Self-Issued OpenID Provider v2 - SIOP v2 specification

Type
Standard

Description

Self-Issued OpenID Provider v2 extends OpenID Connect by introducing the concept of a self-controlled identity provider, allowing end-users to authenticate themselves and present claims directly to relying parties without depending on third-party providers.

The key innovation is that the end-user becomes the issuer of identity information, controlling their own identifiers and claims through a Self-Issued OpenID Provider (Self-Issued OP) that they manage. This creates a direct trust relationship between the end-user and relying party, rather than requiring an intermediary identity provider.

Key capabilities include:

  • Self-sovereign authentication using cryptographic keys controlled by the end-user
  • Self-attested claims presented directly to relying parties
  • Support for verifiable credentials from trusted third parties
  • Both same-device and cross-device authentication flows
  • Flexible deployment models from fully local to cloud-based implementations

Technical Specifications:

  1. Purpose and Scope:
  • Extends OpenID Connect Core with self-issued identity capabilities
  • Defines mechanisms for Self-Issued OP invocation and discovery
  • Specifies the Self-Issued ID Token format and its validation requirements
  • Supports both self-attested and verifiable claims
  2. Key Technical Components:
  • Authorization Endpoint that receives the relying party's authentication request
  • ID Token signed with keys the end-user controls
  • Subject Identifiers based on:
    • JWK Thumbprints (RFC 7638) of the end-user's public key
    • Decentralized Identifiers (DIDs)
  • Support for multiple response types including:
    • id_token
    • code (Authorization Code Flow)
  3. Implementation Requirements:
  • Must use TLS for all endpoints
  • Must use nonce values for replay protection: the relying party ties the nonce to the session and checks it in the returned ID Token
  • Must validate all signatures and claims, including that the signing key corresponds to the subject identifier
  • Must implement proper key management
  • Must handle both same-device and cross-device flows
  4. Security Considerations:
  • End-user data protection
  • Metadata integrity verification
  • Cross-device authentication risks
  • TLS requirements per BCP 195
  • Private-use URI scheme risks (any installed app can claim the same scheme and intercept the request)
  5. Interoperability Features:
  • Compatible with existing OpenID Connect deployments
  • Supports multiple credential formats
  • Works with various DID methods
  • Integrates with Verifiable Presentations
  6. Current Status:
  • Working draft by the OpenID Foundation
  • Replaces the earlier Self-Issued OpenID Connect Provider DID Profile
  • Developed through liaison between the Decentralized Identity Foundation and the OpenID Foundation

The specification represents a significant advancement in self-sovereign digital identity, providing a standardized way for users to control their own identity information while maintaining compatibility with existing OpenID Connect infrastructure.

Statistics

Projects Following
2