Skip to content

Describe Client Authentication with Automatic Registration #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
selfissued merged 6 commits into from
Sep 3, 2025
Merged

Describe Client Authentication with Automatic Registration #232

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3137fda
Describe Client Authentication with Automatic Registration
selfissued Jun 29, 2025
701a751
Also talk about OP metadata
selfissued Jun 30, 2025
971880c
Applied Guiseppe's suggestion
selfissued Jul 1, 2025
d5e0650
Merge branch 'main' into mbj-auto-client-auth
selfissued Jul 15, 2025
4ecea55
Use token_endpoint_auth_methods_supported for all AS endpoints
selfissued Sep 2, 2025
ab069fb
Resolved merge conflict
selfissued Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 32 additions & 1 deletion openid-federation-1_0.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@
</address>
</author>

<date day="30" month="August" year="2025"/>
<date day="1" month="September" year="2025"/>

<workgroup>OpenID Connect Working Group</workgroup>

Expand Down Expand Up @@ -6355,6 +6355,33 @@ HTTP/1.1 302 Found
]]></artwork>
</figure>
</section>

<section title="Automatic Registration and Client Authentication"
anchor="AutoClientAuth">
<t>
Note that when using Automatic Registration,
the client authentication methods that the client can use
are declared to the OP using RP Metadata parameters: either the
<spanx style="verb">token_endpoint_auth_methods_supported</spanx>
parameter defined in <xref target="OpenID.RP.Choices"/> or the
<spanx style="verb">token_endpoint_auth_method</spanx> parameter.
Those that the OP can use are likewise
declared to the RP using OP Metadata parameters.
However, if there are multiple methods supported by both
the RP and the OP, the OP does not know which one the RP will pick
in advance of it being used,
since this isn't declared at the time the Automatic Registration occurs.
</t>
<t>
OPs SHOULD accept any client authentication method that is mutually supported
and RPs MUST only use mutually supported methods.
Because some OPs may be coded in such a way that
they expect the RP to always the same client authentication method
for subsequent interactions, note that
interoperability may be improved by the RP doing so.
</t>
</section>

<section title="Possible Other Uses of Automatic Registration" anchor="AutomaticRegistrationOtherUses">
<t>
Automatic Registration is designed to be able to be
Expand Down Expand Up @@ -10532,6 +10559,10 @@ Host: op.umu.se
<list style="symbols">
<t>
Corrected location of Constraints in Trust Chain Example figure.
</t>
<t>
Fixed #147: Added a note about client authentication methods
and Automatic Registration.
</t>
</list>
</t>
Expand Down