2.2.3.2 OpenID Provider Metadata

OpenID Provider Metadata provides information about the OpenID Connect provider, as described in [OIDCDiscovery] section 3.

Note:

  • The end_session_endpoint metadata field defined in [OIDCFrontChanLO] section 4 is required for the OpenID Connect 1.0 Protocol Extensions.<3>

  • The frontchannel_logout_supported and frontchannel_logout_session_supported metadata fields defined in [OIDCFrontChanLO] section 3 are required for the OpenID Connect 1.0 Protocol Extensions.<4>

  • The device_authorization_endpoint metadata field defined in [RFC8628] section 4 is required for the OpenID Connect 1.0 Protocol Extensions.<5>

The OpenID Connect 1.0 Protocol Extensions extend OpenID Provider Metadata by adding a number of fields. See [OIDCDiscovery] section 3 for the OpenID Provider Metadata with the standard fields. The extended fields are defined as follows.

access_token_issuer: OPTIONAL. A string that specifies the issuer for access tokens issued by the OpenID provider.

microsoft_multi_refresh_token: OPTIONAL. A Boolean value that indicates whether the OpenID provider supports multi-resource refresh tokens, which are refresh tokens that can be redeemed for an access token for any resource registered with the AD FS server.

capabilities: OPTIONAL. A JSON array of strings describing additional protocol capabilities that are supported by the AD FS server.<6>
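
The following Python check is an added example, not part of the specification: it shows how a relying party could verify that a fetched metadata document carries the fields this section requires and that the optional extended fields have the stated types. The sample documents, host name, paths and capability string are constructed, and accepting only absolute https URLs is a hardening choice of the example.

```python
import json
from urllib.parse import urlsplit

# Fields this section marks as required for the protocol extensions.
REQUIRED_URLS = ("end_session_endpoint", "device_authorization_endpoint")
REQUIRED_BOOLS = ("frontchannel_logout_supported", "frontchannel_logout_session_supported")

def check_metadata(doc):
    """Return a list of problems found in a parsed OpenID Provider Metadata dict."""
    problems = []
    for name in REQUIRED_URLS:
        value = doc.get(name)
        if not isinstance(value, str):
            problems.append(f"{name}: missing or not a string")
            continue
        url = urlsplit(value)
        # Hardening choice of this example: accept only absolute https URLs.
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{name}: not an absolute https URL")
    for name in REQUIRED_BOOLS:
        # Exact type check: the string "true" or the number 1 is rejected.
        if not isinstance(doc.get(name), bool):
            problems.append(f"{name}: missing or not a JSON boolean")
    # Extended fields are OPTIONAL: absent is fine, a wrong type is not.
    if not isinstance(doc.get("access_token_issuer", ""), str):
        problems.append("access_token_issuer: not a string")
    if not isinstance(doc.get("microsoft_multi_refresh_token", False), bool):
        problems.append("microsoft_multi_refresh_token: not a JSON boolean")
    caps = doc.get("capabilities", [])
    if not isinstance(caps, list) or not all(isinstance(c, str) for c in caps):
        problems.append("capabilities: not a JSON array of strings")
    return problems

# Constructed sample documents (host, paths and capability name are made up).
GOOD = json.loads("""{
  "issuer": "https://sts.example.test/adfs",
  "end_session_endpoint": "https://sts.example.test/adfs/logout",
  "device_authorization_endpoint": "https://sts.example.test/adfs/devicecode",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "access_token_issuer": "https://sts.example.test/adfs/services/trust",
  "microsoft_multi_refresh_token": true,
  "capabilities": ["example_capability"]
}""")
BAD = dict(GOOD, frontchannel_logout_supported="true",
           device_authorization_endpoint="http://sts.example.test/adfs/devicecode",
           microsoft_multi_refresh_token=1, capabilities="example_capability")
del BAD["end_session_endpoint"]
print(check_metadata(GOOD), check_metadata(BAD))
```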