RelyingPartyMetadata

@Serializable
data class RelyingPartyMetadata(val redirectUris: List<String>? = null, val jsonWebKeySet: JsonWebKeySet? = null, val jsonWebKeySetUrl: String? = null, val idTokenSignedResponseAlgString: String? = null, val authorizationEncryptedResponseAlgString: String? = null, val authorizationEncryptedResponseEncodingString: String? = null, val encryptedResponseEncValuesSupportedString: Set<String>? = null, val idTokenEncryptedResponseAlgString: String? = null, val idTokenEncryptedResponseEncodingString: String? = null, val subjectSyntaxTypesSupported: Set<String>? = null, val vpFormatsSupported: VpFormatsSupported? = null, val clientIdScheme: OpenIdConstants.ClientIdScheme? = OpenIdConstants.ClientIdScheme.PreRegistered)

Constructors

constructor(redirectUris: List<String>? = null, jsonWebKeySet: JsonWebKeySet? = null, jsonWebKeySetUrl: String? = null, idTokenSignedResponseAlgString: String? = null, authorizationEncryptedResponseAlgString: String? = null, authorizationEncryptedResponseEncodingString: String? = null, encryptedResponseEncValuesSupportedString: Set<String>? = null, idTokenEncryptedResponseAlgString: String? = null, idTokenEncryptedResponseEncodingString: String? = null, subjectSyntaxTypesSupported: Set<String>? = null, vpFormatsSupported: VpFormatsSupported? = null, clientIdScheme: OpenIdConstants.ClientIdScheme? = OpenIdConstants.ClientIdScheme.PreRegistered)

Properties

@Transient
val authorizationEncryptedResponseAlg: JweAlgorithm?
@SerialName(value = "authorization_encrypted_response_alg")
val authorizationEncryptedResponseAlgString: String? = null

OID JARM: JWE (RFC7516) alg algorithm JWA (RFC7518). REQUIRED for encrypting authorization responses. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in JWT (RFC7519). The default, if omitted, is that no encryption is performed.

@Transient
val authorizationEncryptedResponseEncoding: JweEncryption?
@SerialName(value = "authorization_encrypted_response_enc")
val authorizationEncryptedResponseEncodingString: String? = null
@SerialName(value = "client_id_scheme")
val clientIdScheme: OpenIdConstants.ClientIdScheme?
@Transient
val encryptedResponseEncValues: Set<JweEncryption?>?

OpenID4VP: OPTIONAL. Non-empty array of strings, where each string is a JWE RFC7516 enc algorithm that can be used as the content encryption algorithm for encrypting the Response. When a response_mode requiring encryption of the Response (such as dc_api.jwt or direct_post.jwt) is specified, this MUST be present for anything other than the default single value of A128GCM. Otherwise, this SHOULD be absent.

@SerialName(value = "encrypted_response_enc_values_supported")
val encryptedResponseEncValuesSupportedString: Set<String>? = null

OpenID4VP: OPTIONAL. Non-empty array of strings, where each string is a JWE RFC7516 enc algorithm that can be used as the content encryption algorithm for encrypting the Response. When a response_mode requiring encryption of the Response (such as dc_api.jwt or direct_post.jwt) is specified, this MUST be present for anything other than the default single value of A128GCM. Otherwise, this SHOULD be absent.

@Transient
val idTokenEncryptedResponseAlg: JweAlgorithm?

OIDC Registration: OPTIONAL. JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.

@SerialName(value = "id_token_encrypted_response_alg")
val idTokenEncryptedResponseAlgString: String? = null

OIDC Registration: OPTIONAL. JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT. The default, if omitted, is that no encryption is performed.

@Transient
val idTokenEncryptedResponseEncoding: JweEncryption?

OIDC Registration: OPTIONAL. JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client. If idTokenEncryptedResponseAlg is specified, the default value is JweEncryption.A128CBC_HS256. When idTokenEncryptedResponseEncoding is included, idTokenEncryptedResponseAlg MUST also be provided.

@SerialName(value = "id_token_encrypted_response_enc")
val idTokenEncryptedResponseEncodingString: String? = null

OIDC Registration: OPTIONAL. JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client. If idTokenEncryptedResponseAlg is specified, the default value is A128CBC-HS256. When idTokenEncryptedResponseEncoding is included, idTokenEncryptedResponseAlg MUST also be provided.

@Transient
val idTokenSignedResponseAlg: JwsAlgorithm?

OIDC Registration: OPTIONAL. JWS alg algorithm REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is JwsAlgorithm.Signature.RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0.

@SerialName(value = "id_token_signed_response_alg")
val idTokenSignedResponseAlgString: String? = null

OIDC Registration: OPTIONAL. JWS alg algorithm REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0.

@SerialName(value = "jwks")
val jsonWebKeySet: JsonWebKeySet? = null

OIDC Registration: OPTIONAL. Client's JWK Set document, passed by value. The semantics of the jwks parameter are the same as the jsonWebKeySetUrl parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jsonWebKeySetUrl parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jsonWebKeySetUrl, it MUST NOT use jsonWebKeySet. One significant downside of jsonWebKeySet is that it does not enable key rotation (which jsonWebKeySetUrl does, as described in Section 10 of OpenID Connect Core 1.0). The jsonWebKeySetUrl and jsonWebKeySet parameters MUST NOT be used together. The JWK Set MUST NOT contain private or symmetric key values.

@SerialName(value = "jwks_uri")
val jsonWebKeySetUrl: String? = null

OIDC Registration: OPTIONAL. URL for the Client's JWK Set document, which MUST use the https scheme. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption key(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. The JWK Set MUST NOT contain private or symmetric key values.

@SerialName(value = "redirect_uris")
val redirectUris: List<String>? = null

OIDC Registration: REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request, with the matching performed as described in Section 6.2.1 of (RFC3986) (Simple String Comparison).

@SerialName(value = "subject_syntax_types_supported")
val subjectSyntaxTypesSupported: Set<String>? = null

OIDC SIOPv2: REQUIRED. A JSON array of strings representing URI scheme identifiers and optionally method names of supported Subject Syntax Types. Valid values include urn:ietf:params:oauth:jwk-thumbprint, did:example and others.

@SerialName(value = "vp_formats_supported")
val vpFormatsSupported: VpFormatsSupported? = null

OID4VP 1.0: REQUIRED. An object containing a list of name/value pairs, where the name is a Credential Format Identifier and the value defines format-specific parameters that a Verifier supports. For specific values that can be used, see Appendix B. Deployments can extend the formats supported, provided Issuers, Holders and Verifiers all understand the new format.
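
The MUST and MUST NOT rules quoted above for jwks, jwks_uri, id_token_encrypted_response_enc, id_token_signed_response_alg and redirect_uris, applied to the serialized JSON form of the metadata. This is an added example, not code from this library: it uses the kotlinx.serialization JSON tree API, and checkClientMetadata, isRegisteredRedirect and all sample values are hypothetical and constructed for illustration.

```kotlin
import kotlinx.serialization.json.*

// JWK members holding private or symmetric key material (RFC 7518, section 6).
private val SECRET_JWK_MEMBERS = setOf("d", "p", "q", "dp", "dq", "qi", "oth", "k")

private fun JsonObject.str(name: String): String? = (this[name] as? JsonPrimitive)?.contentOrNull

/** Returns every violated constraint; an empty list means these checks passed. */
fun checkClientMetadata(meta: JsonObject): List<String> {
    val problems = mutableListOf<String>()
    val jwks = meta["jwks"] as? JsonObject
    val jwksUri = meta.str("jwks_uri")
    if (jwks != null && jwksUri != null) problems += "jwks and jwks_uri MUST NOT be used together"
    if (jwksUri != null && !jwksUri.startsWith("https://", ignoreCase = true))
        problems += "jwks_uri MUST use the https scheme"

    val keys = (jwks?.get("keys") as? JsonArray).orEmpty().filterIsInstance<JsonObject>()
    keys.forEachIndexed { i, key ->
        val leaked = key.keys intersect SECRET_JWK_MEMBERS
        if (leaked.isNotEmpty() || key.str("kty") == "oct")
            problems += "jwks key #$i carries private or symmetric key material"
    }
    val uses = keys.mapNotNull { it.str("use") }.toSet()
    if ("sig" in uses && "enc" in uses && keys.any { it.str("use") == null })
        problems += "use is REQUIRED on all keys when signing and encryption keys are both present"
    if (meta.str("id_token_encrypted_response_enc") != null && meta.str("id_token_encrypted_response_alg") == null)
        problems += "id_token_encrypted_response_enc requires id_token_encrypted_response_alg"
    // Conservative: this metadata has no response_types, so "none" is always reported for review.
    if (meta.str("id_token_signed_response_alg") == "none")
        problems += "id_token_signed_response_alg is none"
    if ((meta["redirect_uris"] as? JsonArray).isNullOrEmpty()) problems += "redirect_uris is REQUIRED"
    return problems
}

/** Simple string comparison (RFC 3986, section 6.2.1): no case folding, no normalisation. */
fun isRegisteredRedirect(meta: JsonObject, requested: String): Boolean =
    (meta["redirect_uris"] as? JsonArray).orEmpty().any { (it as? JsonPrimitive)?.contentOrNull == requested }

fun main() {
    // Constructed sample metadata, not taken from any real client.
    val meta = Json.parseToJsonElement("""
        {"redirect_uris": ["https://rp.example/cb"],
         "jwks_uri": "http://rp.example/jwks.json",
         "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "x": "x-placeholder", "y": "y-placeholder", "d": "d-placeholder"}]},
         "id_token_encrypted_response_enc": "A128CBC-HS256"}
    """).jsonObject
    checkClientMetadata(meta).forEach(::println)
    println(isRegisteredRedirect(meta, "https://rp.example/cb"))   // identical string
    println(isRegisteredRedirect(meta, "https://RP.example/cb/"))  // different host case and trailing slash
}
```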