OpenID Connect Terminology
Access Token
Authorization Code
Authorization Endpoint
Authorization Grant
Authorization Server
Client
Client Authentication
Client Identifier
Client Secret
Grant Type
Protected Resource
Redirection URI
Refresh Token
Resource Server
Response Type
Token Endpoint
Claim Name
Claim Value
JSON Web Token (JWT)
JWT Claims Set
Nested JWT
Base64url Encoding
Header Parameter
JOSE Header
User Agent
Response Mode
This specification also defines the following terms:
Authentication
Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.
Authentication Request
OAuth 2.0 Authorization Request using extension parameters and scopes defined by OpenID Connect to request that the End-User be authenticated by the Authorization Server, which is an OpenID Connect Provider, to the Client, which is an OpenID Connect Relying Party.
Authentication Context
Information that the Relying Party can require before it makes an entitlement decision with respect to an authentication response. Such context can include, but is not limited to, the actual authentication method used or level of assurance such as the ISO/IEC 29115 [ISO29115] entity authentication assurance level.
Authentication Context Class
Set of authentication methods or procedures that are considered to be equivalent to each other in a particular context.
Authentication Context Class Reference
Identifier for an Authentication Context Class.
Authorization Code Flow
OAuth 2.0 flow in which an Authorization Code is returned from the Authorization Endpoint and all tokens are returned from the Token Endpoint.
Claim
Piece of information asserted about an Entity.
Claim Type
Syntax used for representing a Claim Value. This specification defines Normal, Aggregated, and Distributed Claim Types.
Claims Provider
Server that can return Claims about an Entity.
Credential
Data presented as evidence of the right to use an identity or other resources.
End-User
Human participant.
Entity
Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity.
Essential Claim
Claim specified by the Client as being necessary to ensure a smooth authorization experience for the specific task requested by the End-User.
Hybrid Flow
OAuth 2.0 flow in which an Authorization Code is returned from the Authorization Endpoint, some tokens are returned from the Authorization Endpoint, and others are returned from the Token Endpoint.
ID Token
JSON Web Token (JWT) [JWT] that contains Claims about the Authentication event. It MAY contain other Claims.
Identifier
Value that uniquely characterizes an Entity in a specific context.
Identity
Set of attributes related to an Entity.
Implicit Flow
OAuth 2.0 flow in which all tokens are returned from the Authorization Endpoint and neither the Token Endpoint nor an Authorization Code are used.
Issuer
Entity that issues a set of Claims.
Issuer Identifier
Verifiable Identifier for an Issuer. An Issuer Identifier is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
Message
Request or a response between an OpenID Relying Party and an OpenID Provider.
OpenID Provider (OP)
OAuth 2.0 Authorization Server that is capable of Authenticating the End-User and providing Claims to a Relying Party about the Authentication event and the End-User.
Request Object
JWT that contains a set of request parameters as its Claims.
Request URI
URL that references a resource containing a Request Object. The Request URI contents MUST be retrievable by the Authorization Server.
Pairwise Pseudonymous Identifier (PPID)
Identifier that identifies the Entity to a Relying Party that cannot be correlated with the Entity's PPID at another Relying Party.
Personally Identifiable Information (PII)
Information that (a) can be used to identify the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person to whom such information relates.
Sector Identifier
Host component of a URL used by the Relying Party's organization that is an input to the computation of pairwise Subject Identifiers for that Relying Party.
Self-Issued OpenID Provider
Personal, self-hosted OpenID Provider that issues self-signed ID Tokens.
Subject Identifier
Locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
UserInfo Endpoint
Protected Resource that, when presented with an Access Token by the Client, returns authorized information about the End-User represented by the corresponding Authorization Grant. The UserInfo Endpoint URL MUST use the https scheme and MAY contain port, path, and query parameter components.
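The Issuer Identifier and UserInfo Endpoint definitions above impose concrete URL syntax rules that a Relying Party should enforce before trusting an iss claim or calling an endpoint. The following checks are an added illustration, not code from the OpenID Connect specification or any OpenID library; the function names and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit


def _https_url_with_host(value: str):
    """Return the split URL if it uses the https scheme and names a host, else None.

    The scheme test is done on the raw text because urlsplit() lowercases the
    scheme, and the terminology section says the Issuer Identifier is
    case-sensitive (so "HTTPS://..." must not pass).
    """
    if not value.startswith("https://"):
        return None
    parts = urlsplit(value)
    if not parts.hostname:
        return None
    return parts


def is_valid_issuer_identifier(value: str) -> bool:
    """Issuer Identifier: https URL with scheme, host, optional port and path,
    and no query or fragment component."""
    if _https_url_with_host(value) is None:
        return False
    # urlsplit() drops an empty query/fragment ("https://op.example/#"), so the
    # delimiter itself is tested to reject any query or fragment component.
    return "?" not in value and "#" not in value


def is_valid_userinfo_endpoint_url(value: str) -> bool:
    """UserInfo Endpoint URL: MUST use https; MAY carry port, path and query."""
    return _https_url_with_host(value) is not None


def issuer_matches(expected_issuer: str, id_token_claims: dict) -> bool:
    """Compare an ID Token's iss claim with the configured Issuer Identifier.

    The comparison is exact string equality: the identifier is case-sensitive,
    so no normalisation (lowercasing, trailing-slash trimming) is applied.
    """
    return id_token_claims.get("iss") == expected_issuer


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    assert is_valid_issuer_identifier("https://op.example.com:8443/issuer1")
    assert not is_valid_issuer_identifier("https://op.example.com/?tenant=a")
    assert issuer_matches("https://op.example.com", {"iss": "https://op.example.com"})
```

A mismatch on a trailing slash or on letter case is a genuine mismatch under these definitions, so a Relying Party that "helpfully" normalises the iss value before comparing weakens the issuer check.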
Validation
Process intended to establish the soundness or correctness of a construct.
Verification
Process intended to test or prove the truth or accuracy of a fact or value.
Voluntary Claim
Claim specified by the Client as being useful but not Essential for the specific task requested by the End-User.
IMPORTANT NOTE TO READERS: The terminology definitions in this section are a normative portion of this specification, imposing requirements upon implementations. All the capitalized words in the text of this specification, such as "Issuer Identifier", reference these defined terms. Whenever the reader encounters them, their definitions found in this section must be followed.
For more background on some of the terminology used, see Internet Security Glossary, Version 2 [RFC4949], ISO/IEC 29115 Entity Authentication Assurance [ISO29115], and ITU-T X.1252 [X.1252].