| TOC |
|
OpenID Authentication 2.0 defines the method to move Authentication and associated extension requests among the User, Relying Party, and the OpenID provider through HTTP POST or GET, i.e., it defines the POST and GET binding for OpenID messaging. This specification defines the Artifact Binding that sends the OpenID message directly from the Relying Party to the OpenID Provider and passes only a small reference data called Artifact through the browser so that large payload can be moved between the Relying Party and the OpenID Provider without hitting the browser URL and HTTP header size limitation.
1.
Requirements Notation and Conventions
2.
Terminology
3.
Protocol Overview
4.
Data Formats
5.
Communication Types
6.
Generating Signatures
7.
Protocol
7.1.
Initiation and Discovery
7.2.
Establishing Associations
7.3.
Direct Authencitaction Request
7.4.
Direct Authentication Request Response
7.5.
Artifact Authentication Request
7.6.
Artifact Authentication Response
7.7.
Direct Assertion Request
7.8.
Direct Assertion Response
7.9.
Verifying Assertions
8.
Extensions
9.
Discovering OpenID Relying Parties
10.
Security Considerations
Appendix A.
Acknowledgements
11.
Normative References
§
Author's Address
| TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels,” .).
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
| TOC |
In addition to the terminology used in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.), following terms are used.
- Artifact:
- An Artifact is a small text associated with the larger payload that identifies the payload.
| TOC |
A Typical sequence can be depicted as follows:
| TOC |
Data Format is the same as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 4.
| TOC |
Communication Types are the same as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 5. In addition to those defined, the Artifact Binding uses Direct Communication for sendin and receiving authentication message.
| TOC |
Signature Generation is the same as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 6.
| TOC |
| TOC |
Initiation and Discovery is the same as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 7.
| TOC |
It is the same as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 8.
| TOC |
Once the Relying Party has successfully performed discovery and (optionally) created an association with the discovered OP Endpoint URL, it can send an authentication request to the OP to obtain an assertion. When requesting authentication, the Relying Party MUST send the request in direct communication to the OP. Upon receipt of a valid request, OP MUST return a unique short string less than 400 characters called an Artifact to identify this request. The Artifact value must include the string constructed from a cryptographically strong random or pseudorandom number sequence [RFC1750] generated by the OP. The Artifact is subsequently used over an indirect request, the Artifact Authentication Request.
Parameters sent are as follows:
As specified in Section 4.1.2 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
Value: "checkid_immediate", "checkid_setup", "direct_checkid_immediate" or "direct_checkid_setup"
Note: If the Relying Party wishes the end user to be able to interact with the OP, "checkid_setup" should be used. An example of a situation where interaction between the end user and the OP is not desired is when the authentication request is happening asynchronously in JavaScript.
Value: (optional) The Claimed Identifier.
"openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. If neither value is present, the assertion is not about an identifier, and will contain other information in its payload, using extensions (Extensions).
It is RECOMMENDED that OPs accept XRI identifiers with or without the "xri://" prefix, as specified in the Normalization (Initiation and Discovery) section.
Value: (optional) The OP-Local Identifier.
If a different OP-Local Identifier is not specified, the claimed identifier MUST be used as the value for openid.identity.
Note: If this is set to the special value "http://specs.openid.net/auth/2.0/identifier_select" then the OP SHOULD choose an Identifier that belongs to the end user. This parameter MAY be omitted if the request is not about an identifier (for instance if an extension is in use that makes the request meaningful without it; see openid.claimed_id above).
Value: (optional) A handle for an association between the Relying Party and the OP that SHOULD be used to sign the response.
Note: If no association handle is sent, the transaction will take place in Stateless Mode.
Value: (optional) URL to which the OP SHOULD return the User-Agent with the response indicating the status of the request.
Note: If this value is not sent in the request it signifies that the Relying Party does not wish for the end user to be returned.
Note: The return_to URL MAY be used as a mechanism for the Relying Party to attach context about the authentication request to the authentication response. This document does not define a mechanism by which the RP can ensure that query parameters are not modified by outside parties; such a mechanism can be defined by the RP itself.
Value: (optional) URL pattern the OP SHOULD ask the end user to trust. See "Realms" in OpenID Authentication 2.0. This value MUST be sent if openid.return_to is omitted.
Default: return_to URL
Value: Comma-separated list of signed fields.
Note: This entry consists of the fields without the "openid." prefix that the signature covers. This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle", and if present in the response, "claimed_id" and "identity". Additional keys MAY be signed as part of the message. See Generating Signatures (Generating Signatures).
For example, "op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce".
Value: Base 64 encoded signature calculated as specified in Section 6 (Generating Signatures).
| TOC |
When Direct Authentication Request is received successfully, the OP performs request validation. Request validation includes Return URL Verification as in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) section 9.2 as well as the signature validation.
If the request is valid, the OP returns the following fields in the HTTP response body.
As specified in Section 4.1.2 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
Value: direct_checkid_accepted
Value: A unique short string less than 400 characters. This value includes a string that is constructed from a cryptographically strong random or pseudorandom number sequence [RFC1750] generated by the OP. The Artifact may be used over an indirect request, the Artifact Authentication Request, subsequently.
Value: Comma-separated list of signed fields.
Note: This entry consists of the fields without the "openid." prefix that the signature covers. This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle", and if present in the response, "claimed_id" and "identity". Additional keys MAY be signed as part of the message. See Generating Signatures (Generating Signatures).
For example, "op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce".
Value: Base 64 encoded signature calculated as specified in Section 6 (Generating Signatures).
| TOC |
Upon receipt of the Artifact, RP should send the Artifact Authentication Request to the OP. Fields are as follows:
As specified in Section 4.1.2 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
Value: art_req
Value: The Artifact value returned by OP on Section 7.4 (Direct Authentication Request Response).
| TOC |
Upon receipt of the Artifact Authentication Request, the OP MUST determine that an authorized end user wishes to complete the authentication in the manner described in Section 10 of the [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.). Once it is determined, the OP creates either positive or negative assertion and associated artifact and returns the response as follows:
As specified in Section 4.1.2 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
Value: "art_res"
Value: The Artifact value corresponding to the Assertion created. It may or may not be the same as the value in the request. If the Artifact was not found at the OP, it MUST be a string "INVALID".
No other parameter should be returned.
| TOC |
If valid openid.artifact was returned, the RP SHOULD request the OP in direct communication with the following parameters:
As specified in Section 4.1.2 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
Value: "direct_assertion_req"
Value: The Artifact value received in the Section 7.6 (Artifact Authentication Response) Artifact Authentication Response.
Value: Comma-separated list of fields in this request.
Value: Base 64 encoded signature calculated as specified in Section 6 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
On receipt of such request, the OP should return the assertion created previously as the payload of the response to this request.
| TOC |
Upon receipt of the Direct Assertion Request, OP MUST return either Positive or Negative Assertion as defined in [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.) in the HTTP/S response body.
| TOC |
Assertion verification is done as in Section 11 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
| TOC |
Extensions are as defined in Section 12 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.). In addition, this specification adds “artifact” in the disallowed aliases.
| TOC |
Relying Party Discovery is as in Section 13 of [OpenID.authentication‑2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007.).
| TOC |
| TOC |
As a binding of OpenID Authentication, this specification heavily relies on OpenID Authentication 2.0. Please refer to Appendix C of OpenID Authentication 2.0 for the full list of the contributors for OpenID Authentication 2.0.
In addition, the OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification. If you want to know the nitty gritty of who actually wrote what, feel free to look at our BitBucket repository.
Breno de Madiros (breno@gmail.com)
Hideki Nara (hideki.nara@gmail.com)
Nat Sakimura (sakimura@gmail.com) <author/editor>
| TOC |
| [FIPS180-2] | U.S. Department of Commerce and National Institute of Standards
and Technology, “Secure Hash Signature Standard,” FIPS 180-2. Defines Secure Hash Algorithm 256 (SHA256) |
| [HTML401] | W3C, “HTML 4.01 Specification.” |
| [OpenID.authentication-2.0] | specs@openid.net, “OpenID Authentication 2.0,” 2007 (TXT, HTML). |
| [RFC1750] | Eastlake, D., Crocker, S., and J. Schiller, “Randomness Recommendations for Security,” RFC 1750. |
| [RFC2104] | Krawczyk, H., Bellare, M., and R. Canetti, “HMAC: Keyed-Hashing for Message Authentication,” RFC 2104. |
| [RFC2119] | Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels,” RFC 2119. |
| [RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616. |
| [RFC2631] | Rescorla, E., “Diffie-Hellman Key Agreement Method,” RFC 2631. |
| [RFC3548] | Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” RFC 3548. |
| [RFC3629] | Yergeau, F., “UTF-8, a transformation format of Unicode and ISO 10646,” RFC 3629. |
| [RFC3986] | Berners-Lee, T., “Uniform Resource Identifiers (URI): Generic Syntax,” RFC 3986. |
| TOC |
| specs@openid.net |