OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
This specification defines a mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.
In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of this fixed-width font.
IMPORTANT NOTE TO READERS: The terminology definitions in this section are a normative portion of this specification, imposing requirements upon implementations. All the capitalized words in the text of this specification, such as "Identifier", reference these defined terms. Whenever the reader encounters them, their definitions found in this section must be followed.
Issuer discovery is OPTIONAL; if a Relying Party knows the OP's Issuer location through an out-of-band mechanism, it can skip this step and proceed to Section 4 (Obtaining OpenID Provider Configuration Information).
The purpose of Identifier normalization is to determine normalized Resource and Host values from the user input Identifier. These are then used as WebFinger request parameters to discover the Issuer location.
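The following is an added example, not code from the specification: it applies the normalization rules as this example reads them (an Identifier starting with =, @ or ! is an XRI and is rejected; an Identifier containing "@" with no scheme and no ":" after the "@" gets "acct:" prepended; anything else without a scheme gets "https://"; a fragment is dropped), derives the Host, builds the WebFinger request URL over TLS, and extracts the Issuer location from a constructed JRD response. The sample Identifiers, the host names and the `SAMPLE_JRD` document are constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit

# rel value used to ask WebFinger for the OpenID Connect Issuer location
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Return (Resource, Host) for the WebFinger request from a user-typed Identifier."""
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty Identifier")
    if ident[0] in "=@!":
        raise ValueError("XRI Identifiers are not handled by this example")
    ident = ident.split("#", 1)[0]  # a fragment is never part of the Resource
    if not _SCHEME_RE.match(ident):
        _user, at, rest = ident.rpartition("@")
        if at and ":" not in rest:
            ident = "acct:" + ident      # e-mail-style Identifier -> acct URI
        else:
            ident = "https://" + ident   # bare host[:port][/path] -> https URL
    if ident.startswith("acct:"):
        host = ident.rpartition("@")[2]  # domain after the last "@"
    else:
        authority = urlsplit(ident).netloc
        host = authority.rpartition("@")[2]  # drop userinfo, keep host[:port]
    if not host:
        raise ValueError(f"could not determine Host from {ident!r}")
    return ident, host


def webfinger_request_url(resource: str, host: str) -> str:
    """WebFinger request for the Issuer location; always sent over https."""
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_webfinger(response: dict) -> str:
    """Pick the Issuer location out of a JRD; require an https URL without query or fragment."""
    for link in response.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            issuer = link.get("href", "")
            parts = urlsplit(issuer)
            if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
                raise ValueError(f"Issuer location is not an acceptable https URL: {issuer!r}")
            return issuer
    raise ValueError("no OpenID Connect Issuer link in WebFinger response")


# Constructed sample JRD, as a WebFinger server might return for acct:joe@example.com
SAMPLE_JRD = {
    "subject": "acct:joe@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/joe"},
        {"rel": OIDC_ISSUER_REL, "href": "https://server.example.com"},
    ],
}

if __name__ == "__main__":
    for raw in ("joe@example.com", "https://example.com/joe", "https://example.com:8080/",
                "acct:juliet%40capulet@example.com", "example.com"):
        resource, host = normalize_identifier(raw)
        print(f"{raw!r:40} -> resource={resource!r} host={host!r}")
        print("   ", webfinger_request_url(resource, host))
    print("Issuer:", issuer_from_webfinger(SAMPLE_JRD))
```

The scheme test deliberately follows RFC 3986 syntax, so an input like `localhost:8080` is treated as having a scheme; that ambiguity is inherent to the grammar and a production client would need its own policy for it.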
If the Issuer value contains a path component, any terminating / MUST be removed before appending /.well-known/openid-configuration. The RP would make the following request to the Issuer to obtain its configuration information, since the Issuer contains a path component:
The response is a set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information. A successful response MUST use the 200 OK HTTP status code and return a JSON object using the application/json content type that contains a set of Claims as its members that are a subset of the Metadata values defined in Section 3 (OpenID Provider Metadata). Other Claims MAY also be returned.
If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.
The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.
This specification defines features used by both Relying Parties and OpenID Providers that choose to implement Discovery. All of these Relying Parties and OpenID Providers MUST implement the features that are listed in this specification as being "REQUIRED" or are described with a "MUST". No other implementation considerations for implementations of Discovery are defined by this specification.
TLS certificate checking MUST be performed by the RP, as described in Section 7.1 (TLS Requirements), when making an OpenID Provider Configuration Request. Checking that the server certificate is valid for the Issuer URL prevents man-in-the-middle and DNS-based attacks. These attacks could cause an RP to be tricked into using an attacker's keys and endpoints, which would enable impersonation of the legitimate Issuer. If an attacker can accomplish this, they can access the accounts of any existing users at the affected RP that can be logged into using the OP that they are impersonating.
An attacker may also attempt to impersonate an OpenID Provider by publishing a Discovery document that contains an issuer Claim using the Issuer URL of the OP being impersonated, but with its own endpoints and signing keys. This would enable it to issue ID Tokens as that OP, if accepted by the RP. To prevent this, RPs MUST ensure that the Issuer URL they are using for the Configuration Request exactly matches the value of the issuer Claim in the OP Metadata document received by the RP and that this also exactly matches the iss Claim value in ID Tokens that are supposed to be from that Issuer.
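The following is an added example, not code from the specification, covering the configuration-request and validation steps above: building the request URL from an Issuer that has a path component (trailing "/" removed before appending /.well-known/openid-configuration), a TLS context that verifies the server certificate against the host name, the REQUIRED metadata members, the exact-match check between the Issuer URL used as prefix and the issuer Claim, and the matching check on an ID Token's iss Claim. Validation failures raise, so the caller aborts and never uses the data. The comparison is a plain string comparison with no normalisation, which is the conservative reading of "identical". The https check on endpoint values is this example's own hardening beyond the text above. `EXAMPLE_ISSUER`, the host names and both metadata documents are constructed for illustration.

```python
import json
import ssl
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Metadata members marked REQUIRED in OpenID Provider Metadata.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "jwks_uri",
                     "response_types_supported", "subject_types_supported",
                     "id_token_signing_alg_values_supported")


class DiscoveryError(Exception):
    """Validation failed: the caller MUST abort and MUST NOT use the data."""


def make_tls_context() -> ssl.SSLContext:
    """Context for the Configuration Request: verify the chain and the host name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True              # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def configuration_url(issuer: str) -> str:
    """Issuer URL -> Configuration Request URL, removing any terminating '/' first."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise DiscoveryError(f"Issuer must be an https URL without query/fragment: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


def validate_configuration(issuer: str, body: str) -> dict:
    """Parse the response and enforce the checks; 'issuer' is the URL used as prefix."""
    try:
        metadata = json.loads(body)
    except json.JSONDecodeError as exc:
        raise DiscoveryError("configuration response is not valid JSON") from exc
    if not isinstance(metadata, dict):
        raise DiscoveryError("configuration response is not a JSON object")
    missing = [k for k in REQUIRED_METADATA if k not in metadata]
    if missing:
        raise DiscoveryError(f"REQUIRED metadata missing: {missing}")
    if metadata["issuer"] != issuer:
        # Defeats the impersonation above: a document fetched from another host
        # cannot simply claim this Issuer, because the prefix used will not match.
        raise DiscoveryError(
            f"issuer claim {metadata['issuer']!r} != Issuer URL {issuer!r}")
    # Example's own hardening: an http endpoint would undo the TLS protection.
    for key, value in metadata.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and urlsplit(value).scheme != "https":
            raise DiscoveryError(f"{key} is not an https URL: {value!r}")
    return metadata


def configuration_is_acceptable(issuer: str, body: str) -> bool:
    """Boolean verdict for callers that do not need the reason."""
    try:
        validate_configuration(issuer, body)
    except DiscoveryError:
        return False
    return True


def id_token_issuer_matches(metadata: dict, id_token_claims: dict) -> bool:
    """The ID Token's iss Claim MUST be identical to the validated issuer."""
    return id_token_claims.get("iss") == metadata["issuer"]


# Constructed samples (hypothetical hosts).
EXAMPLE_ISSUER = "https://op.example.com/issuer1"
GOOD_METADATA = json.dumps({
    "issuer": EXAMPLE_ISSUER,
    "authorization_endpoint": "https://op.example.com/issuer1/authorize",
    "token_endpoint": "https://op.example.com/issuer1/token",
    "jwks_uri": "https://op.example.com/issuer1/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Impersonation attempt as described above: legitimate issuer Claim, attacker's
# endpoints and keys. It can only be served from the attacker's own host.
SPOOFED_METADATA = json.dumps({
    "issuer": EXAMPLE_ISSUER,
    "authorization_endpoint": "https://attacker.example.net/authorize",
    "token_endpoint": "https://attacker.example.net/token",
    "jwks_uri": "https://attacker.example.net/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(configuration_url(EXAMPLE_ISSUER + "/"))
    meta = validate_configuration(EXAMPLE_ISSUER, GOOD_METADATA)
    print("legitimate document accepted, jwks_uri =", meta["jwks_uri"])
    print("spoofed document, fetched from attacker host, accepted?",
          configuration_is_acceptable("https://attacker.example.net", SPOOFED_METADATA))
```

Note the complementary roles of the two checks: the issuer comparison rejects a spoofed document when the RP was led to fetch it from the attacker's host, while the TLS certificate check on the Issuer's own host name is what stops an attacker from answering the request for the legitimate Issuer URL with the spoofed document in the first place.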
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
Our mission is to spark a lifelong love of learning and discovery in the hearts of young people through science-based programs and exhibits that inspire and educate. Through our engaging and interactive programs, exhibits, and events, we strive to make a meaningful impact on the communities we serve and inspire the next generation of scientific thinkers.
With two dynamic campuses in Orange County and Los Angeles, we offer hundreds of hands-on exhibits, educational programs, science camps, and special events that allow kids to discover the wonders of the world around them and ignite their curiosity in STEM.
Discovery, in the law of common law jurisdictions, is a phase of pretrial procedure in a lawsuit in which each party, through the law of civil procedure, can obtain evidence from other parties by means of methods of discovery such as interrogatories, requests for production of documents, requests for admissions and depositions. Discovery can be obtained from nonparties using subpoenas. When a discovery request is objected to, the requesting party may seek the assistance of the court by filing a motion to compel discovery.[2] Conversely, a party or nonparty resisting discovery can seek the assistance of the court by filing a motion for a protective order.
Discovery evolved out of a unique feature of early equitable pleading procedure before the English Court of Chancery: among various requirements, a plaintiff's bill in equity was required to plead "positions". These were statements of evidence that the plaintiff assumed to exist in support of his pleading and which he believed lay within the knowledge of the defendant. They strongly resembled modern requests for admissions, in that the defendant was required to plead only whether they were true or false.[3] The practice of pleading positiones in canon law (which influenced Chancery procedure) had originated with "the practice of the courts of the Italian communes in the early thirteenth century".[4] Although canonists also looked to Roman law, positiones were unknown to the Romans.[4]
At some point between the reign of Elizabeth I (1558-1603) and the late seventeenth century, positions were gradually replaced by interrogatories: written questions which the defendant was required to truthfully respond to under oath in his answer to the bill, based on information within his own personal knowledge as well as documents in his possession. But back then, interrogatories could only elicit admissible evidence (not the broader modern standard of "reasonably calculated to lead to the discovery of admissible evidence") and could only request evidence in support of the plaintiff's case, not either side's case (that is, they could not ask for evidence which the defendant intended to use in support of his defenses and was otherwise entirely irrelevant to the plaintiff's case). Even worse, this was purely a one-way procedure, because interrogatories could only be pleaded as part of a bill (a pleading initiating a suit in equity). A defendant who needed to obtain evidence in support of his defenses had to file a cross-bill against the plaintiff to plead his own interrogatories.[3]
Discovery did not exist at common law, but its availability in equity attracted litigants in actions at law (legal proceedings in the common law courts). They began to file bills in equity to obtain discovery in aid of actions at law. This led to another innovation in the mid-15th century: the bill to perpetuate testimony of a potential witness. This was for witnesses whose advanced age or poor health implied they would not survive to testify at the trial of an action at law.[3]