OIDC Metadata Specifications - Digital-Platform-Services/My-NS-Account GitHub Wiki
The table below outlines all the possible metadata fields, along with the type, requirement, and value restrictions for Confidential Clients.
| ID | Field | Type | Required? | Restrictions |
|---|---|---|---|---|
| 1 | redirect_uris | Char. string array | Required | |
| 2 | response_types | JSON array | Optional | If given, must be set to code |
| 3 | grant_types | JSON array | Optional | If given, must be set to authorization_code |
| 4 | application_type | Char. String | Required | Must be “web” |
| 5 | contacts | Char. string array | Unsupported | |
| 6 | client_name | Char. String | Required | Shown on Services page, should be human readable |
| 7 | logo_uri | URL | Unsupported | |
| 8 | client_uri | URL | Unsupported | |
| 9 | policy_uri | URL | Unsupported | |
| 10 | tos_uri | URL | Unsupported | |
| 11 | jwks_uri | URL | Optional | Required if jwks (ID #12) not provided |
| 12 | jwks | JSON JWK | Optional | Required if jwks_uri (ID #11) not provided |
| 13 | sector_identifier_uri | URL | Optional | Defaults to client_id if not provided |
| 14 | subject_type | Char. String | Optional | If given, must be pairwise |
| 15 | id_token_signed_response_alg | Char. String | Optional | If given, must be one of: RS256 (default), RS384, RS512 |
| 16 | id_token_encrypted_response_alg | Char. String | Optional | If given, must be RSA-OAEP-256 |
| 17 | id_token_encrypted_response_enc | Char. String | Optional | If given, must be one of: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 (default) |
| 18 | userinfo_signed_response_alg | Char. String | Optional | If given, must be one of: RS256 (default), RS384, RS512 |
| 19 | userinfo_encrypted_response_alg | Char. String | Optional | If given, must be RSA-OAEP-256 |
| 20 | userinfo_encrypted_response_enc | Char. String | Optional | If given, must be one of: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 (default) |
| 21 | request_object_signing_alg | Char. String | Required | Must be one of: RS256 (default), RS384, RS512 |
| 22 | request_object_encryption_alg | Char. String | Optional | If given, must be RSA-OAEP-256 |
| 23 | request_object_encryption_enc | Char. String | Optional | If given, must be one of: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 (default) |
| 24 | token_endpoint_auth_method | Char. String | Required | Must be “private_key_jwt” |
| 25 | token_endpoint_auth_signing_alg | Char. String | Optional | If given, must be one of: RS256 (default), RS384, RS512 |
| 26 | default_max_age | | Unsupported | |
| 27 | require_auth_time | Boolean | Optional | |
| 28 | default_acr_values | Char. String | Optional | If given, must be one of: urn:gc-ca:cyberauth:assurance:loa2, urn:gc-ca:cyberauth:assurance:loa3 |
| 29 | initiate_login_uri | URL | Optional | |
| 30 | request_uris | URL array | Unsupported | |
| 31 | backchannel_logout_uri | URL | Required | |
| 32 | backchannel_logout_session_required | Boolean | Optional | |
| 33 | post_logout_redirect_uris | URL array | Optional | |
| 34 | client_id | Char. String | Required | Recommended to be URL of service |
| 35 | client_secret | Char. String | Unsupported | |
| 36 | edit_profile_return_url | URL | Optional | |
The table below outlines all the possible metadata fields, along with the type, requirement, and value restrictions for Public Clients.
| ID | Field | Type | Required? | Restrictions |
|---|---|---|---|---|
| 1 | redirect_uris | Char. string array | Required | |
| 2 | response_types | JSON array | Optional | If given, must be set to code |
| 3 | grant_types | JSON array | Optional | If given, must be set to authorization_code |
| 4 | application_type | Char. String | Required | Must be “native” |
| 5 | contacts | Char. string array | Unsupported | |
| 6 | client_name | Char. String | Required | Shown on Services page, should be human readable |
| 7 | logo_uri | URL | Unsupported | |
| 8 | client_uri | URL | Unsupported | |
| 9 | policy_uri | URL | Unsupported | |
| 10 | tos_uri | URL | Unsupported | |
| 11 | jwks_uri | URL | Optional | |
| 12 | jwks | JSON JWK | Optional | |
| 13 | sector_identifier_uri | URL | Optional | Defaults to client_id if not provided |
| 14 | subject_type | Char. String | Optional | If given, must be pairwise |
| 15 | id_token_signed_response_alg | Char. String | Optional | If given, must be one of: RS256 (default), RS384, RS512 |
| 16 | id_token_encrypted_response_alg | Char. String | Optional | If given, must be RSA-OAEP-256 |
| 17 | id_token_encrypted_response_enc | Char. String | Optional | If given, must be one of: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 (default) |
| 18 | userinfo_signed_response_alg | Char. String | Optional | If given, must be one of: RS256 (default), RS384, RS512 |
| 19 | userinfo_encrypted_response_alg | Char. String | Optional | If given, must be RSA-OAEP-256 |
| 20 | userinfo_encrypted_response_enc | Char. String | Optional | If given, must be one of: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 (default) |
| 21 | request_object_signing_alg | Char. String | Unsupported | |
| 22 | request_object_encryption_alg | Char. String | Unsupported | |
| 23 | request_object_encryption_enc | Char. String | Unsupported | |
| 24 | token_endpoint_auth_method | Char. String | Required | Must be “none” |
| 25 | token_endpoint_auth_signing_alg | Char. String | Unsupported | |
| 26 | default_max_age | | Unsupported | |
| 27 | require_auth_time | Boolean | Optional | |
| 28 | default_acr_values | Char. String | Optional | If given, must be one of: urn:gc-ca:cyberauth:assurance:loa2, urn:gc-ca:cyberauth:assurance:loa3 |
| 29 | initiate_login_uri | URL | Optional | |
| 30 | request_uris | URL array | Unsupported | |
| 31 | backchannel_logout_uri | URL | Optional | |
| 32 | backchannel_logout_session_required | Boolean | Optional | |
| 33 | post_logout_redirect_uris | URL array | Optional | |
| 34 | client_id | Char. String | Required | Recommended to be URL of service |
| 35 | client_secret | Char. String | Unsupported | |
| 36 | edit_profile_return_url | URL | Optional | |
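As an added example (not code from this wiki or the My-NS-Account project), the Python validator below applies both tables to a client's registration metadata and reports every violation at once, so a misconfigured registration (an unsupported client_secret, a non-pairwise subject_type, a confidential client with no published keys) is caught before it reaches the provider. The field names and allowed values are taken from the tables; the `validate` function and its error strings are this example's own.

```python
# Added example (not the wiki's own code): check a client registration against
# the Confidential and Public Client tables above. Sample data is constructed.
ALGS = {"RS256", "RS384", "RS512"}
ENCS = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}
ACRS = {"urn:gc-ca:cyberauth:assurance:loa2", "urn:gc-ca:cyberauth:assurance:loa3"}
UNSUPPORTED = {"contacts", "logo_uri", "client_uri", "policy_uri", "tos_uri",
               "default_max_age", "request_uris", "client_secret"}
REQUIRED = {"redirect_uris", "application_type", "client_name", "client_id",
            "token_endpoint_auth_method"}
# value restrictions common to both profiles (field -> allowed values)
ENUMS = {"subject_type": {"pairwise"}, "default_acr_values": ACRS,
         "id_token_signed_response_alg": ALGS, "userinfo_signed_response_alg": ALGS,
         "id_token_encrypted_response_alg": {"RSA-OAEP-256"},
         "userinfo_encrypted_response_alg": {"RSA-OAEP-256"},
         "id_token_encrypted_response_enc": ENCS, "userinfo_encrypted_response_enc": ENCS}
REQUEST_OBJ = {"request_object_signing_alg", "request_object_encryption_alg",
               "request_object_encryption_enc", "token_endpoint_auth_signing_alg"}
PROFILES = {
    "confidential": dict(
        required=REQUIRED | {"request_object_signing_alg", "backchannel_logout_uri"},
        unsupported=UNSUPPORTED,
        enums={**ENUMS, "application_type": {"web"},
               "token_endpoint_auth_method": {"private_key_jwt"},
               "request_object_signing_alg": ALGS, "token_endpoint_auth_signing_alg": ALGS,
               "request_object_encryption_alg": {"RSA-OAEP-256"},
               "request_object_encryption_enc": ENCS}),
    "public": dict(
        required=REQUIRED, unsupported=UNSUPPORTED | REQUEST_OBJ,
        enums={**ENUMS, "application_type": {"native"},
               "token_endpoint_auth_method": {"none"}}),
}

def validate(meta: dict, profile: str) -> list:
    """Return the list of violations; an empty list means the metadata conforms."""
    p = PROFILES[profile]
    errs = ["missing required field: " + f for f in sorted(p["required"] - set(meta))]
    errs += ["unsupported field present: " + f for f in sorted(p["unsupported"] & set(meta))]
    for field, allowed in p["enums"].items():
        if field in meta and meta[field] not in allowed:
            errs.append(f"{field} must be one of {sorted(allowed)}")
    # response_types / grant_types are optional, but fixed to a single value when given
    if meta.get("response_types", ["code"]) != ["code"]:
        errs.append('response_types must be ["code"]')
    if meta.get("grant_types", ["authorization_code"]) != ["authorization_code"]:
        errs.append('grant_types must be ["authorization_code"]')
    # rows 11/12: a confidential client must publish its keys one way or the other
    if profile == "confidential" and not {"jwks", "jwks_uri"} & set(meta):
        errs.append("confidential clients must provide jwks or jwks_uri")
    return errs
```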