Internet-Draft IPSIE SL1 April 2025
Parecki Expires 31 October 2025 [Page]
Workgroup:
IPSIE Working Group
Internet-Draft:
draft-openid-ipsie-sl1-profile-latest
Published:
Intended Status:
Informational
Expires:
Author:
A. Parecki
Okta

IPSIE SL1 OpenID Connect Profile

Abstract

The IPSIE SL1 OpenID Connect Profile is a profile of OpenID Connect intended to meet the security and interoperability requirements of enterprise integrations using OpenID Connect.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://openid.github.io/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-openid-ipsie-sl1-profile/.

Discussion of this document takes place on the IPSIE Working Group mailing list (mailto:openid-specs-ipsie@lists.openid.net), which is archived at https://openid.net/wg/ipsie/.

Source for this draft and an issue tracker can be found at https://github.com/openid/ipsie-openid-sl1.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 31 October 2025.

Table of Contents

1. Introduction

TODO Introduction

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 [RFC8174] when, and only when, they appear in all capitals, as shown here.

2.1. Roles

This document uses the term "Identity Provider" to refer to the "OpenID Provider" in [OpenID] and the "Authorization Server" in [RFC6749].

This document uses the term "Application" to refer to the "Relying Party" in [OpenID] and the "Client" in [RFC6749].

3. Profile

3.1. Network Layer Requirements

3.1.1. Requirements for all endpoints

To protect against network attacks, clients, authorization servers, and resource servers

  • MUST only offer TLS protected endpoints and MUST establish connections to other servers using TLS;

  • MUST set up TLS connections using TLS version 1.2 or later;

  • MUST follow the recommendations for Secure Use of Transport Layer Security in [BCP195];

  • SHOULD use DNSSEC to protect against DNS spoofing attacks that can lead to the issuance of rogue domain-validated TLS certificates; and

  • MUST perform a TLS server certificate check, as per [RFC9525].

3.1.2. Requirements for endpoints not used by web browsers

For server-to-server communication endpoints that are not used by web browsers, the following requirements apply:

  • When using TLS 1.2, servers MUST only permit the cipher suites recommended in [BCP195];

  • When using TLS 1.2, clients SHOULD only permit the cipher suites recommended in [BCP195].

3.1.3. Requirements for endpoints used by web browsers

For endpoints that are used by web browsers, the following additional requirements apply:

  • Servers MUST use methods to ensure that connections cannot be downgraded using TLS stripping attacks. A preloaded [preload] HTTP Strict Transport Security policy [RFC6797] can be used for this purpose. Some top-level domains, like .bank and .insurance, have set such a policy and therefore protect all second-level domains below them.

  • When using TLS 1.2, servers MUST only use cipher suites allowed in [BCP195].

  • Servers MUST NOT support [CORS] for the authorization endpoint, as clients must perform an HTTP redirect rather than access this endpoint directly.

3.2. Cryptography and Secrets

The following requirements apply to cryptographic operations and secrets:

  • Authorization servers, clients, and resource servers when creating or processing JWTs:

    • MUST adhere to [RFC8725];

    • MUST use PS256, ES256, or EdDSA (using the Ed25519 variant) algorithms; and

    • MUST NOT use or accept the none algorithm.

  • RSA keys MUST have a minimum length of 2048 bits.

  • Elliptic curve keys MUST have a minimum length of 224 bits.

  • Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) MUST be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible (Section 10.10 of [RFC6749]).

3.3. OpenID Connect

In the following, a profile of the following technologies is defined:

3.3.1. Requirements for OpenID Providers

OpenID Providers:

  • MUST distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [OpenID.Discovery];

  • MUST reject requests using the resource owner password credentials grant;

  • MUST support public clients as defined in [RFC6749];

  • MUST NOT expose open redirectors Section 4.11 of [RFC9700];

  • MUST only accept its issuer identifier value (as defined in [RFC8414]) as a string in the aud claim received in client authentication assertions;

  • MUST issue authorization codes with a maximum lifetime of 60 seconds;

  • MUST require clients to be preregistered, and MUST NOT support unauthenticated Dynamic Client Registration requests (see Note 1);

  • MUST require clients to pre-register their redirect URIs

Access Tokens issued by OpenID Providers:

  • MUST only be used by the RP to retrieve identity claims at the OpenID Provider;

  • MUST only issue sender-constrained access tokens using DPoP [RFC9449];

ID Tokens issued by OpenID Providers:

  • MUST contain the OAuth Client ID of the RP as a single audience value as a string (see Note 2);

  • MUST contain the acr claim as a string that identifies the Authentication Context Class that the authentication performed satisfied, as described in Section 2 of [OpenID];

  • MUST contain the amr claim as an array of strings indicating identifiers for authentication methods used in the authentication from those registered in the IANA Authentication Method Reference Values registry, as described in Section 2 of [OpenID];

  • MUST indicate the expected lifetime of the RP session in the session_lifetime claim in seconds (see Note 3);

Note 1: The requirement for preregistered clients corresponds to Section 3.4 "Trust Agreements" of [NIST.FAL].

Note 2: The audience value must be a single string to meet the audience restriction of [NIST.FAL].

Note 3: This claim is not currently defined in OpenID Connect, and should be pulled out into its own spec in OpenID Core instead of being defined here.

For the authorization code flow, OpenID Providers:

  • MUST require the value of response_type described in [RFC6749] to be code;

  • MUST require PKCE [RFC7636] with S256 as the code challenge method (see Note 1 below);

  • MUST require an exact match of a registered redirect URI as described in Section 2.1 of [RFC9700];

  • MUST issue authorization codes with a maximum lifetime of 60 seconds;

  • MUST support "Authorization Code Binding to DPoP Key" (as required by Section 10.1 of [RFC9449]);

  • MUST return an iss parameter in the authorization response according to [RFC9207];

  • MUST NOT transmit authorization responses over unencrypted network connections, and, to this end, MUST NOT allow redirect URIs that use the http scheme;

  • MUST reject an authorization code (Section 1.3.1 of [RFC6749]) if it has been previously used;

  • MUST NOT use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see Section 4.12 of [RFC9700]);

  • SHOULD use the HTTP 303 status code when redirecting the user agent using status codes;

  • MUST support nonce parameter values up to 64 characters in length, and MAY reject nonce values longer than 64 characters.

Note 1: while both nonce and PKCE can provide protection from authorization code injection, nonce relies on the client (RP) to implement and enforce the check, and the IdP is unable to verify that it has been implemented correctly, and only stops the attack after tokens have already been issued. Instead, PKCE is enforced by the IdP and stops the attack before tokens are issued.

3.3.2. Requirements for OpenID Relying Parties

OpenID Relying Parties:

  • MUST support third-party initiated login as defined in Section 4 of [OpenID];

  • MUST use the authorization server's issuer identifier value (as defined in [RFC8414]) in the aud claim in client authentication assertions. The issuer identifier value shall be sent as a string not as an item in an array;

  • MUST NOT expose open redirectors (see Section 4.11 of [RFC9700]);

  • MUST only use authorization server metadata (such as the authorization endpoint) retrieved from the metadata document as specified in [OpenID.Discovery] and [RFC8414];

  • MUST ensure that the issuer URL used as the basis for retrieving the authorization server metadata is obtained from an authoritative source and using a secure channel, such that it cannot be modified by an attacker;

  • MUST ensure that this issuer URL and the issuer value in the obtained metadata match;

OpenID Relying Parties making resource requests to the OpenID Provider:

  • MUST support sender-constrined access tokens using DPoP as described in [RFC9449];

  • MUST support the server-provided nonce mechanism (as defined in Section 8 of [RFC9449]);

  • MUST send access tokens in the HTTP header as described in Section 7.1 of [RFC9449];

  • MUST support refresh tokens and their rotation;

For the authorization code flow, Relying Parties:

  • MUST use the authorization code grant described in [RFC6749];

  • MUST use PKCE [RFC7636] with S256 as the code challenge method;

  • MUST generate the PKCE challenge specifically for each authorization request and securely bind the challenge to the client and the user agent in which the flow was started;

  • MUST check the iss parameter in the authorization response according to [RFC9207] to prevent mix-up attacks;

  • SHOULD NOT use nonce parameter values longer than 64 characters;

In addition to the ID Token validation requirements described in Section 3.1.37 of [OpenID], Relying Parties:

  • MUST validate that the aud claim is a single string and matches the OAuth Client ID of the RP;

  • MUST set the session lifetime of the session created to match the session_lifetime claim (see Note 1);

Note 1: This claim is not currently defined in OpenID Connect, and should be pulled out into its own spec in OpenID Core instead of being defined here.

4. Security Considerations

5. IANA Considerations

This document has no IANA actions.

6. Normative References

[BCP195]
Best Current Practice 195, <https://www.rfc-editor.org/info/bcp195>.
At the time of writing, this BCP comprises the following:
Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, , <https://www.rfc-editor.org/info/rfc8996>.
Sheffer, Y., Saint-Andre, P., and T. Fossati, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, , <https://www.rfc-editor.org/info/rfc9325>.
[NIST.FAL]
"NIST SP 800-63 Digital Identity Guidelines Federation Assurance Level (FAL)", , <https://pages.nist.gov/800-63-4/sp800-63c/fal/>.
[OpenID]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", , <https://openid.net/specs/openid-connect-core-1_0.html>.
[OpenID.Discovery]
Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0 incorporating errata set 2", , <https://openid.net/specs/openid-connect-discovery-1_0.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/rfc/rfc6749>.
[RFC6750]
Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, , <https://www.rfc-editor.org/rfc/rfc6750>.
[RFC6797]
Hodges, J., Jackson, C., and A. Barth, "HTTP Strict Transport Security (HSTS)", RFC 6797, DOI 10.17487/RFC6797, , <https://www.rfc-editor.org/rfc/rfc6797>.
[RFC7636]
Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key for Code Exchange by OAuth Public Clients", RFC 7636, DOI 10.17487/RFC7636, , <https://www.rfc-editor.org/rfc/rfc7636>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8252]
Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps", BCP 212, RFC 8252, DOI 10.17487/RFC8252, , <https://www.rfc-editor.org/rfc/rfc8252>.
[RFC8414]
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, , <https://www.rfc-editor.org/rfc/rfc8414>.
[RFC8725]
Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, , <https://www.rfc-editor.org/rfc/rfc8725>.
[RFC9126]
Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, , <https://www.rfc-editor.org/rfc/rfc9126>.
[RFC9207]
Meyer zu Selhausen, K. and D. Fett, "OAuth 2.0 Authorization Server Issuer Identification", RFC 9207, DOI 10.17487/RFC9207, , <https://www.rfc-editor.org/rfc/rfc9207>.
[RFC9449]
Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, , <https://www.rfc-editor.org/rfc/rfc9449>.
[RFC9525]
Saint-Andre, P. and R. Salz, "Service Identity in TLS", RFC 9525, DOI 10.17487/RFC9525, , <https://www.rfc-editor.org/rfc/rfc9525>.
[RFC9700]
Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett, "Best Current Practice for OAuth 2.0 Security", BCP 240, RFC 9700, DOI 10.17487/RFC9700, , <https://www.rfc-editor.org/rfc/rfc9700>.

Appendix A. Notices

Copyright (c) 2025 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft, Final Specification, or Final Specification Incorporating Errata Corrections solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts, Final Specifications, and Final Specification Incorporating Errata Corrections based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy (found at openid.net) requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. OpenID invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Appendix B. Document History

[[ To be removed from the final specification ]]

-01

-00

Initial draft

Acknowledgments

TODO acknowledge.

Author's Address

Aaron Parecki
Okta