Self-Issued OpenID Provider v2 - SIOP v2

Type: Standard

Description

Self-Issued OpenID Provider v2 extends OpenID Connect by enabling end-users to control their own identity provider rather than relying on third-party providers. This fundamental shift allows users to authenticate themselves using self-issued ID tokens and present self-attested claims directly to relying parties.

The key innovation is that the end-user becomes the issuer of identity information, rather than delegating this role to a traditional OpenID Provider. A Self-Issued OP can operate entirely on a user's device, use cloud components, or run completely in the cloud; the crucial aspect is that the end-user retains control over their identifiers and claims.

Key capabilities include:

  • Self-authentication using cryptographically verifiable identifiers
  • Presentation of self-attested claims
  • Support for verifiable credentials from trusted third parties
  • Cross-device authentication flows
  • Selective disclosure and unlinkable presentations

Technical Details:

  1. Purpose and Scope:
  • Extends OpenID Connect Core with self-issued provider capabilities
  • Defines mechanisms for RP-SIOP discovery and interaction
  • Establishes protocols for self-issued ID token validation
  • Supports both same-device and cross-device flows
  2. Key Technical Specifications:
  • Uses JWT format for ID tokens
  • Supports multiple Subject Syntax Types:
    • JWK Thumbprint
    • Decentralized Identifiers (DIDs)
  • Implements Authorization Code and Implicit flows
  • Requires TLS for all communications
  3. Implementation Requirements:
  • Must support the openid scope
  • Must implement the specified ID token validation rules
  • Must handle both static and dynamic metadata discovery
  • Must support the specified cryptographic algorithms:
    • ES256
    • ES256K
    • EdDSA
    • RS256
  4. Security Considerations:
  • Enforces nonce validation for replay protection
  • Requires TLS certificate validation
  • Implements strict ID token validation rules
  • Provides mechanisms for metadata integrity protection
  • Addresses cross-device authentication risks
  5. Interoperability Features:
  • Compatible with existing OpenID Connect implementations
  • Supports multiple credential formats
  • Enables integration with Verifiable Credentials
  • Provides standardized metadata discovery
  6. Current Adoption Status:
  • Supported by major identity platforms
  • Being integrated into digital wallet implementations
  • Used in decentralized identity solutions
  • Gaining adoption in self-sovereign identity systems

The standard represents a significant evolution in digital identity by enabling true user control while maintaining compatibility with existing identity infrastructure.

Statistics

Projects following this standard: 11