Table of Contents - X.1285 (05/2025) - OpenID Connect Core 1.0 - Errata Set 2
1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Introduction
7 ID Token
8 Authentication
  8.1 Authentication using the Authorization Code Flow
  8.2 Authentication using the Implicit Flow
  8.3 Authentication using the Hybrid Flow
9 Initiating Login from a Third Party
10 Claims
  10.1 Standard Claims
  10.2 Claims languages and scripts
  10.3 UserInfo Endpoint
  10.4 Requesting Claims using Scope Values
  10.5 Requesting Claims using the "claims" Request Parameter
  10.6 Claim Types
  10.7 Claim Stability and Uniqueness
11 Passing Request Parameters as JWTs
  11.1 Passing a Request Object by Value
  11.2 Passing a Request Object by Reference
  11.3 Validating JWT-Based Requests
12 Self-Issued OpenID Provider
  12.1 Self-Issued OpenID Provider Discovery
  12.2 Self-Issued OpenID Provider Registration
  12.3 Self-Issued OpenID Provider Request
  12.4 Self-Issued OpenID Provider Response
  12.5 Self-Issued ID Token Validation
13 Subject Identifier Types
  13.1 Pairwise Identifier Algorithm
14 Client Authentication
15 Signatures and Encryption
  15.1 Signing
  15.2 Encryption
16 Offline Access
17 Using Refresh Tokens
  17.1 Refresh Request
  17.2 Successful Refresh Response
  17.3 Refresh Error Response
18 Serializations
  18.1 Query String Serialization
  18.2 Form Serialization
  18.3 JSON Serialization
19 String Operations
20 Implementation Considerations
  20.1 Mandatory to Implement Features for All OpenID Providers
  20.2 Mandatory to Implement Features for Dynamic OpenID Providers
  20.3 Discovery and Registration
  20.4 Mandatory to Implement Features for Relying Parties
  20.5 Implementation notes
  20.6 Compatibility notes
  20.7 Related specifications and implementer's guides
21 Security considerations
  21.1 Request disclosure
  21.2 Server masquerading
  21.3 Token manufacture/modification
  21.4 Access Token disclosure
  21.5 Server response disclosure
  21.6 Server response repudiation
  21.7 Request repudiation
  21.8 Access Token redirect
  21.9 Token reuse
  21.10 Eavesdropping or leaking Authorization Codes (secondary Authenticator capture)
  21.11 Token substitution
  21.12 Timing attack
  21.13 Other crypto related attacks
  21.14 Signing and encryption order
  21.15 Issuer identifier
  21.16 Implicit flow threats
  21.17 TLS requirements
  21.18 Lifetimes of Access Tokens and Refresh Tokens
  21.19 Symmetric key entropy
  21.20 Need for signed requests
  21.21 Need for encrypted requests
  21.22 HTTP 307 redirects
  21.23 Custom URI schemes on iOS
22 Privacy considerations
  22.1 Personally Identifiable Information
  22.2 Data access monitoring
  22.3 Correlation
  22.4 Offline access
23 IANA considerations
  23.1 JSON Web Token Claims Registration
  23.2 OAuth parameters registration
  23.3 OAuth extensions error registration
  23.4 URI scheme registration
Appendix I – Authorization examples
  I.1 Example using response_type=code
  I.2 Example using response_type=id_token
  I.3 Example using response_type=id_token token
  I.4 Example using response_type=code id_token
  I.5 Example using response_type=code token
  I.6 Example using response_type=code id_token token
  I.7 RSA key used in examples
Bibliography