions about an entity asserted by a third party.
 * Probably the metadata document may be separated into up to three parts, and then define rules for how to merge.
 */


/*
 * Typical example of Metadata for an OpenID Connect Consumer
 */
consumer1 = {
	
	'descr': {
		'name': 'A Sample Service',
		'descr': 'A Cool service that allows users to do cool stuff.',
		'privacy_url': 'https://consumer.example.org/privacy.html',
		'icon': 'https://consumer.example.org/logo',
		'support': {
			'email': 'support@example.org',
			'web': 'https://consumer.example.org/helpdesk'
		}
	},
	
	'metadata': {
		'endpoint': 'https://consumer.example.org/',
		'formats': {'json', 'jwt'}
	},
	
	// Client identifier. MUST be URI.
	'client_id': 'https://consumer.example.org',
	
	// Redirection URL, to receive responses using the HTTP redirect binding.
	'redirection_url': 'https://consumer.example.org/callback',
	
	'request_object': {
		'supported': true,
		'supported_members': []
	},
	
	// If an entity includes this property, it indicates support of the
	// OpenID Connect Session Management specification.
	'session_management': {

		// Which audiences is this consumer trusted to be part of.
		'id_token_audience': ['https://example.org'],

		// which members of the ID Token JWT does this client accept, beyond what is defined 
		// in the 1.0 versino of the spec. Provider shoud never send members that are not part
		// of the spec nor listed here.
		'id_token_supported_members': []
		
	}
	
	
	// User Info Supported Schemas 
	'userinfo': {
		'supported_schemas': ['openid', 'shac', 'eduPerson'],
		'support_aggregated_claims': true,
		'support_distributed_claims': false
	},

	
	
	// Token types supported, as mentioned in OAuth 2.0 Section 7.1.
	'supported_token_types': ['jwt', 'basic'],
	

	// This part is very incomplete at the moment.
	'crypto': {
		'requires_signature': true,
		'outgoing_signature': {
			'algs': ['HS256', 'HS512'],
			'secret': '2837462398482098A78923647896B23432FDE3239'
		}
		'incomming_encryption': {
			// Public keys in the format specified in the:
			// JSON Web Key (JWK) draft-jones-json-web-key-01
			//  http://self-issued.info/docs/draft-jones-json-web-key.html
			'keyvalues': [
				{
					"algorithm":"EC",
					"curve":"P-256",
					"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
					"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
					"use":"encryption",
					"keyid":"1"
				},
				{
					"algorithm":"RSA",
					"modulus": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cb......awapJzKnqDKgw",
					"exponent":"AQAB",
					"keyid":"2011-04-29"
				}
		   ]
		}
	},
	
	// How can this client authenticate on the OAuth Token endpoint.
	'client_authentication': {
		'basic': {
			'secret': '1237981273981273981273A293874B230DF'
		},
		'jwt': null
	}
	
};

/*
 * Typical example of Metadata for an OpenID Connect Provider
 */
provider1 = {

	// Provider Identifer (JWT Issuer Identifier) - REQUIRED
	'iss': 'https://provider.example.org',
	
	'metadata': {
		'endpoint': 'https://consumer.example.org/',
		'formats': {'json', 'jwt'}
	},
	
	// Authorization endpoints - REQUIRED
	'authorization': {
		'endpoint': 'https://provider.example.org/auth',
		'request_object': {
			'supported': true,
			'required': false,
			'supported_members': []
		},
		// Supported Response types. - OPTIONAL
		'supported_response_types': ['code', 'token', 'id_token'],
	},
	
	// Token endpoint - REQUIRED
	'token': {
		'endpoint':	'https://provider.example.org/token',
	}
	
	// User Info endpoint - OPTIONAL
	// Not including this property, does indicate that the provider does not support the 
	//  User Info service.

	'userinfo': {
		'endpoint':  'http://provider.example.org/userinfo',
		// User Info Supported Schemas - OPTIONAL
		'supported_schemas': ['openid', 'shac', 'eduPerson'],
		'support_aggregated_claims': true,
		'support_distributed_claims': false

	},

	'crypto': {
		'supported_algs': ['HS256', 'HS512']
	},
	
	// If an entity includes this property, it indicates support of the
	// OpenID Connect Session Management specification.
	'session_management': {
		
		// By listing endpoint types here, indicate support for the specific parts of
		// the session management spec.
		'refresh_session_endpoint': 'https://provider.example.org/session/refresh',
		'check_session_endpoint': 'https://provider.example.org/session/check',
		'end_session_endpoint': 'https://provider.example.org/session/end',

		// which members of the ID Token JWT does this client accept, beyond what is defined 
		// in the 1.0 versino of the spec. Provider shoud never send members that are not part
		// of the spec nor listed here.
		'id_token_supported_members': [],
		
		'supported_formats': ['json', 'jwt']
		
	},
	
	// Presence of this property indicates that the provider supports dynamic client registration.
	'client_registration': {
		'endpoint': 'https://provider.example.org/register'
	}
	
	

};