XML
HTML
Plain text
Registries included below
Specification Required
Hannes Tschofenig
| Name | Additional Endpoint Response Parameters | HTTP Authentication Scheme(s) | Change Controller | Reference |
|---|---|---|---|---|
| Bearer | Bearer | IETF | [RFC6750] |
Specification Required
Hannes Tschofenig
Specification Required
Hannes Tschofenig
| Name | Usage Location | Protocol Extension | Change Controller | Reference |
|---|---|---|---|---|
| invalid_request | resource access error response | bearer access token type | IETF | [RFC6750] |
| invalid_token | resource access error response | bearer access token type | IETF | [RFC6750] |
| insufficient_scope | resource access error response | bearer access token type | IETF | [RFC6750] |
| unsupported_token_type | revocation endpoint error response | token revocation endpoint | IETF | [RFC7009] |
| interaction_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| login_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| session_selection_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| consent_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| invalid_request_uri | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| invalid_request_object | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_uri_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| registration_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
Specification Required
Hannes Tschofenig
| Name | Parameter Usage Location | Change Controller | Reference |
|---|---|---|---|
| client_id | authorization request, token request | IETF | [RFC6749] |
| client_secret | token request | IETF | [RFC6749] |
| response_type | authorization request | IETF | [RFC6749] |
| redirect_uri | authorization request, token request | IETF | [RFC6749] |
| scope | authorization request, authorization response, token request, token response | IETF | [RFC6749] |
| state | authorization request, authorization response | IETF | [RFC6749] |
| code | authorization response, token request | IETF | [RFC6749] |
| error | authorization response, token response | IETF | [RFC6749] |
| error_description | authorization response, token response | IETF | [RFC6749] |
| error_uri | authorization response, token response | IETF | [RFC6749] |
| grant_type | token request | IETF | [RFC6749] |
| access_token | authorization response, token response | IETF | [RFC6749] |
| token_type | authorization response, token response | IETF | [RFC6749] |
| expires_in | authorization response, token response | IETF | [RFC6749] |
| username | token request | IETF | [RFC6749] |
| password | token request | IETF | [RFC6749] |
| refresh_token | token request, token response | IETF | [RFC6749] |
| nonce | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| display | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| prompt | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| max_age | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| ui_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| claims_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| id_token_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| login_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| acr_values | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| claims | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| registration | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_uri | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| id_token | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| session_state | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-session-1_0.html] |
| assertion | token request | IESG | [RFC7521] |
| client_assertion | token request | IESG | [RFC7521] |
| client_assertion_type | token request | IESG | [RFC7521] |
| code_verifier | token request | IESG | [RFC7636] |
| code_challenge | authorization request | IESG | [RFC7636] |
| code_challenge_method | authorization request | IESG | [RFC7636] |
Specification Required with mandatory two-week mailing list review
Unassigned
| Hint Value | Change Controller | Reference |
|---|---|---|
| access_token | IETF | [RFC7009] |
| refresh_token | IETF | [RFC7009] |
Specification Required
Hannes Tschofenig
Prefix: urn:ietf:params:oauth
| URN | Common Name | Change Controller | Reference |
|---|---|---|---|
| urn:ietf:params:oauth:grant-type:jwt-bearer | JWT Bearer Token Grant Type Profile for OAuth 2.0 | IESG | [RFC7523] |
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer | JWT Bearer Token Profile for OAuth 2.0 Client Authentication | IESG | [RFC7523] |
| urn:ietf:params:oauth:grant-type:saml2-bearer | SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 | IESG | [RFC7522] |
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer | SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication | IESG | [RFC7522] |
| urn:ietf:params:oauth:token-type:jwt | JSON Web Token (JWT) Token Type | IESG | [RFC7519] |
Specification Required
Justin Richer
See [RFC7591]for mailing list information.
| Client Metadata Name | Client Metadata Description | Change Controller | Reference |
|---|---|---|---|
| redirect_uris | Array of redirection URIs for use in redirect-based flows | IESG | [RFC7591] |
| token_endpoint_auth_method | Requested authentication method for the token endpoint | IESG | [RFC7591] |
| grant_types | Array of OAuth 2.0 grant types that the client may use | IESG | [RFC7591] |
| response_types | Array of the OAuth 2.0 response types that the client may use | IESG | [RFC7591] |
| client_name | Human-readable name of the client to be presented to the user | IESG | [RFC7591] |
| client_uri | URL of a web page providing information about the client | IESG | [RFC7591] |
| logo_uri | URL that references a logo for the client | IESG | [RFC7591] |
| scope | Space-separated list of OAuth 2.0 scope values | IESG | [RFC7591] |
| contacts | Array of strings representing ways to contact people responsible for this client, typically email addresses | IESG | [RFC7591] |
| tos_uri | URL that points to a human-readable terms of service document for the client | IESG | [RFC7591] |
| policy_uri | URL that points to a human-readable policy document for the client | IESG | [RFC7591] |
| jwks_uri | URL referencing the client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
| jwks | Client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
| software_id | Identifier for the software that comprises a client | IESG | [RFC7591] |
| software_version | Version identifier for the software that comprises a client | IESG | [RFC7591] |
| client_id | Client identifier | IESG | [RFC7591] |
| client_secret | Client secret | IESG | [RFC7591] |
| client_id_issued_at | Time at which the client identifier was issued | IESG | [RFC7591] |
| client_secret_expires_at | Time at which the client secret will expire | IESG | [RFC7591] |
| registration_access_token | OAuth 2.0 Bearer Token used to access the client configuration endpoint | IESG | [RFC7592] |
| registration_client_uri | Fully qualified URI of the client registration endpoint | IESG | [RFC7592] |
| application_type | Kind of the application -- "native" or "web" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| sector_identifier_uri | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| subject_type | subject_type requested for responses to this Client -- "pairwise" or "public" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_signed_response_alg | JWS alg algorithm REQUIRED for signing the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_signed_response_alg | JWS alg algorithm REQUIRED for signing UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_signing_alg | JWS alg algorithm that MUST be used for signing Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_encryption_alg | JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_encryption_enc | JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| token_endpoint_auth_signing_alg | JWS alg algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| default_max_age | Default Maximum Authentication Age | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| require_auth_time | Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| default_acr_values | Default requested Authentication Context Class Reference values | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| initiate_login_uri | URI using the https scheme that a third party can use to initiate a login by the RP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_uris | Array of request_uri values that are pre-registered by the RP for use at the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
Specification Required
Justin Richer
See [RFC7591]for mailing list information.
| Token Endpoint Authentication Method Name | Change Controller | Reference |
|---|---|---|
| none | IESG | [RFC7591] |
| client_secret_post | IESG | [RFC7591] |
| client_secret_basic | IESG | [RFC7591] |
| client_secret_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0] |
| private_key_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0] |
Specification Required
Unassigned
| Code Challenge Method Parameter Name | Change Controller | Reference |
|---|---|---|
| plain | IESG | [Section 4.2 of RFC7636] |
| S256 | IESG | [Section 4.2 of RFC7636] |
Specification Required
Unassigned
| Name | Description | Change Controller | Reference |
|---|---|---|---|
| active | Token active status | IESG | [RFC7662, Section 2.2] |
| username | User identifier of the resource owner | IESG | [RFC7662, Section 2.2] |
| client_id | Client identifier of the client | IESG | [RFC7662, Section 2.2] |
| scope | Authorized scopes of the token | IESG | [RFC7662, Section 2.2] |
| token_type | Type of the token | IESG | [RFC7662, Section 2.2] |
| exp | Expiration timestamp of the token | IESG | [RFC7662, Section 2.2] |
| iat | Issuance timestamp of the token | IESG | [RFC7662, Section 2.2] |
| nbf | Timestamp which the token is not valid before | IESG | [RFC7662, Section 2.2] |
| sub | Subject of the token | IESG | [RFC7662, Section 2.2] |
| aud | Audience of the token | IESG | [RFC7662, Section 2.2] |
| iss | Issuer of the token | IESG | [RFC7662, Section 2.2] |
| jti | Unique identifier of the token | IESG | [RFC7662, Section 2.2] |
| ID | Name | Contact URI | Last Updated |
|---|---|---|---|
| [OpenID_Foundation_Artifact_Binding_Working_Group] | OpenID Foundation Artifact Binding Working Group | mailto:openid-specs-ab&lists.openid.net | 2015-12-03 |