3. Self-Issued OpenID Provider
Personal OP that issues self-signed ID Tokens
No central IdP servers
Defined in OpenID Connect Messages
http://j.mp/self-issued
Available on any app / device with secure storage
e.g. iOS app with Keychain
4. 1) Launches “openid://?client_id=client://callback&..”
No discovery (static OP config)
No client registration (client_id = redirect_uri)
2) End-user approval
3) Self-issued ID Token generation
Generate RSA key pair on the device (only once)
“sub” is automatically calculated by the public key
4) Back to “client://callback#id_token=...”
No API available, thus no Access Token
5) ID Token Verification
6. The sub (subject) Claim value is the base64url encoded SHA-256 hash of the concatenation of the bytes of the UTF-8 representations of the base64url encoded key values in the sub_jwk Claim.
OpenID Connect Messages draft 18, Section 6.5
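Added example (not from the slides): the sub derivation above, implemented as the Relying Party's check in step 5), so that an ID Token whose "sub" is not bound to the key in "sub_jwk" is rejected. It assumes the hashed key values are the RSA "n" and "e" members, concatenated in that order, which the slide does not state; the JWK below is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import hmac


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used in JWK and JWT encodings."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def self_issued_sub(sub_jwk: dict, value_names=("n", "e")) -> str:
    """Derive the draft-18 self-issued 'sub' from the sub_jwk Claim.

    Assumption (not stated on the slide): the key values hashed are the RSA
    modulus 'n' and exponent 'e', in that order, each taken as the base64url
    string already present in the JWK (no decoding or re-encoding).
    """
    concatenated = "".join(sub_jwk[name] for name in value_names).encode("utf-8")
    return b64url_encode(hashlib.sha256(concatenated).digest())


def sub_matches_key(claims: dict) -> bool:
    """Step 5) check: 'sub' must equal the hash of the key in 'sub_jwk'.

    Returns False when either claim is missing, so a token that omits the
    key binding cannot pass by accident.
    """
    if "sub" not in claims or "sub_jwk" not in claims:
        return False
    expected = self_issued_sub(claims["sub_jwk"])
    # constant-time comparison; both values are short ASCII strings
    return hmac.compare_digest(expected, claims["sub"])


# Constructed sample sub_jwk: placeholder values, not a usable RSA key.
SAMPLE_SUB_JWK = {
    "kty": "RSA",
    "n": "vLXZ0kJ1y8M2aNcQ7fE9rT3uW6bH8pK1mS4vX0zC2dF5gJ7hL9nP1qR3tU5wY7",
    "e": "AQAB",
}

if __name__ == "__main__":
    # The OP computes 'sub' from its own key; the RP recomputes and compares.
    token_claims = {"sub_jwk": SAMPLE_SUB_JWK, "sub": self_issued_sub(SAMPLE_SUB_JWK)}
    print("sub:", token_claims["sub"], "bound to key:", sub_matches_key(token_claims))
```

The final OpenID Connect Core 1.0 specification later replaced this hash-of-values rule with the JWK Thumbprint (RFC 7638), so an RP must apply the rule matching the draft the OP implements.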