package oidc.discovery.v1

Get desktop application:
View/edit binary Protocol Buffers messages

MTLSEndpoints contains endpoints for mTLS Client Authentication https://www.rfc-editor.org/rfc/rfc8705.html

Used in: ServerMetadata

• string token_endpoint = 1

• string revocation_endpoint = 2

• string introspection_endpoint = 3

• string pushed_authorization_request_endpoint = 4

• string device_authorization_endpoint = 5

ProtectedResourceMetadata describes the Protected Resource Metadata properties. https://www.ietf.org/id/draft-ietf-oauth-resource-metadata-00.html#name-protected-resource-metadata

• string resource = 1

  REQUIRED. The protected resource's resource identifier, which is a URL that uses the https scheme and has no fragment components.

• repeated string authorization_servers = 2

  OPTIONAL. JSON array containing a list of OAuth authorization server issuer identifiers, as defined in [OAuth.AuthorizationMetadata], for authorization servers that can be used with this protected resource. Protected resources MAY choose not to advertise some supported authorization servers even when this parameter is used. In some use cases, the set of authorization servers will not be enumerable, in which case this metadata parameter would not be used.

• optional string jwks_uri = 3

  OPTIONAL. URL of the protected resource's JWK Set [JWK] document. This contains keys belonging to the protected resource. For instance, this JWK Set MAY contain encryption key(s) that are used to encrypt access tokens to the protected resource. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.

• repeated string scopes_provided = 4

  RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that are used in authorization requests to request access to this protected resource. Protected resources MAY choose not to advertise some scope values provided even when this parameter is used.

• repeated string bearer_methods_supported = 5

  OPTIONAL. JSON array containing a list of the OAuth 2.0 Bearer Token [RFC6750] presentation methods that this protected resource supports. Defined values are ["header", "fragment", "query"], corresponding to Sections 2.1, 2.2, and 2.3 of RFC 6750.

• repeated string resource_signing_alg_values_supported = 6

  OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the protected resource for signed content. The value none MAY be included.

• repeated string resource_encryption_alg_values_supported = 7

  OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the protected resource for encrypted content.

• repeated string resource_encryption_enc_values_supported = 8

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the protected resource for encrypted content.

• optional string resource_documentation = 9

  OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the protected resource.

• optional string resource_policy_uri = 10

  OPTIONAL. URL that the protected resource provides to read about the protected resource's requirements on how the client can use the data provided by the protected resource.

• optional string resource_tos_uri = 11

  OPTIONAL. URL that the protected resource provides to read about the protected resource's terms of service.

• optional string signed_metadata = 12

  OPTIONAL. A JWT containing metadata values about the protected resource as claims. This is a string value consisting of the entire signed JWT. A signed_metadata metadata value SHOULD NOT appear as a claim in the JWT.

• string issuer = 1

  REQUIRED. The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components. Authorization server metadata is published at a location that is ".well-known" according to RFC 5785 [RFC5785] derived from this issuer identifier, as described in Section 3. The issuer identifier is used to prevent authorization server mix- up attacks, as described in "OAuth 2.0 Mix-Up Mitigation" [MIX-UP].

• string authorization_endpoint = 2

  URL of the authorization server's authorization endpoint [RFC6749]. This is REQUIRED unless no grant types are supported that use the authorization endpoint.

• string token_endpoint = 3

  URL of the authorization server's token endpoint [RFC6749]. This is REQUIRED unless only the implicit grant type is supported.

• string jwks_uri = 4

  OPTIONAL. URL of the authorization server's JWK Set [JWK] document. The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the "https" scheme. The JWK Set MAY also contain the server's encryption key or keys, which are used by clients to encrypt requests to the server. When both signing and encryption keys are made available, a "use" (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.

• string userinfo_endpoint = 5

  RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.

• string registration_endpoint = 6

  OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].

• repeated string scopes_supported = 7

  RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] "scope" values that this authorization server supports. Servers MAY choose not to advertise some supported scope values even when this parameter is used.

• repeated string response_types_supported = 8

  REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591].

• repeated string response_modes_supported = 9

  OPTIONAL. JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports, as specified in "OAuth 2.0 Multiple Response Type Encoding Practices" [OAuth.Responses]. If omitted, the default is "["query", "fragment"]". The response mode value "form_post" is also defined in "OAuth 2.0 Form Post Response Mode" [OAuth.Post].

• repeated string grant_types_supported = 10

  OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. If omitted, the default value is "["authorization_code", "implicit"]".

• repeated string acr_values_supported = 11

  OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.

• repeated string subject_types_supported = 12

  REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.

• repeated string id_token_signing_alg_values_supported = 13

  REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow).

• repeated string id_token_encryption_alg_values_supported = 14

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT].

• repeated string id_token_encryption_enc_values_supported = 15

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT].

• repeated string userinfo_signing_alg_values_supported = 16

  OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.

• repeated string userinfo_encryption_alg_values_supported = 17

  OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].

• repeated string userinfo_encryption_enc_values_supported = 18

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].

• repeated string request_object_signing_alg_values_supported = 19

  OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256.

• repeated string request_object_encryption_alg_values_supported = 20

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.

• repeated string request_object_encryption_enc_values_supported = 21

  OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.

• repeated string token_endpoint_auth_methods_supported = 22

  OPTIONAL. JSON array containing a list of client authentication methods supported by this token endpoint. Client authentication method values are used in the "token_endpoint_auth_method" parameter defined in Section 2 of [RFC7591]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].

• repeated string token_endpoint_auth_signing_alg_values_supported = 23

  OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for the signature on the JWT [JWT] used to authenticate the client at the token endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "token_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. Servers SHOULD support "RS256". The value "none" MUST NOT be used.

• repeated string display_values_supported = 24

  OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].

• repeated string claim_types_supported = 25

  OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.

• repeated string claims_supported = 26

  RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.

• string service_documentation = 27

  OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the authorization server. In particular, if the authorization server does not support Dynamic Client Registration, then information on how to register clients needs to be provided in this documentation.

• repeated string claims_locales_supported = 28

  OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.

• repeated string ui_locales_supported = 29

  OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of language tag values from BCP 47 [RFC5646]. If omitted, the set of supported languages and scripts is unspecified.

• bool claims_parameter_supported = 30

  OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false.

• bool request_parameter_supported = 31

  OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false.

• bool request_uri_parameter_supported = 32

  OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true.

• bool require_request_uri_registration = 33

  OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false.

• string op_policy_uri = 34

  OPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_policy_uri" appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.

• string op_tos_uri = 35

  OPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_tos_uri", appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.

• string revocation_endpoint = 36

  OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].

• repeated string revocation_endpoint_auth_methods_supported = 37

  OPTIONAL. JSON array containing a list of client authentication methods supported by this revocation endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].

• repeated string revocation_endpoint_auth_signing_alg_values_supported = 38

  OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.

• string introspection_endpoint = 39

  OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].

• repeated string introspection_endpoint_auth_methods_supported = 40

  OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means.

• repeated string introspection_endpoint_auth_signing_alg_values_supported = 41

  OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.

• repeated string code_challenge_methods_supported = 42

  OPTIONAL. JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.

• string pushed_authorization_request_endpoint = 43

  The URL of the pushed authorization request endpoint at which the client can post an authorization request and get a request URI in exchange. https://tools.ietf.org/html/draft-lodderstedt-oauth-par-01#section-5

• repeated string pushed_authorization_request_endpoint_auth_methods_supported = 44

• optional MTLSEndpoints mtls_endpoint_aliases = 45

  https://www.rfc-editor.org/rfc/rfc8705.html#section-5

• string device_authorization_endpoint = 46

  https://tools.ietf.org/html/rfc8628#section-4

• repeated string dpop_signing_alg_values_supported = 47

  OPTIONAL. JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs. https://www.ietf.org/id/draft-ietf-oauth-dpop-01.html#section-10.7

• bool tls_client_certificate_bound_access_tokens = 48

  OPTIONAL. Boolean value indicating server support for mutual-TLS client certificate-bound access tokens. If omitted, the default value is false. https://www.rfc-editor.org/rfc/rfc8705.html#section-3.3

• repeated string authorization_signing_alg_values_supported = 49

  OPTIONAL. JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.

• repeated string authorization_encryption_alg_values_supported = 50

  OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.

• repeated string authorization_encryption_enc_values_supported = 51

  OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.

• bool authorization_response_iss_parameter_supported = 52

  OPTIONAL. Boolean parameter indicating whether the authorization server provides the "iss" parameter in the authorization response as defined in Section 2. If omitted, the default value is false. https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-02.html#name-authorization-server-metada

• repeated string introspection_signing_alg_values_supported = 53

  OPTIONAL. JSON array containing a list of the JWS [RFC7515] signing algorithms ("alg" values) as defined in JWA [RFC7518] supported by the introspection endpoint to sign the response. https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10#section-7

• repeated string introspection_encryption_alg_values_supported = 54

  OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms ("alg" values) as defined in JWA [RFC7518] supported by the introspection endpoint to encrypt the content encryption key for introspection responses (content key encryption). https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10#section-7

• repeated string introspection_encryption_enc_values_supported = 55

  OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms ("enc" values) as defined in JWA [RFC7518] supported by the introspection endpoint to encrypt the response (content encryption). https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10#section-7

• string signed_metadata = 56

  OPTIONAL. A JWT containing metadata values about the authorization server as claims. This is a string value consisting of the entire signed JWT. A "signed_metadata" metadata value SHOULD NOT appear as a claim in the JWT. https://tools.ietf.org/html/rfc8414#section-2.1