Skip to content

Describe Client Authentication with Automatic Registration #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
selfissued merged 6 commits into from
Sep 3, 2025
Merged

Describe Client Authentication with Automatic Registration #232

Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3137fda
Describe Client Authentication with Automatic Registration
selfissued Jun 29, 2025
701a751
Also talk about OP metadata
selfissued Jun 30, 2025
971880c
Applied Guiseppe's suggestion
selfissued Jul 1, 2025
d5e0650
Merge branch 'main' into mbj-auto-client-auth
selfissued Jul 15, 2025
4ecea55
Use token_endpoint_auth_methods_supported for all AS endpoints
selfissued Sep 2, 2025
ab069fb
Resolved merge conflict
selfissued Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 36 additions & 2 deletions openid-federation-1_0.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@

<front>
<title abbrev="OpenID Federation">OpenID Federation 1.0 -
draft 43
draft 44
</title>

<author fullname="Roland Hedberg" initials="R." role="editor"
Expand Down Expand Up @@ -76,7 +76,7 @@
</address>
</author>

<date day="2" month="June" year="2025"/>
<date day="30" month="June" year="2025"/>

<workgroup>OpenID Connect Working Group</workgroup>

Expand Down Expand Up @@ -6334,6 +6334,30 @@ HTTP/1.1 302 Found
]]></artwork>
</figure>
</section>

<section title="Automatic Registration and Client Authentication"
anchor="AutoClientAuth">
<t>
Note that when using Automatic Registration,
the client authentication methods that the client can use
are declared to the OP using RP Metadata parameters.
Those that the OP can use are likewise
declared to the RP using OP Metadata parameters.
However, if there are multiple methods supported by both
the RP and the OP, the OP does not know which one the RP will pick
in advance of it being used,
since this isn't declared at the time the Automatic Registration occurs.
</t>
<t>
OPs SHOULD accept any client authentication method that is mutually supported
and RPs SHOULD only use mutually supported methods.
Because some OPs may be coded in such a way that
they expect the RP to always the same client authentication method
for subsequent interactions, note that
interoperability may be improved by the RP doing so.
</t>
</section>

<section title="Possible Other Uses of Automatic Registration" anchor="AutomaticRegistrationOtherUses">
<t>
Automatic Registration is designed to be able to be
Expand Down Expand Up @@ -10506,6 +10530,16 @@ Host: op.umu.se
<section anchor="History" title="Document History">
<t>[[ To be removed from the final specification ]]</t>

<t>
-44
<list style="symbols">
<t>
Fixed #147: Added a note about client authentication methods
and Automatic Registration.
</t>
</list>
</t>

<t>
-43
<list style="symbols">
Expand Down