Abstract

This specification defines the "SIOP DID Profile" (SIOP DID) that is a DID AuthN flavor to use OpenID Connect (OIDC) together with the strong decentralization, privacy and security guarantees of Decentralized Identifiers (DID) for everyone who wants to have a generic way to integrate Identity Wallets into their web applications.

SIOP DID is a draft specification being developed within the Decentralized Identity Foundation (DIF). This spec will be updated to reflect relevant changes, and participants are encouraged to contribute at the following repository location: https://github.com/decentralized-identity/did-siop

Terminology

Term Description
DID Decentralized Identifier as per [[DID]]
DID Document DID Document as per [[DID]]
SIOP DID Self-Issued OpenID Connect Provider DID profile. Refers to a specific flavor of DID AuthN used in the OIDC SIOP flow.
JWT JSON Web Token as per [[RFC7797]]
JWE JSON Web Encryption as per [[RFC7516]]
JWS JSON Web Signature as per [[RFC7515]]
JWK JSON Web Key as per [[RFC7517]]
JWKS JWK Set as per [[RFC7517]]
OIDC OpenID Connect as per [[?OIDC.Core]]
OIDC client Used synonymously with Relying Party (see RP)
OP OpenID Provider as per [[?OIDC.Core]]
SIOP Self-Issued OpenID Provider as per [[?OIDC.Core]]
RP Relying Party, as used in [[?OIDC.Core]]
Identity Wallet An Identity Wallet refers to a application that is under the control and acts on behalf of the DID holder. This Also known as an identity agent. The Identity Wallet can have different form factors such as a mobile app, browser extension/ plugin etc.
DID AuthN Refers to a method of proofing control over a DID for the purpose of authentication.

Introduction

An everyday use case that the Decentralized Identity community identified is the sign-up or login with web applications. Nowadays, this is often achieved through social login schemes such as Google Sign-In. While the Decentralized Identity community has serious concerns about social login, the underlying protocol, OIDC, does not have these flaws by design. SIOP DID provides great potential by leveraging an Identity Wallet, e.g., as a smartphone app, on the web. This will increase and preserve the user’s privacy by preventing third-parties from having the ability to track which web applications a user is interacting with.

While this specification focuses on the integration of Identity Wallets in the form of browser extensions/ plugins, or smartphone apps, it does not prevent implementers using the proposed flow in different scenarios as well, e.g., between two web services with pre-populated DIDs.

Purpose

The main purpose is to sign up with/ login to an RP, i.e., web application. It assumes the user operates a mobile or desktop browser or a browser-based app that can respond to SIOP requests according to this specification.

The SIOP flow is conducted peer-to-peer between the RP and the SIOP. This could be used to authenticate holders based on their DID, to setup/ bootstrap a DID Comm connection with any DID routing that you may need, or to provide the login_hint to an OpenID Connect service in the DID Document supporting the Client-Initiated Backend Channel (CIBA) as per [[?OIDC.CIBA]].

Goals

The main goals of this specification are:

Protocol Flow

It is assumed that the user owns an Identity Wallet implementing the SIOP DID specification. It is further assumed that the user is operating a mobile or desktop browser to visit a web application or is using a mobile app under the control of the RP that supports DID SIOP authentication requests.

This specification supports the Regular-device Flow and the Multi-device Flow. The abstract protocol flow is as follows:

RP Meta-data

In contrast to other OIDC flows, e.g., Authorization Code Flow, RPs can provide client meta-data in the registration request parameter.

In addition to RS256, an SIOP according to this specification MUST support EdDSA and ES256K [[!draft-ietf-cose-webauthn-algorithms-03]] for request_object_signing_alg and request_object_signing_alg can be omitted. RPs implementing the DID AuthN profile MUST not use none for request_object_signing_alg.

The RP MUST provide jwks_uri or jwks in the registration parameter which correlate with the DID Document of the RP. jwks_uri MUST use the HTTP(S) DID Resolution Binding as per [[DID.Resolution]] for backward compatibility reasons with plain SIOP OPs. The jwks request parameter SHOULD be used only if the public key cannot be directly obtained from the DID Document.

RPs can decide to receive the <SIOP DID Response> encrypted. To enable encryption, the registration parameter MUST use id_token_encrypted_response_alg and id_token_encrypted_response_enc according to OIDC Client Metadata [[!OIDC.Registration]]. See SIOP DID Encryption for more information.

Regular Flow

The Regular Flow can be used if the entire flow is conducted on the same device, e.g., desktop or mobile phone. Typically, the initial authentication request is created in response to a 302 HTTP redirect, or clicking on a button/ link on the web page or inside a mobile app under the control of the RP.

The following diagram is a non-normative example of the Regular Flow:

Regular flow using mobile phone.
: Regular Flow with a mobile browser as the User-Agent and an Identity Wallet app as the SIOP.

Request (Regular-device Flow)

The request contains scope, response_type and client_id as query string parameters for backward compatibility with the OAuth2 specification [[!RFC6749]]. response_type MUST be id_token and client_id MUST specify the callback URL of the RP (as per [[!OIDC.Core]]). All other OIDC request parameters MUST be provided in an Request Object as per [[!OIDC.Core]] which is encoded as a JWT. This enables the RP to authenticate against the SIOP using the RP's DID. The Request Object can be passed by value in the request request parameter, or by reference using the request_uri parameter.

The Request Object follows the OIDC specification, e.g., adding nonce, state, response_type, and client_id parameters.

This specification introduces additional rules for request parameters and claims in the Request Object:

  • REQUIRED. iss MUST contain the DID of the RP that can be resolved to a DID Document. The DID Document MUST contain a verification method in the authentication section, e.g., public key, that allows the SIOP to verify the Request Object.

    • By default, the iss claim refers to the client_id but SIOP assumes that client_id is the callback URL of the RP. That is the reason why the DID is not encoded in the client_id. It is compliant with the OIDC specification to use different values for iss and client_id.

  • REQUIRED. kid MUST be a DID URL referring to a verification method in the authentication section in the RP's DID Document, e.g., did:example:0xab#key1. The SIOP MUST be able to use that verification method to verify the Request Object directly or indirectly. Additionally, the referred JWKS in the registration parameter MUST contain an entry with the same kid.
  • REQUIRED. scope MUST include did_authn to indicate the SIOP DID profile is used.
  • REQUIRED. registration MUST be included in the Request Object
  • REQUIRED. client_id MUST be repeated in the Request Object
  • OPTIONAL. did_doc MUST contain the DID Document that corresponds to the DID in the iss claim.
  • OPTIONAL. response_mode specifies how the response is returned to the callback URL by the SIOP. SIOP implementing this specification MAY set the response_mode to form_post. fragment is the default Response Mode. RPs MUST take into consideration the platform of the User-Agent when specifying this request parameter.

    • See OAuth 2.0 Form Post Response Mode [[?OAuth2.FormPost]] and OAuth 2.0 Multiple Response Type Encoding Practices [[?OAuth2.ResponseTypes]] for more information about response_mode.

The following is a non-normative example of the JWT header of a Request Object: 

                {
                   "alg": "ES256K",
                   "typ": "JWT",
                   "kid": "did:example:0xab#veri-key1"
                }

The following is a non-normative example of the JWT payload of a Request Object without requesting <SIOP DID Response> encryption: 

                {
                    "iss": "did:example:0xab",
                    "response_type": "id_token",
                    "client_id": "https://my.rp.com/cb",
                    "scope": "openid did_authn",
                    "state": "af0ifjsldkj",
                    "nonce": "n-0S6_WzA2Mj",
                    "response_mode" : "form_post",
                    "registration" : {
                        "jwks_uri" : "https://uniresolver.io/1.0/identifiers/did:example:0xab;transform-keys=jwks",
                        "id_token_signed_response_alg" : [ "ES256K", "EdDSA", "RS256" ]
                    }
                }

The following is a non-normative example HTTP 302 redirect response by the RP, which triggers the User-Agent to make an SIOP DID Authentication Request using Request Object by value to the SIOP (with line wraps within values for display purposes only): 

                HTTP/1.1 302 Found
                Location: openid://?
                    &client_id=https%3A%2F%2Frp.example.com%2Fcb
                    &scope=openid%20did_authn
                    &request=<JWT>

The following is a non-normative example HTTP 302 redirect response by the RP, which triggers the User-Agent to make an SIOP DID Authentication Request using Request Object by reference to the SIOP (with line wraps within values for display purposes only): 

                HTTP/1.1 302 Found
                Location: openid://?
                    response_type=id_token
                    &client_id=https%3A%2F%2Frp.example.com%2Fcb
                    &scope=openid%20did_authn
                    &request_uri=https%3A%2F%2Frp.example.com%2F90ce0b8a-a910-4dd0

Request Validation (Regular-device Flow)

The SIOP MUST validate the <SIOP DID Request> by following the Self-Issued ID Token Validation rules as per [[!OIDC.Core]].

The step described above ensures that the Request Object is verified according to the OIDC specification. This includes basic JWS verification.

If scope contains the did_authn scope, the receiving SIOP MUST further validate the <SIOP DID Request> as follows in no particular order:

  • If no did_doc is present, resolve the DID Document from the RP's DID specified in the iss request parameter.
  • If did_doc is present, ensure this is a viable channel to exchange the RP's DID Document according to the applicable DID method.
  • If jwks_uri is present, ensure that the DID in the jwks_uri matches the DID in the iss claim.
  • Determine the verification method from the RP's DID Document that matches the kid of the <SIOP DID Request>.
  • Verify the <SIOP DID Request> according to the verification method above. This step depends on the verification method in the authentication section in the DID Document and is out-of-scope of this specification.

If the key pair that signed the <SIOP DID Request> refers to the same key as indicated by the verification method, then no additional verification has to be done as the SIOP validation will verify the signature of the JWS.

Response (Regular-device Flow)

The SIOP MUST generate and send the <SIOP DID Response> to the RP as described in the Self-Issued OpenID Provider Response section in [[!OIDC.Core]]. The id_token represents the <SIOP DID Response> encoded as a JWS, or nested JWS/JWE.

This specification introduces additional rules for claims in the id_token:

  • REQUIRED. sub_jwk MUST contain a kid that is a DID URL referring to the verification method in the SIOP's DID Document that can be used to verify the JWS of the id_token directly or indirectly.
  • REQUIRED. did MUST be the SIOP's DID.
  • OPTIONAL. did_doc MUST be the SIOP's DID Document corresponding to did in JSON encoding.

The sub_jwk claim has to be provided for backward compatibility reasons. The verification method in the DID Document can be different from a public key and can use a publicKey property value other than publicKeyJwk.

The following is a non-normative example of the JWT header of an id_token using no encryption: 

                {
                    "alg": "ES256K",
                    "typ": "JWT",
                    "kid": "did:example:0xab#key-1"
                }

The following is a non-normative example of the unencrypted JWT payload of an id_token: 

                {
                   "iss": "https://self-issued.me",
                   "nonce": "n-0S6_WzA2Mj",
                   "exp": 1311281970,
                   "iat": 1311280970,
                   "sub_jwk" : {
                      "crv":"secp256k1",
                      "kid":"did:example:0xcd#verikey-1",
                      "kty":"EC",
                      "x":"7KEKZa5xJPh7WVqHJyUpb2MgEe3nA8Rk7eUlXsmBl-M",
                      "y":"3zIgl_ml4RhapyEm5J7lvU-4f5jiBvZr4KgxUjEhl9o"
                   },
                   "sub": "9-aYUQ7mgL2SWQ_LNTeVN2rtw7xFP-3Y2EO9WV22cF0",
                   "did": "did:example:0xcd"
                }

Response Validation (Regular-device Flow)

The RP MUST validate the <SIOP DID Response> as described in the Self-Issued ID Token Validation section in [[!OIDC.Core]]. This includes:

  • Optionally decrypting the JWE to obtain the JWS which contains the id_token.
  • Verifying that the id_token was signed by the key specified in the sub_jwk claim.

Additionally, the RP MUST validate the id_token against the SIOP's DID Document as follows:

  • If no did_doc is present, resolve the DID Document from the SIOP's DID specified in the did claim.
  • If did_doc is present, ensure this is a viable channel to exchange the SIOP's DID Document according to the applicable DID method.
  • Determine the verification method from the SIOP's DID Document that matches the kid of the sub_jwk claim in the id_token.
  • Verify the id_token according to the verification method above. This step depends on the verification method in the authentication section in the DID Document and is out-of-scope of this specification.

If the key pair that signed the id_token refers to the same key as indicated by the verification method, then no additional verification has to be done as the SIOP validation will verify the signature of the JWS.

Multi-device Flow

SIOP as per [[OIDC.Core]] does not consider multi-device flows, e.g., the user starts in the desktop browser and finishes the authentication flow on the mobile device. Because this is a common pattern in the decentralized identity community, this specification has explicit support for this flow. To prevent certain attacks such as session fixation, additional device binding as described in Device Binding MUST be performed.

The high-level flow for Device Binding is as follows:

The approach is borrowed from OAuth2 Device Flow [[RFC8628]]. Note, that OAuth2 Device Flow cannot be used as the device is the OP itself and the RP cannot poll requests to the SIOP as in most cases, the device cannot expose public endpoints without additional infrastructure, e.g., a mobile phone.

The following diagram is a non-normative example of the Multi-device Flow:

Multi-device flow using QR Code.
: Multi-device Flow with a Desktop browser as the User-Agent and an Identity Wallet app as the SIOP using QR Code.

Request (Multi-device Flow)

The RP MUST follow the rules in Request (Regular Flow) to generate the <SIOP DID Request>.

Additionally, the Request Object in the <SIOP DID Request> MUST contain the following parameters:

  • REQUIRED. verification_uri MUST contain the verification URI that points to an endpoint on the RP to check whether the user has repeated the user_code. The presence of verification_uri also indicates the Multi-device flow is requested. The details of the interface is described in Device Binding.
  • REQUIRED. device_code MUST contain the device verification code. The RP SHOULD use the device_code to authorize the <Device Binding Requests> from the SIOP. As the device_code is not displayed to the user and thus there are no usability considerations on the length, a very high entropy code SHOULD be used.
  • REQUIRED. expires_in MUST contain the lifetime in seconds of the device_code after when the SIOP MUST stop polling requests to the verification URI.
  • OPTIONAL. interval MUST contain the minimum amount of time in seconds that the client SHOULD wait between polling requests to the verification URI. If no value is provided, clients MUST use 5 as the default.

See Device Binding for more details on the usage of verification_uri, device_code, expires_in and interval.

Request Validation (Multi-device Flow)

The SIOP MUST follow the rules in Request Validation (Regular Flow) to validate the <SIOP DID Request>.

Additionally, the following validation rules MUST be applied:

  • If no verification_uri is present, then continue with the Regular-device Flow.
  • If verification_uri is present, then Device Binding has to be performed before the <SIOP DID Response> is sent to the RP.

Device Binding (Multi-device Flow)

The SIOP extracts the parameters from the <SIOP DID Request> that were described in Request (Multi-device Flow).

Then, the SIOP generates a user_code. The user_code is typed by the user. For this reason, shorter codes are more desirable for usability reasons. This means the entropy is typically less than would be used for the device_code where the code length does not impact usability. Therefore, it is RECOMMENDED that the server rate-limit user_code attempts. The user_code SHOULD have enough entropy that, when combined with rate-limiting and other mitigations, a brute-force attack becomes infeasible.

The SIOP SHOULD then continuously poll the verification_uri endpoint with the device_code and user_code as detailed in Device Binding Request and Device Binding Response, until the user completes the interaction, the user_code or device_code expires, or another error occurs.

RPs supporting this specification MUST implement a user interaction sequence that allows users to supply the user_code at some stage during the interaction. Other than that, the exact sequence and implementation of the user interaction is up to the RP.

Device Binding Request

The SIOP sends the <Device Binding Request> to the verification URI. Between polling requests to the verification URI, the SIOP considers the device binding parameters enclosed in the <SIOP DID Request> which are detailed in Request (Multi-device Flow).

All requests from the SIOP MUST use the Transport Layer Security (TLS) protocol [[RFC8446]] and implement the best practices of BCP 195 [[RFC7525]].

The verification URI endpoint MUST support HTTP POST and MUST accept the <Device Binding Request> provided as a JSON object with Content-Type of the HTTP request set to application/json.

The <Device Binding Request> MUST contain the following parameters:

  • REQUIRED. device_code MUST contain the device verification code as described in Request (Multi-device Flow).
  • REQUIRED. user_code MUST contain the user code as described in Device Binding.
  • REQUIRED. expires_in MUST contain the expiration date of the user_code in seconds, after when RPs MUST reject the <Device Binding Request>.

Parameters sent without a value MUST be treated as if they were omitted from the request. The RP MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once.

For example, the SIOP makes the following HTTPS request: 

                POST /device_verification HTTP/1.1
                Host: server.example.com
                Content-Type: application/json

                {
                  "device_code" : "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
                  "user_code" : "WDJB-MJHT",
                  "expires_in" : 1800
                }

Device Binding Response

If the user has repeated the user_code for the device_code on time, the verification URI endpoint MUST respond with a success response with a 200 (OK) status code in case the Device Binding was successful; otherwise, it MUST respond with an error response, as defined in Section 5.2 of [[RFC6749]]. Instead of the error codes defined in Section 5.2 of [[RFC6749]], the following error codes are specified for use with the Device Binding:

  • authorization_pending: The RP request is still pending as the end user hasn't yet completed the user-interaction steps. The SIOP SHOULD repeat the request to the verification URI endpoint (a process known as polling). Before each new request, the SIOP MUST wait at least the number of seconds specified by the interval parameter of the <SIOP DID Request>, or 5 seconds if none was provided, and respect any increase in the polling interval required by the slow_down error.
  • slow_down: A variant of authorization_pending, the <Device Binding Request> is still pending and polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests.
  • expired_token: The device_code has expired and the device binding session has concluded. The SIOP SHOULD stop polling and send the <SIOP DID Response>.
  • access_denied: The end user denied the request and the SIOP SHOULD stop polling and send the <SIOP DID Response>.

The authorization_pending and slow_down error codes define particularly unique behavior, as they indicate that the SIOP should continue to poll the verification URI by repeating the <Device Binding Request> (implementing the precise behavior defined above). If the SIOP receives an error response with any other error code, it MUST stop polling and SHOULD react accordingly, for example, by displaying an error to the user.

On encountering a connection timeout, SIOPs MUST unilaterally reduce their polling frequency before retrying. The use of an exponential backoff algorithm to achieve this, such as by doubling the polling interval on each such connection timeout, is RECOMMENDED.

The assumption of this specification is that the RP does not have a way to communicate back to the SIOP. This protocol only requires a one-way channel in order to maximise the viability of the protocol in restricted environments, like a SIOP on a mobile phone that is only capable of outbound requests. If a return channel were to exist for the chosen user interaction interface, then the SIOP MAY wait until notified on that channel that the user has completed the action before sending the <SIOP DID Response> (as an alternative to polling). Such behavior is, however, outside the scope of this specification.

For example, the RP responds the following HTTPS response in case the request was successful: 

                HTTP/1.1 200 OK
                Cache-Control: no-store
                Pragma: no-cache

For example, the RP responds the following HTTPS response in case of an error: 

                HTTP/1.1 400 Bad Request
                Content-Type: application/json;charset=UTF-8
                Cache-Control: no-store
                Pragma: no-cache

                {
                  "error" : "invalid_request",
                  "error_description" : "Some error description"
                }

Response (Multi-device Flow)

The SIOP MUST perform Device Binding. Then, the SIOP MUST follow the rules in Response (Regular Flow) to generate the <SIOP DID Response>.

Response Validation (Multi-device Flow)

The RP MUST follow the rules in Response Validation (Regular Flow) to validate the <SIOP DID Response>. Additionally, RPs implementing this specification MUST reject the <SIOP DID Response> without prior successful Device Binding.

Discovery

The SIOP specification assumes the following OP discovery meta-data: 

            "id_token_signing_alg_values_supported": ["RS256"],
            "request_object_signing_alg_values_supported": ["none", "RS256"]

The DID AuthN profile assumes the following OP discovery meta-data: 

            "id_token_signing_alg_values_supported": ["RS256", "ES256K", "EdDSA"],
            "request_object_signing_alg_values_supported":
               ["none", "RS256", "ES256K", "EdDSA"]

This change will allow DID AuthN enabled RPs to use additional signature algorithms commonly used amongst members of the SSI community.

"Self-Issued OpenID Provider Discovery" IS NOT normative and does not contain any MUST, SHOULD, or MAY statements. Therefore, using a different signing algorithmn than RS256 shouldn't break the SIOP specification. An DID AuthN enabled RP would provide id_token_signed_response_alg to indicate which signature algorithms other than RS256 are supported, and can assume that SIOP implementing the DID AuthN profile support any of the additional algorithms.

Encryption

JWE encryption MUST use Diffie-Hellman key agreement, i.e., algorithm `ECDH-ES` using the `X25519` curve which uses direct key agreement with an ephemeral key as described in [[!draft-amringer-jose-chacha-00]]. This means that a symmetric key is derived using Diffie-Hellman from the RP's public key and a randomly generated ephemeral private key. The corresponding ephemeral public key is included in the header of the JWE in the `epk` and the derived symmetric key is used to directly encrypt the JWT content. For symmetrically encrypting the content `XChaCha20Poly1305` is used which has algorithm code `XC20P`.

The following is an example of the protected header of the resulting JWE: 

                {
                   "alg": "ECDH-ES",
                   "epk":
                   {
                     "kty": "OKP",
                     "crv":"X25519",
                     "x":"hSDwCYkwp1R0i33ctD73Wg2_Og0mOBr066SpjqqbTmo"
                   }
                   "enc": "XC20P",
                   "kid": "did:example:0xab#key-1"
                }

Note that the `kid` above denotes the DID and key of the RP, i.e., this public key is the key used by the sender together with the ephemeral private key in order to derive the shared secret. For the encryption the 24 bytes nonce field in the `XChaCha20` algorithm is used as the initialization vector. The authentication tag is the MAC computed by the `Poly1305` function. It is 16 bytes long.

The message to be encrypted is the JWT of the `id_token`, including header and signature. The JWT is encoded via base64url before encryption.

For the final encoding of the JWE the JWE Compact Serialization outlined in [[!RFC7516]] is used. The structure of the message is as follows: 

                BASE64URL(JWE Protected Header) || '.' || '.' ||
                BASE64URL(JWE Initialization Vector) || '.' ||
                BASE64URL(JWE Ciphertext) || '.' ||
                BASE64URL(JWE Authentication Tag)

Note the two '.' characters above which indicates that the encrypted key is empty since we are using direct key agreement.

UX Considerations

SIOP uses the custom URL scheme openid://. Mobile browsers would open the app that registered that scheme. Desktop browser extensions/ plugins have support for similar functionality. It is out of the scope of the spec under which circumstances a QR code will be rendered. One option will be to provide the QR code if the user is using the desktop browser, and no browser extension/ plugin is available.

On Android, the user can choose which app should open if multiple apps registered the same custom URL scheme. On iOS, the behavior is undefined. One approach would be to check if the user is on an iOS device and then, won't render the button if this is a concern. A fallback on iOS could be the use of custom mime types, but unusual UX has to be considered. Note, this issue is not specific to SIOP only but affects all apps using custom URL schemes. In case a QR Code is used where the user has to open the app first and has to scan the QR Code, this issue is mitigated.

Security Considerations

Threat: Interception of the Redirect URI

If an attacker can cause the <SIOP DID Response> to be sent a URI under his control, he will directly get access to the fragment carrying the id_token.

This attack can be mitigated by hardening the RP, e.g., no support for the open redirector pattern.

Threat: Identity Token Leak in Browser History

An attacker could obtain the <SIOP DID Response> from the browser's history.

This attack cannot be fully mitigated. It is RECOMMENDED to use short expiration times for id_token, and indicating that browsers should not cache the response.

Threat: Identity Token Leak to Third Party Scripts

It is relatively common to use third-party scripts on RP pages, such as analytics tools, crash reporting. The author of the application may not be able to be fully aware of the entirety of the code running in the application. When a <SIOP DID Response> is returned in the fragment, it is visible to any third-party scripts on the page.

This attack could be mitigated by using trusted/ audited third party scripts on the RP's page, or browser-based app.

Countermeasures

Use response_mode=form_post whenever possible to mitigate the risks described above. Under some circumstances, e.g., this will not be possible as such in the case of purely decentralized apps (dApp).

Additional Security Considerations

The OWASP Foundation maintains a set of security recommendations and best practices for web applications, and it is RECOMMENDED to follow these best practices when creating an SIOP or RP based on this specification.

IANA Considerations

This specification registers the did and did_doc claims in the IANA JSON Web Token Claims registry defined in JWT.

OIDC Considerations

This specification aims to be backward compatible with existing OIDC clients and OPs that implement the SIOP specification. Although the SIOP specification is part of the OIDC core specification, it is not widely adopted yet. One of the reasons was that not many apps existed that provided functionality we can find in Identity Wallets. Nevertheless, SIOP uses the same or similar request and response messages and should be easy to allow OIDC vendors to upgrade existing OIDC clients to support SIOP.