Commit 2b9850c

add trigger endpoint to metadata request
1 parent 04827e4 commit 2b9850c

1 file changed: +7 -1 lines changed


openid-provider-commands-1_0.md

@@ -280,7 +280,7 @@ A non-normative example JWT Claims Set for the Command Token for an Unauthorize
280280

281281
The Command Trigger enables a Relying Party (RP) to proactively request that the OpenID Provider (OP) invoke specific command. This mechanism allows the RP to explicitly notify the OP of changes at the RP, such as updated metadata.
282282

283-
## Endpoint
283+
## Endpoint {#trigger-endpoint}
284284

285285
The OP indicates support for receiving a Command Trigger by including the `command_trigger_endpoint` property in the metadata it sends to the RP. This URL is opaque to the RP and SHOULD have sufficient entropy to prevent guessing and unauthorized access. For multi-tenant OPs, a unique command_trigger_endpoint SHOULD be provided per tenant. The OP SHOULD require authentication from the RP if the RP is capable of authenticating. If the RP cannot authenticate, the OP SHOULD generate a new endpoint for each metadata request and SHOULD not accept a Command Trigger Request to an previous `command_trigger_endpoint`
286286
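Review bot: the unchanged context line 285 in this hunk has wording defects worth fixing while the section is being edited: `SHOULD not` should be the normative `SHOULD NOT`, `an previous` should read `a previous`, and the sentence is missing its closing period after `command_trigger_endpoint`. The explicit `{#trigger-endpoint}` id added to the heading is the right move, since the metadata claims hunk below links to `#trigger-endpoint` and would otherwise depend on an auto-generated slug for a heading that reads only `Endpoint`.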

@@ -524,6 +524,10 @@ The Claims set in a Metadata Command Token MUST include the following claim:
524524
REQUIRED.
525525
A JSON object that MAY include the following Claims:
526526

527+
- **command_trigger_endpoint**
528+
OPTIONAL.
529+
A URL as defined in [Command Trigger Endpoint](#trigger-endpoint)
530+
527531
- **domains**
528532
OPTIONAL.
529533
A JSON array of one or more domain names the OP has verified the Tenant controls.
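Review bot: the new `command_trigger_endpoint` description at line 529 lacks the terminating period that the sibling claim descriptions have; suggest `A URL as defined in [Command Trigger Endpoint](#trigger-endpoint).` It would also help to say here that the RP replaces any previously stored value with the one in the latest Metadata Command Token, because the Command Trigger section (context line 285 in the first hunk) says the OP SHOULD issue a new endpoint per metadata request when the RP cannot authenticate and SHOULD NOT accept requests to a previous URL; an RP that caches the first value it saw would have its triggers rejected.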
@@ -539,6 +543,8 @@ The Claims set in a Metadata Command Token MUST include the following claim:
539543
REQUIRED.
540544
The Tenant unique human readable name for the group.
541545

546+
The OP sends the `command_trigger_endpoint` if it supports receiving a [Command Trigger](#command-trigger) from the RP.
547+
542548
The OP sends the `domains` array for the RP to link any data the RP has to the OP Tenant.
543549

544550
The OP sends the `groups` array to provide the display value for each identifier that the OP MAY include in a `groups` Claim in an ID Token or a Command Token for the Activate and Maintain Commands. This allows an admin at the RP to map centrally managed `groups` from an OP to roles or entitlements at an RP.
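Review bot: the added sentence at line 546 links to `#command-trigger`, but this commit only defines the `{#trigger-endpoint}` id; confirm that the Command Trigger section heading carries an explicit `{#command-trigger}` anchor, otherwise this cross-reference is dangling. Placing the sentence ahead of the `domains` paragraph matches the order of the claim list above, which keeps the two in sync.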
