openid-sse-framework-1_0.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />

  <title>OpenID Shared Signals and Events Framework Specification 1.0 - draft 01</title>

  <style type="text/css" title="Xml2Rfc (sans serif)">
  /*<![CDATA[*/
	  a {
	  text-decoration: none;
	  }
      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
      a.info {
          /* This is the key. */
          position: relative;
          z-index: 24;
          text-decoration: none;
      }
      a.info:hover {
          z-index: 25;
          color: #FFF; background-color: #900;
      }
      a.info span { display: none; }
      a.info:hover span.info {
          /* The span will display just on :hover state. */
          display: block;
          position: absolute;
          font-size: smaller;
          top: 2em; left: -5em; width: 15em;
          padding: 2px; border: 1px solid #333;
          color: #900; background-color: #EEE;
          text-align: left;
      }
	  a.smpl {
	  color: black;
	  }
	  a:hover {
	  text-decoration: underline;
	  }
	  a:active {
	  text-decoration: underline;
	  }
	  address {
	  margin-top: 1em;
	  margin-left: 2em;
	  font-style: normal;
	  }
	  body {
	  color: black;
	  font-family: verdana, helvetica, arial, sans-serif;
	  font-size: 10pt;
	  max-width: 55em;

	  }
	  cite {
	  font-style: normal;
	  }
	  dd {
	  margin-right: 2em;
	  }
	  dl {
	  margin-left: 2em;
	  }

	  ul.empty {
	  list-style-type: none;
	  }
	  ul.empty li {
	  margin-top: .5em;
	  }
	  dl p {
	  margin-left: 0em;
	  }
	  dt {
	  margin-top: .5em;
	  }
	  h1 {
	  font-size: 14pt;
	  line-height: 21pt;
	  page-break-after: avoid;
	  }
	  h1.np {
	  page-break-before: always;
	  }
	  h1 a {
	  color: #333333;
	  }
	  h2 {
	  font-size: 12pt;
	  line-height: 15pt;
	  page-break-after: avoid;
	  }
	  h3, h4, h5, h6 {
	  font-size: 10pt;
	  page-break-after: avoid;
	  }
	  h2 a, h3 a, h4 a, h5 a, h6 a {
	  color: black;
	  }
	  img {
	  margin-left: 3em;
	  }
	  li {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol p {
	  margin-left: 0em;
	  }
	  p {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  pre {
	  margin-left: 3em;
	  background-color: lightyellow;
	  padding: .25em;
	  }
	  pre.text2 {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f0f0f0;
	  width: 69em;
	  }
	  pre.inline {
	  background-color: white;
	  padding: 0em;
	  }
	  pre.text {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  width: 69em;
	  }
	  pre.drawing {
	  border-style: solid;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  padding: 2em;
	  }
	  table {
	  margin-left: 2em;
	  }
	  table.tt {
	  vertical-align: top;
	  }
	  table.full {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.headers {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.tt td {
	  vertical-align: top;
	  }
	  table.full td {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.tt th {
	  vertical-align: top;
	  }
	  table.full th {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.headers th {
	  border-style: none none inset none;
	  border-width: 1px;
	  }
	  table.left {
	  margin-right: auto;
	  }
	  table.right {
	  margin-left: auto;
	  }
	  table.center {
	  margin-left: auto;
	  margin-right: auto;
	  }
	  caption {
	  caption-side: bottom;
	  font-weight: bold;
	  font-size: 9pt;
	  margin-top: .5em;
	  }

	  table.header {
	  border-spacing: 1px;
	  width: 95%;
	  font-size: 10pt;
	  color: white;
	  }
	  td.top {
	  vertical-align: top;
	  }
	  td.topnowrap {
	  vertical-align: top;
	  white-space: nowrap;
	  }
	  table.header td {
	  background-color: gray;
	  width: 50%;
	  }
	  table.header a {
	  color: white;
	  }
	  td.reference {
	  vertical-align: top;
	  white-space: nowrap;
	  padding-right: 1em;
	  }
	  thead {
	  display:table-header-group;
	  }
	  ul.toc, ul.toc ul {
	  list-style: none;
	  margin-left: 1.5em;
	  margin-right: 0em;
	  padding-left: 0em;
	  }
	  ul.toc li {
	  line-height: 150%;
	  font-weight: bold;
	  font-size: 10pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  ul.toc li li {
	  line-height: normal;
	  font-weight: normal;
	  font-size: 9pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  li.excluded {
	  font-size: 0pt;
	  }
	  ul p {
	  margin-left: 0em;
	  }

	  .comment {
	  background-color: yellow;
	  }
	  .center {
	  text-align: center;
	  }
	  .error {
	  color: red;
	  font-style: italic;
	  font-weight: bold;
	  }
	  .figure {
	  font-weight: bold;
	  text-align: center;
	  font-size: 9pt;
	  }
	  .filename {
	  color: #333333;
	  font-weight: bold;
	  font-size: 12pt;
	  line-height: 21pt;
	  text-align: center;
	  }
	  .fn {
	  font-weight: bold;
	  }
	  .hidden {
	  display: none;
	  }
	  .left {
	  text-align: left;
	  }
	  .right {
	  text-align: right;
	  }
	  .title {
	  color: #990000;
	  font-size: 18pt;
	  line-height: 18pt;
	  font-weight: bold;
	  text-align: center;
	  margin-top: 36pt;
	  }
	  .vcardline {
	  display: block;
	  }
	  .warning {
	  font-size: 14pt;
	  background-color: yellow;
	  }


	  @media print {
	  .noprint {
		display: none;
	  }

	  a {
		color: black;
		text-decoration: none;
	  }

	  table.header {
		width: 90%;
	  }

	  td.header {
		width: 50%;
		color: black;
		background-color: white;
		vertical-align: top;
		font-size: 12pt;
	  }

	  ul.toc a::after {
		content: leader('.') target-counter(attr(href), page);
	  }

	  ul.ind li li a {
		content: target-counter(attr(href), page);
	  }

	  .print2col {
		column-count: 2;
		-moz-column-count: 2;
		column-fill: auto;
	  }
	  }

	  @page {
	  @top-left {
		   content: "Internet-Draft";
	  }
	  @top-right {
		   content: "December 2010";
	  }
	  @top-center {
		   content: "Abbreviated Title";
	  }
	  @bottom-left {
		   content: "Doe";
	  }
	  @bottom-center {
		   content: "Expires June 2011";
	  }
	  @bottom-right {
		   content: "[Page " counter(page) "]";
	  }
	  }

	  @page:first {
		@top-left {
		  content: normal;
		}
		@top-right {
		  content: normal;
		}
		@top-center {
		  content: normal;
		}
	  }
  /*]]>*/
  </style>

  <link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Notational Conventions">
<link href="#rfc.section.2" rel="Chapter" title="2 Subject Principals">
<link href="#rfc.section.3" rel="Chapter" title="3 Subject Members in SSE Events">
<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Simple Subject Members">
<link href="#rfc.section.3.2" rel="Chapter" title="3.2 Complex Subject Members">
<link href="#rfc.section.3.2.1" rel="Chapter" title="3.2.1 Complex Subject Interpretation">
<link href="#rfc.section.3.3" rel="Chapter" title="3.3 Subject Identifiers in SSE Events">
<link href="#rfc.section.3.4" rel="Chapter" title="3.4 Additional Subject Identifier Formats">
<link href="#rfc.section.3.4.1" rel="Chapter" title="3.4.1 JWT ID Subject Identifier Format">
<link href="#rfc.section.3.4.2" rel="Chapter" title="3.4.2 SAML Assertion ID Subject Identifier Format">
<link href="#rfc.section.3.5" rel="Chapter" title="3.5 Receiver Subject Processing">
<link href="#rfc.section.4" rel="Chapter" title="4 Event Properties">
<link href="#rfc.section.5" rel="Chapter" title="5 Example SETs that conform to the SSE framework">
<link href="#rfc.section.6" rel="Chapter" title="6 Transmitter Configuration Discovery">
<link href="#rfc.section.6.1" rel="Chapter" title="6.1 Transmitter Configuration Metadata">
<link href="#rfc.section.6.2" rel="Chapter" title="6.2 Obtaining Transmitter Configuration Information">
<link href="#rfc.section.6.2.1" rel="Chapter" title="6.2.1 Transmitter Configuration Request">
<link href="#rfc.section.6.2.2" rel="Chapter" title="6.2.2 Backward Compatibility for RISC Transmitters">
<link href="#rfc.section.6.2.3" rel="Chapter" title="6.2.3 Transmitter Configuration Response">
<link href="#rfc.section.6.2.4" rel="Chapter" title="6.2.4 Transmitter Configuration Validation">
<link href="#rfc.section.7" rel="Chapter" title="7 Management API for SET Event Streams">
<link href="#rfc.section.7.1" rel="Chapter" title="7.1 Event Stream Management">
<link href="#rfc.section.7.1.1" rel="Chapter" title="7.1.1 Stream Status">
<link href="#rfc.section.7.1.1.1" rel="Chapter" title="7.1.1.1 Reading a Stream&#8217;s Status">
<link href="#rfc.section.7.1.1.2" rel="Chapter" title="7.1.1.2 Updating a Stream's Status">
<link href="#rfc.section.7.1.2" rel="Chapter" title="7.1.2 Stream Configuration">
<link href="#rfc.section.7.1.2.1" rel="Chapter" title="7.1.2.1 Reading a Stream&#8217;s Configuration">
<link href="#rfc.section.7.1.2.2" rel="Chapter" title="7.1.2.2 Updating a Stream&#8217;s Configuration">
<link href="#rfc.section.7.1.2.3" rel="Chapter" title="7.1.2.3 Removing a Stream Configuration">
<link href="#rfc.section.7.1.3" rel="Chapter" title="7.1.3 Subjects">
<link href="#rfc.section.7.1.3.1" rel="Chapter" title="7.1.3.1 Adding a Subject to a Stream">
<link href="#rfc.section.7.1.3.2" rel="Chapter" title="7.1.3.2 Removing a Subject">
<link href="#rfc.section.7.1.4" rel="Chapter" title="7.1.4 Verification">
<link href="#rfc.section.7.1.4.1" rel="Chapter" title="7.1.4.1 Verification Event">
<link href="#rfc.section.7.1.4.2" rel="Chapter" title="7.1.4.2 Triggering a Verification Event.">
<link href="#rfc.section.7.1.5" rel="Chapter" title="7.1.5 Stream Updated Event">
<link href="#rfc.section.8" rel="Chapter" title="8 Authorization">
<link href="#rfc.section.9" rel="Chapter" title="9 Security Considerations">
<link href="#rfc.section.9.1" rel="Chapter" title="9.1 Subject Probing">
<link href="#rfc.section.9.2" rel="Chapter" title="9.2 Information Harvesting">
<link href="#rfc.section.9.3" rel="Chapter" title="9.3 Malicious Subject Removal">
<link href="#rfc.section.10" rel="Chapter" title="10 Privacy Considerations">
<link href="#rfc.section.10.1" rel="Chapter" title="10.1 Subject Information Leakage">
<link href="#rfc.section.10.2" rel="Chapter" title="10.2 Previously Consented Data">
<link href="#rfc.section.10.3" rel="Chapter" title="10.3 New Data">
<link href="#rfc.section.10.3.1" rel="Chapter" title="10.3.1 Organizational Data">
<link href="#rfc.section.10.3.2" rel="Chapter" title="10.3.2 Consentable Data">
<link href="#rfc.section.11" rel="Chapter" title="11 Profiles">
<link href="#rfc.section.11.1" rel="Chapter" title="11.1 Security Event Token Profile">
<link href="#rfc.section.11.1.1" rel="Chapter" title="11.1.1 Signature Key Resolution">
<link href="#rfc.section.11.1.2" rel="Chapter" title="11.1.2 SSE Event Subject">
<link href="#rfc.section.11.1.3" rel="Chapter" title="11.1.3 SSE Event Properties">
<link href="#rfc.section.11.1.4" rel="Chapter" title="11.1.4 Explicit Typing of SETs">
<link href="#rfc.section.11.1.5" rel="Chapter" title='11.1.5 The "exp" Claim'>
<link href="#rfc.section.11.1.6" rel="Chapter" title='11.1.6 The "aud" Claim'>
<link href="#rfc.section.11.1.7" rel="Chapter" title='11.1.7 The "events" claim'>
<link href="#rfc.section.11.1.8" rel="Chapter" title="11.1.8 Security Considerations">
<link href="#rfc.section.11.1.8.1" rel="Chapter" title="11.1.8.1 Distinguishing SETs from other Kinds of JWTs">
<link href="#rfc.section.11.2" rel="Chapter" title="11.2 SET Token Delivery Using HTTP Profile">
<link href="#rfc.section.11.2.1" rel="Chapter" title="11.2.1 Stream Configuration Metadata">
<link href="#rfc.section.11.2.1.1" rel="Chapter" title="11.2.1.1 Push Delivery using HTTP">
<link href="#rfc.section.11.2.1.2" rel="Chapter" title="11.2.1.2 Polling Delivery using HTTP">
<link href="#rfc.section.12" rel="Chapter" title="12 IANA Considerations">
<link href="#rfc.references" rel="Chapter" title="13 References">
<link href="#rfc.references.1" rel="Chapter" title="13.1 Normative References">
<link href="#rfc.references.2" rel="Chapter" title="13.2 Non-Normative References">
<link href="#rfc.appendix.A" rel="Chapter" title="A Acknowledgements">
<link href="#rfc.appendix.B" rel="Chapter" title="B Notices">
<link href="#rfc.authors" rel="Chapter">


  <meta name="generator" content="xml2rfc version 3.10.0 - https://tools.ietf.org/tools/xml2rfc" />
  <link rel="schema.dct" href="http://purl.org/dc/terms/" />

  <meta name="dct.creator" content="Tulshibagwale, A., Cappalli, T., Scurtescu, M., Backman, A., and J. Bradley" />
  <meta name="dct.identifier" content="urn:ietf:id:openid-sse-framework-1_0" />
  <meta name="dct.issued" scheme="ISO8601" content="2021-06-08" />
  <meta name="dct.abstract" content="This Shared Signals and Events (SSE) Framework enables sharing of signals and events between cooperating peers. It enables multiple applications such as Risk Incident Sharing and Coordination (RISC) and the Continuous Access Evaluation Profile ()  This specification defines: A profile for IETF Security Events Subject Principals Subject Claims in SSE Events Event Types Event Properties Configuration information and discovery method for Transmitters A Management API for Event Streams  This spec also directly profiles several IETF Security Events drafts:Security Event Token (SET) Subject Identifiers for Security Event Tokens Push-Based SET Token Delivery Using HTTP Poll-Based SET Token Delivery Using HTTP  " />
  <meta name="description" content="This Shared Signals and Events (SSE) Framework enables sharing of signals and events between cooperating peers. It enables multiple applications such as Risk Incident Sharing and Coordination (RISC) and the Continuous Access Evaluation Profile ()  This specification defines: A profile for IETF Security Events Subject Principals Subject Claims in SSE Events Event Types Event Properties Configuration information and discovery method for Transmitters A Management API for Event Streams  This spec also directly profiles several IETF Security Events drafts:Security Event Token (SET) Subject Identifiers for Security Event Tokens Push-Based SET Token Delivery Using HTTP Poll-Based SET Token Delivery Using HTTP  " />

</head>

<body>

  <table class="header">
    <tbody>

    	<tr>
<td class="left"></td>
<td class="right">A. Tulshibagwale</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Google</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">T. Cappalli</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Microsoft</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">M. Scurtescu</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Coinbase</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">A. Backman</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Amazon</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">J. Bradley</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Yubico</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">June 8, 2021</td>
</tr>


    </tbody>
  </table>

  <p class="title">OpenID Shared Signals and Events Framework Specification 1.0 - draft 01<br />
  <span class="filename">openid-sse-framework-1_0</span></p>

  <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>This Shared Signals and Events (SSE) Framework enables sharing of signals and events between cooperating peers. It enables multiple applications such as Risk Incident Sharing and Coordination (RISC) and the Continuous Access Evaluation Profile (<a href="#CAEP" class="xref">[CAEP]</a>) </p>
<p>This specification defines: </p>

<ul>
<li>A profile for <a href="https://datatracker.ietf.org/wg/secevent/about/">IETF Security Events</a>
</li>
<li>Subject Principals</li>
<li>Subject Claims in SSE Events</li>
<li>Event Types</li>
<li>Event Properties</li>
<li>Configuration information and discovery method for Transmitters</li>
<li>A Management API for Event Streams</li>
</ul>
<p>This spec also directly profiles several IETF Security Events drafts:</p>

<ul>
<li><a href="#SET" class="xref">Security Event Token (SET)</a></li>
<li><a href="#SUBIDS" class="xref">Subject Identifiers for Security Event Tokens</a></li>
<li><a href="#DELIVERYPUSH" class="xref">Push-Based SET Token Delivery Using HTTP</a></li>
<li><a href="#DELIVERYPOLL" class="xref">Poll-Based SET Token Delivery Using HTTP</a></li>
</ul>


  <hr class="noprint" />
  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
  <ul class="toc">

  	<li>1.   <a href="#rfc.section.1">Introduction</a>
</li>
<ul><li>1.1.   <a href="#rfc.section.1.1">Notational Conventions</a>
</li>
</ul><li>2.   <a href="#rfc.section.2">Subject Principals</a>
</li>
<li>3.   <a href="#rfc.section.3">Subject Members in SSE Events</a>
</li>
<ul><li>3.1.   <a href="#rfc.section.3.1">Simple Subject Members</a>
</li>
<li>3.2.   <a href="#rfc.section.3.2">Complex Subject Members</a>
</li>
<ul><li>3.2.1.   <a href="#rfc.section.3.2.1">Complex Subject Interpretation</a>
</li>
</ul><li>3.3.   <a href="#rfc.section.3.3">Subject Identifiers in SSE Events</a>
</li>
<li>3.4.   <a href="#rfc.section.3.4">Additional Subject Identifier Formats</a>
</li>
<ul><li>3.4.1.   <a href="#rfc.section.3.4.1">JWT ID Subject Identifier Format</a>
</li>
<li>3.4.2.   <a href="#rfc.section.3.4.2">SAML Assertion ID Subject Identifier Format</a>
</li>
</ul><li>3.5.   <a href="#rfc.section.3.5">Receiver Subject Processing</a>
</li>
</ul><li>4.   <a href="#rfc.section.4">Event Properties</a>
</li>
<li>5.   <a href="#rfc.section.5">Example SETs that conform to the SSE framework</a>
</li>
<li>6.   <a href="#rfc.section.6">Transmitter Configuration Discovery</a>
</li>
<ul><li>6.1.   <a href="#rfc.section.6.1">Transmitter Configuration Metadata</a>
</li>
<li>6.2.   <a href="#rfc.section.6.2">Obtaining Transmitter Configuration Information</a>
</li>
<ul><li>6.2.1.   <a href="#rfc.section.6.2.1">Transmitter Configuration Request</a>
</li>
<li>6.2.2.   <a href="#rfc.section.6.2.2">Backward Compatibility for RISC Transmitters</a>
</li>
<li>6.2.3.   <a href="#rfc.section.6.2.3">Transmitter Configuration Response</a>
</li>
<li>6.2.4.   <a href="#rfc.section.6.2.4">Transmitter Configuration Validation</a>
</li>
</ul></ul><li>7.   <a href="#rfc.section.7">Management API for SET Event Streams</a>
</li>
<ul><li>7.1.   <a href="#rfc.section.7.1">Event Stream Management</a>
</li>
<ul><li>7.1.1.   <a href="#rfc.section.7.1.1">Stream Status</a>
</li>
<ul><li>7.1.1.1.   <a href="#rfc.section.7.1.1.1">Reading a Stream&#8217;s Status</a>
</li>
<li>7.1.1.2.   <a href="#rfc.section.7.1.1.2">Updating a Stream's Status</a>
</li>
</ul><li>7.1.2.   <a href="#rfc.section.7.1.2">Stream Configuration</a>
</li>
<ul><li>7.1.2.1.   <a href="#rfc.section.7.1.2.1">Reading a Stream&#8217;s Configuration</a>
</li>
<li>7.1.2.2.   <a href="#rfc.section.7.1.2.2">Updating a Stream&#8217;s Configuration</a>
</li>
<li>7.1.2.3.   <a href="#rfc.section.7.1.2.3">Removing a Stream Configuration</a>
</li>
</ul><li>7.1.3.   <a href="#rfc.section.7.1.3">Subjects</a>
</li>
<ul><li>7.1.3.1.   <a href="#rfc.section.7.1.3.1">Adding a Subject to a Stream</a>
</li>
<li>7.1.3.2.   <a href="#rfc.section.7.1.3.2">Removing a Subject</a>
</li>
</ul><li>7.1.4.   <a href="#rfc.section.7.1.4">Verification</a>
</li>
<ul><li>7.1.4.1.   <a href="#rfc.section.7.1.4.1">Verification Event</a>
</li>
<li>7.1.4.2.   <a href="#rfc.section.7.1.4.2">Triggering a Verification Event.</a>
</li>
</ul><li>7.1.5.   <a href="#rfc.section.7.1.5">Stream Updated Event</a>
</li>
</ul></ul><li>8.   <a href="#rfc.section.8">Authorization</a>
</li>
<li>9.   <a href="#rfc.section.9">Security Considerations</a>
</li>
<ul><li>9.1.   <a href="#rfc.section.9.1">Subject Probing</a>
</li>
<li>9.2.   <a href="#rfc.section.9.2">Information Harvesting</a>
</li>
<li>9.3.   <a href="#rfc.section.9.3">Malicious Subject Removal</a>
</li>
</ul><li>10.   <a href="#rfc.section.10">Privacy Considerations</a>
</li>
<ul><li>10.1.   <a href="#rfc.section.10.1">Subject Information Leakage</a>
</li>
<li>10.2.   <a href="#rfc.section.10.2">Previously Consented Data</a>
</li>
<li>10.3.   <a href="#rfc.section.10.3">New Data</a>
</li>
<ul><li>10.3.1.   <a href="#rfc.section.10.3.1">Organizational Data</a>
</li>
<li>10.3.2.   <a href="#rfc.section.10.3.2">Consentable Data</a>
</li>
</ul></ul><li>11.   <a href="#rfc.section.11">Profiles</a>
</li>
<ul><li>11.1.   <a href="#rfc.section.11.1">Security Event Token Profile</a>
</li>
<ul><li>11.1.1.   <a href="#rfc.section.11.1.1">Signature Key Resolution</a>
</li>
<li>11.1.2.   <a href="#rfc.section.11.1.2">SSE Event Subject</a>
</li>
<li>11.1.3.   <a href="#rfc.section.11.1.3">SSE Event Properties</a>
</li>
<li>11.1.4.   <a href="#rfc.section.11.1.4">Explicit Typing of SETs</a>
</li>
<li>11.1.5.   <a href="#rfc.section.11.1.5">The "exp" Claim</a>
</li>
<li>11.1.6.   <a href="#rfc.section.11.1.6">The "aud" Claim</a>
</li>
<li>11.1.7.   <a href="#rfc.section.11.1.7">The "events" claim</a>
</li>
<li>11.1.8.   <a href="#rfc.section.11.1.8">Security Considerations</a>
</li>
<ul><li>11.1.8.1.   <a href="#rfc.section.11.1.8.1">Distinguishing SETs from other Kinds of JWTs</a>
</li>
</ul></ul><li>11.2.   <a href="#rfc.section.11.2">SET Token Delivery Using HTTP Profile</a>
</li>
<ul><li>11.2.1.   <a href="#rfc.section.11.2.1">Stream Configuration Metadata</a>
</li>
<ul><li>11.2.1.1.   <a href="#rfc.section.11.2.1.1">Push Delivery using HTTP</a>
</li>
<li>11.2.1.2.   <a href="#rfc.section.11.2.1.2">Polling Delivery using HTTP</a>
</li>
</ul></ul></ul><li>12.   <a href="#rfc.section.12">IANA Considerations</a>
</li>
<li>13.   <a href="#rfc.references">References</a>
</li>
<ul><li>13.1.   <a href="#rfc.references.1">Normative References</a>
</li>
<li>13.2.   <a href="#rfc.references.2">Non-Normative References</a>
</li>
</ul><li>Appendix A.   <a href="#rfc.appendix.A">Acknowledgements</a>
</li>
<li>Appendix B.   <a href="#rfc.appendix.B">Notices</a>
</li>
<li><a href="#rfc.authors">Authors' Addresses</a>
</li>


  </ul>

  <h1 id="rfc.section.1">
<a href="#rfc.section.1">1.</a> <a href="#intro" id="intro">Introduction</a>
</h1>
<h1 id="rfc.section.1.1">
<a href="#rfc.section.1.1">1.1.</a> <a href="#conv" id="conv">Notational Conventions</a>
</h1>
<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <a href="#RFC2119" class="xref">[RFC2119]</a> <a href="#RFC8174" class="xref">[RFC8174]</a> when, and only when, they appear in all capitals, as shown here.</p>
<h1 id="rfc.section.2">
<a href="#rfc.section.2">2.</a> <a href="#subject-principals" id="subject-principals">Subject Principals</a>
</h1>
<p id="rfc.section.2.p.1">This SSE Framework specification defines a Subject Principal to be the entities about which an event can be sent by Transmitters and received by Receivers using the SSE Framework.</p>
<p id="rfc.section.2.p.2">Subject Principals are the managed entities in a SSE Transmitter or Receiver. These include human or robotic principals, devices, customer tenants in a multi-tenanted service, organizational units within a tenant, groups of subject principals or other entities that are managed by Transmitters and Receivers. There may be other actors or resources that can be treated as Subject Principals, and event-type definitions SHOULD specify the range of principals addressed by the event.</p>
<p id="rfc.section.2.p.3">Subject Principals are identified by Subject Members defined below.</p>
<h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#subject-ids" id="subject-ids">Subject Members in SSE Events</a>
</h1>
<p id="rfc.section.3.p.1">A member of type Subject in an SSE event MAY have any claim name. Each Subject Member MUST refer to exactly one Subject Principal.</p>
<p id="rfc.section.3.p.2">A Subject may be a <samp>simple subject</samp> or a <samp>complex subject.</samp></p>
<h1 id="rfc.section.3.1">
<a href="#rfc.section.3.1">3.1.</a> <a href="#simple-subjects" id="simple-subjects">Simple Subject Members</a>
</h1>
<p id="rfc.section.3.1.p.1">A Simple Subject Member has a claim name and a value that is a <samp>Subject Identifier</samp> as defined in the <a href="#SUBIDS" class="xref">Subject Identifiers for Security Event Tokens</a>. Below is a non-normative example of a Simple Subject Member in a SSE event.</p>
<div id="rfc.figure.1"></div>
<div id="simple-subject-ex"></div>
<pre>
"transferer": {
  "format": "email",
  "email": "foo@example.com"
}
        </pre>
<p class="figure">Figure 1: Example: Simple Subject</p>
<h1 id="rfc.section.3.2">
<a href="#rfc.section.3.2">3.2.</a> <a href="#complex-subjects" id="complex-subjects">Complex Subject Members</a>
</h1>
<p id="rfc.section.3.2.p.1">A Complex Subject Member has a name and a value that is a <a href="#RFC7159" class="xref">JSON</a> object that has one or more Simple Subject Members. The name of each Simple Subject Member in this value MAY be one of the following: </p>

<dl>
<dt>user</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies a user.</dd>
<dt>device</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies a device.</dd>
<dt>session</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies a session.</dd>
<dt>application</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies an application.</dd>
<dt>tenant</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies a tenant.</dd>
<dt>org_unit</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies an organizational unit.</dd>
<dt>group</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A Subject Identifier that identifies a group.</dd>
</dl>
<p id="rfc.section.3.2.p.2">Additional Subject Member names MAY be used in Complex Subjects. Each member name MAY appear at most once in the Complex Subject value.</p>
<p id="rfc.section.3.2.p.3">Below is a non-normative example of a Complex Subject claim in a SSE event.</p>
<div id="rfc.figure.2"></div>
<div id="complex-subject-ex"></div>
<pre>
"transferee": {
  "user" : {
    "format": "email",
    "email": "bar@example.com"
  },
  "tenant" : {
    "format": "iss_sub",
    "iss" : "http://example.com/idp1",
    "sub" : "1234"
  }
}
        </pre>
<p class="figure">Figure 2: Example: Complex Subject</p>
<h1 id="rfc.section.3.2.1">
<a href="#rfc.section.3.2.1">3.2.1.</a> <a href="#complex-subject-interpretation" id="complex-subject-interpretation">Complex Subject Interpretation</a>
</h1>
<p id="rfc.section.3.2.1.p.1">All members within a Complex Subject MUST represent attributes of the same Subject Principal. As a whole, the Complex Subject MUST refer to exactly one Subject Principal.</p>
<h1 id="rfc.section.3.3">
<a href="#rfc.section.3.3">3.3.</a> <a href="#subject-ids-in-sse" id="subject-ids-in-sse">Subject Identifiers in SSE Events</a>
</h1>
<p id="rfc.section.3.3.p.1">A Subject Identifier in a SSE event MUST have an identifier format that is any one of: </p>

<ul>
<li>Defined in the IANA Registry defined in <a href="#SUBIDS" class="xref">Subject Identifiers for Security Event Tokens</a>, located at <samp>"https://www.iana.org/assignments/secevent/".</samp>
</li>
<li>An identifier format defined in the <a href="#additional-subject-id-formats" class="xref">Additional Subject Identifier Formats</a> section below, OR</li>
<li>A proprietary subject identifier format that is agreed to between parties. Members within a subject identifier that has a proprietary subject identifier format are agreed to between the parties and such agreement is outside the scope of this specification.</li>
</ul>
<h1 id="rfc.section.3.4">
<a href="#rfc.section.3.4">3.4.</a> <a href="#additional-subject-id-formats" id="additional-subject-id-formats">Additional Subject Identifier Formats</a>
</h1>
<p id="rfc.section.3.4.p.1">The following new subject identifier formats are defined:</p>
<h1 id="rfc.section.3.4.1">
<a href="#rfc.section.3.4.1">3.4.1.</a> <a href="#sub-id-jwt-id" id="sub-id-jwt-id">JWT ID Subject Identifier Format</a>
</h1>
<p id="rfc.section.3.4.1.p.1">The "JWT ID" Subject Identifier Format specifies a JSON Web Token (JWT) identifier, defined in  <a href="#RFC7519" class="xref">[RFC7519]</a>. Subject Identifiers of this type MUST contain the following members: </p>

<dl>
<dt>iss</dt>
<dd style="margin-left: 8">
<br>REQUIRED. The "iss" (issuer) claim of the JWT being identified, defined in <a href="#RFC7519" class="xref">[RFC7519]</a>
</dd>
<dt>jti</dt>
<dd style="margin-left: 8">
<br>REQUIRED. The "jti" (JWT token ID) claim of the JWT being identified, defined in <a href="#RFC7519" class="xref">[RFC7519]</a>
</dd>
</dl>
<p id="rfc.section.3.4.1.p.2">The "JWT ID" Subject Identifier Format is identified by the name <samp>jwt-id</samp>.</p>
<p id="rfc.section.3.4.1.p.3">Below is a non-normative example of Subject Identifier for the <samp>jwt-id</samp> Subject Identifier Format.</p>
<div id="rfc.figure.3"></div>
<div id="sub-id-jwtid"></div>
<pre>

{
    "format": "jwt-id",
    "iss": "https://idp.example.com/123456789/",
    "jti": "B70BA622-9515-4353-A866-823539EECBC8"
}
        </pre>
<p class="figure">Figure 3: Example: 'jwt-id' Subject Identifier</p>
<h1 id="rfc.section.3.4.2">
<a href="#rfc.section.3.4.2">3.4.2.</a> <a href="#sub-id-saml-assertion-id" id="sub-id-saml-assertion-id">SAML Assertion ID Subject Identifier Format</a>
</h1>
<p id="rfc.section.3.4.2.p.1">The "SAML Assertion ID" Subject Identifier Format specifies a SAML 2.0 <a href="#OASIS.saml-core-2.0-os" class="xref">[OASIS.saml-core-2.0-os]</a> assertion identifier. Subject Identifiers of this format MUST contain the following members: </p>

<dl>
<dt>issuer</dt>
<dd style="margin-left: 8">
<br>REQUIRED. The "Issuer" value of the SAML assertion being identified, defined in <a href="#OASIS.saml-core-2.0-os" class="xref">[OASIS.saml-core-2.0-os]</a>
</dd>
<dt>assertion_id</dt>
<dd style="margin-left: 8">
<br>REQUIRED. The "ID" value of the SAML assertion being identified, defined in <a href="#OASIS.saml-core-2.0-os" class="xref">[OASIS.saml-core-2.0-os]</a> </dd>
</dl>
<p id="rfc.section.3.4.2.p.2">The "SAML Assertion ID" Subject Identifier Format is identified by the name <samp>saml_assertion_id</samp>.</p>
<p id="rfc.section.3.4.2.p.3">Below is a non-normative example Subject Identifier for the <samp>saml_assertion_id</samp> Subject Identifier Format.</p>
<div id="rfc.figure.4"></div>
<div id="sub-id-samlassertionid"></div>
<pre>
{
    "format": "saml_assertion_id",
    "issuer": "https://idp.example.com/123456789/",
    "assertion_id": "_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6"
}
        </pre>
<p class="figure">Figure 4: Example: 'saml_assertion_id' Subject Identifier</p>
<h1 id="rfc.section.3.5">
<a href="#rfc.section.3.5">3.5.</a> <a href="#receiver-subject-processing" id="receiver-subject-processing">Receiver Subject Processing</a>
</h1>
<p id="rfc.section.3.5.p.1">A SSE Receiver MUST make a best effort process all members from a Subject in an SSE event.  The <a href="#discovery-meta" class="xref">Transmitter Configuration Metadata</a> defined below MAY define certain members within a Complex Subject to be Critical. A SSE Receiver MUST discard any event that contains a Subject with a Critical member that it is unable to process.</p>
<h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#properties" id="properties">Event Properties</a>
</h1>
<p id="rfc.section.4.p.1">Additional members about an event may be included in the <samp>events</samp> claim. Some of these members are required and specified as such in the respective event types specs. If a Transmitter determines that it needs to include additional members that are not specified in the event types spec, then the name of such members MUST be a URI. The discoverability of all additional members is specified in the <a href="#discovery" class="xref">Discovery</a> section.  </p>
<h1 id="rfc.section.5">
<a href="#rfc.section.5">5.</a> <a href="#events-examples" id="events-examples">Example SETs that conform to the SSE framework</a>
</h1>
<p id="rfc.section.5.p.1">The following are hypothetical examples of SETs that conform to the SSE framework.</p>
<div id="rfc.figure.5"></div>
<div id="subject-ids-ex-simple"></div>
<pre>
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1520364019,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/account-enabled": {
      "subject": {
        "format": "email",
        "email": "foo@example.com"
      }
    }
  }
}
        </pre>
<p class="figure">Figure 5: Example: SET Containing a SSE Event with a Simple Subject Member</p>
<div id="rfc.figure.6"></div>
<div id="subject-ids-ex-complex"></div>
<pre>
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1520364019,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked": {
      "subject": {
          "user": {
              "format": "iss_sub",
              "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
              "sub": "jane.smith@example.com"
          },
          "device": {
              "format": "iss_sub",
              "iss": "https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/",
              "sub": "e9297990-14d2-42ec-a4a9-4036db86509a"
          }
      }
      "initiating_entity": "policy",
      "reason_admin": "Policy Violation: C076E82F",
      "reason_user": "Landspeed violation.",
      "event_timestamp": 1600975810
    }
  }
}
        </pre>
<p class="figure">Figure 6: Example: SET Containing a SSE Event with a Complex Subject Member</p>
<div id="rfc.figure.7"></div>
<div id="subject-properties-ex"></div>
<pre>
{
  "iss": "https://sp.example2.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1520364019,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/token-claims-change": {
      "subject": {
        "format": "email",
        "email": "foo@example2.com"
      },
      "event_timestamp": 1600975810,
      "claims": {
         "role": "ro-admin"
      }
    }
  }
}
        </pre>
<p class="figure">Figure 7: Example: SET Containing a SSE Event with a Simple Subject and a Property Member</p>
<div id="rfc.figure.8"></div>
<div id="subject-custom-type-ex"></div>
<pre>
{
  "iss": "https://myservice.example3.com/",
  "jti": "756E69717565206964656E746966696534",
  "iat": 15203800012,
  "aud": "636C69656E745F6324",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/token-claims-change": {
    "subject": {
        "format": "catalog_item",
        "catalog_id": "c0384/winter/2354122"
      },
      "event_timestamp": 1600975810,
      "claims": {
         "role": "ro-admin"
      }
    }
  }
}
        </pre>
<p class="figure">Figure 8: Example: SET Containing a SSE Event with a Proprietary Subject Identifier Format</p>
<h1 id="rfc.section.6">
<a href="#rfc.section.6">6.</a> <a href="#discovery" id="discovery">Transmitter Configuration Discovery</a>
</h1>
<p id="rfc.section.6.p.1">This section defines a mechanism for Receivers to obtain Transmitter configuration information.</p>
<h1 id="rfc.section.6.1">
<a href="#rfc.section.6.1">6.1.</a> <a href="#discovery-meta" id="discovery-meta">Transmitter Configuration Metadata</a>
</h1>
<p id="rfc.section.6.1.p.1">Transmitters have metadata describing their configuration:</p>

<dl>
<dt>issuer</dt>
<dd style="margin-left: 8">REQUIRED. URL using the https scheme with no query or fragment component that the Transmitter asserts as its Issuer Identifier. This MUST be identical to the iss claim value in Security Event Tokens issued from this Transmitter.</dd>
<dt>jwks_uri</dt>
<dd style="margin-left: 8">REQUIRED. URL of the Transmitter's <a href="#RFC7517" class="xref">JSON Web Key Set</a> document. This contains the signing key(s) the Receiver uses to validate signatures from the Transmitter.</dd>
<dt>delivery_methods_supported</dt>
<dd style="margin-left: 8">RECOMMENDED. List of supported delivery method URIs.</dd>
<dt>configuration_endpoint</dt>
<dd style="margin-left: 8">OPTIONAL. The URL of the Configuration Endpoint.</dd>
<dt>status_endpoint</dt>
<dd style="margin-left: 8">OPTIONAL. The URL of the Status Endpoint.</dd>
<dt>add_subject_endpoint</dt>
<dd style="margin-left: 8">OPTIONAL. The URL of the Add Subject Endpoint.</dd>
<dt>remove_subject_endpoint</dt>
<dd style="margin-left: 8">OPTIONAL. The URL of the Remove Subject Endpoint.</dd>
<dt>verification_endpoint</dt>
<dd style="margin-left: 8">OPTIONAL. The URL of the Verification Endpoint.</dd>
<dt>critical_subject_members</dt>
<dd style="margin-left: 8">OPTIONAL. List of member names in a Complex Subject which, if present in a Subject Member in an event, MUST be interpreted by a Receiver.</dd>
</dl>
<p id="rfc.section.6.1.p.2">TODO: consider adding a IANA Registry for metadata, similar to Section 7.1.1 of <a href="#OAUTH-DISCOVERY" class="xref">[OAUTH-DISCOVERY]</a>.  This would allow other specs to add to the metadata.</p>
<h1 id="rfc.section.6.2">
<a href="#rfc.section.6.2">6.2.</a> Obtaining Transmitter Configuration Information</h1>
<p id="rfc.section.6.2.p.1">Using the Issuer as documented by the Transmitter, the Transmitter Configuration Information can be retrieved.</p>
<p id="rfc.section.6.2.p.2">Transmitters supporting Discovery MUST make a JSON document available at the path formed by inserting the string <samp>/.well-known/sse-configuration</samp> into the Issuer between the host component and the path component, if any. The syntax and semantics of <samp>.well-known</samp> are defined in <a href="#RFC5785" class="xref">[RFC5785]</a>.  <samp>sse-configuration</samp> MUST point to a JSON document compliant with this specification and MUST be returned using the <samp>application/json</samp> content type.</p>
<h1 id="rfc.section.6.2.1">
<a href="#rfc.section.6.2.1">6.2.1.</a> Transmitter Configuration Request</h1>
<p id="rfc.section.6.2.1.p.1">A Transmitter Configuration Document MUST be queried using an HTTP <samp>GET</samp> request at the previously specified path.</p>
<div id="rfc.figure.9"></div>
<div id="figdiscoveryrequest"></div>
<pre>
GET /.well-known/sse-configuration HTTP/1.1
Host: tr.example.com
</pre>
<p class="figure">Figure 9: Example: Transmitter Configuration Request (without path)</p>
<p id="rfc.section.6.2.1.p.2">The Receiver would make the following request to the Issuer <samp>https://tr.example.com</samp> to obtain its Configuration information, since the Issuer contains no path component: </p>
<div id="rfc.figure.10"></div>
<div id="figdiscoveryrequestpath"></div>
<pre>
GET /.well-known/sse-configuration/issuer1 HTTP/1.1
Host: tr.example.com
</pre>
<p class="figure">Figure 10: Example: Transmitter Configuration Request (with path)</p>
<p id="rfc.section.6.2.1.p.3">If the  Issuer value contains a path component, any terminating <samp>/</samp> MUST be removed before inserting <samp>/.well-known/sse-configuration</samp> between the host component and the path component. The Receiver would make the following request to the Issuer <samp>https://tr.example.com/issuer1</samp> to obtain its Configuration information, since the Issuer contains a path component: </p>
<p id="rfc.section.6.2.1.p.4">Using path components enables supporting multiple issuers per host. This is required in some multi-tenant hosting configurations. This use of <samp>.well-known</samp> is for supporting multiple issuers per host; unlike its use in <a href="#RFC5785" class="xref">[RFC5785]</a>, it does not provide general information about the host.  </p>
<h1 id="rfc.section.6.2.2">
<a href="#rfc.section.6.2.2">6.2.2.</a> Backward Compatibility for RISC Transmitters</h1>
<div id="rfc.figure.11"></div>
<div id="figolddiscoveryrequest"></div>
<pre>
GET /.well-known/risc-configuration HTTP/1.1
Host: risc-tr.example.com
</pre>
<p class="figure">Figure 11: Example: Transmitter Configuration Request for RISC Transmitters</p>
<p id="rfc.section.6.2.2.p.1">Existing RISC Transmitters MAY continue to use the path component <samp>/risc-configuration</samp> instead of the path component <samp>/sse-configuration</samp> in the path for the Transmitter Configuration Metadata. New services supporting the SSE Framework SHOULD NOT use this location for publishing the Transmitter Configuration Metadata. For example, the Transmitter Configuration Metadata for the Transmitter <samp>https://risc-tr.example.com</samp> MAY be obtained by making the following request: </p>
<h1 id="rfc.section.6.2.3">
<a href="#rfc.section.6.2.3">6.2.3.</a> Transmitter Configuration Response</h1>
<p id="rfc.section.6.2.3.p.1">The response is a set of Claims about the Transmitter's configuration, including all necessary endpoints and public key location information. A successful response MUST use the 200 OK HTTP status code and return a JSON object using the <samp>application/json</samp> content type that contains a set of Claims as its members that are a subset of the Metadata values defined in <a href="#discovery-meta" class="xref">Section 6.1</a>.  Other Claims MAY also be returned.</p>
<p id="rfc.section.6.2.3.p.2">Claims that return multiple values are represented as JSON arrays. Claims with zero elements MUST be omitted from the response.</p>
<p id="rfc.section.6.2.3.p.3">An error response uses the applicable HTTP status code value.</p>
<div id="rfc.figure.12"></div>
<div id="figdiscoveryresponse"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer":
    "https://tr.example.com",
  "jwks_uri":
    "https://tr.example.com/jwks.json",
  "delivery_methods_supported": [
    "https://schemas.openid.net/secevent/risc/delivery-method/push",
    "https://schemas.openid.net/secevent/risc/delivery-method/poll"],
  "configuration_endpoint":
    "https://tr.example.com/sse/mgmt/stream",
  "status_endpoint":
    "https://tr.example.com/sse/mgmt/status",
  "add_subject_endpoint":
    "https://tr.example.com/sse/mgmt/subject:add",
  "remove_subject_endpoint":
    "https://tr.example.com/sse/mgmt/subject:remove",
  "verification_endpoint":
    "https://tr.example.com/sse/mgmt/verification",
  "critical_subject_members": [ "tenant", "user" ]
}
</pre>
<p class="figure">Figure 12: Example: Transmitter Configuration Response</p>
<p></p>
<h1 id="rfc.section.6.2.4">
<a href="#rfc.section.6.2.4">6.2.4.</a> Transmitter Configuration Validation</h1>
<p id="rfc.section.6.2.4.p.1">If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.</p>
<p id="rfc.section.6.2.4.p.2">The <samp>issuer</samp> value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the <samp>iss</samp> Claim value in Security Event Tokens issued from this Transmitter.  </p>
<h1 id="rfc.section.7">
<a href="#rfc.section.7">7.</a> <a href="#management" id="management">Management API for SET Event Streams</a>
</h1>
<p id="rfc.section.7.p.1">This section defines an HTTP API to be implemented by Event Transmitters and that can be used by Event Receivers to query and update the Event Stream configuration and status, to add and remove subjects and to trigger verification.</p>
<p id="rfc.section.7.p.2">This section is based on <a href="#MGMTAPI" class="xref">Management API for SET Event Streams</a>.</p>
<div id="rfc.figure.13"></div>
<div id="figintro"></div>
<pre>
+------------+                +------------+
|            | Stream Config  |            |
| Event      &lt;----------------+ Event      |
| Stream     |                | Receiver   |
| Management | Stream Status  |            |
| API        &lt;----------------+            |
|            |                |            |
|            | Add Subject    |            |
|            &lt;----------------+            |
|            |                |            |
|            | Remove Subject |            |
|            &lt;----------------+            |
|            |                |            |
|            | Stream Updated |            |
|            +----------------&gt;            |
|            |                |            |
|            | Verification   |            |
|            &lt;----------------+            |
|            |                |            |
+------------+                +------------+
</pre>
<p class="figure">Figure 13: Event Stream Management API</p>
<p id="rfc.section.7.p.3">It is OPTIONAL for Transmitters to implement a Management API, but it is RECOMMENDED that they implement it, especially the endpoints for querying the Stream Status and for triggering Verification.</p>
<h1 id="rfc.section.7.1">
<a href="#rfc.section.7.1">7.1.</a> <a href="#management-api" id="management-api">Event Stream Management</a>
</h1>
<p id="rfc.section.7.1.p.1">Event Receivers manage how they receive events, and the subjects about which they want to receive events over an Event Stream by making HTTP requests to endpoints in the Event Stream Management API.</p>
<p id="rfc.section.7.1.p.2">A Transmitter and Receiver MAY use the same Event Stream for updates about multiple Subject Principals. The status of the Event Stream MAY be queried and managed independently for each Subject Principal by Transmitters and Receivers.</p>
<p id="rfc.section.7.1.p.3">The Event Stream Management API is implemented by the Event Transmitter and consists of the following endpoints:</p>
<p></p>

<dl>
<dt>Configuration Endpoint</dt>
<dd style="margin-left: 8">
<br> An endpoint used to read the Event Stream&#8217;s current configuration.</dd>
<dt>Status Endpoint</dt>
<dd style="margin-left: 8">
<br> An endpoint used to read the Event Stream&#8217;s current status.</dd>
<dt>Add Subject Endpoint</dt>
<dd style="margin-left: 8">
<br> An endpoint used to add subjects to an Event Stream.</dd>
<dt>Remove Subject Endpoint</dt>
<dd style="margin-left: 8">
<br> An endpoint used to remove subjects from an Event Stream.</dd>
<dt>Verification Endpoint</dt>
<dd style="margin-left: 8">
<br> An endpoint used to request the Event Transmitter transmit a Verification Event over the Event Stream.</dd>
</dl>
<p id="rfc.section.7.1.p.5">An Event Transmitter MAY use the same URLs as endpoints for multiple streams, provided that the Event Transmitter has some mechanism through which they can identify the applicable Event Stream for any given request, e.g. from authentication credentials. The definition of such mechanisms is outside the scope of this specification.</p>
<p id="rfc.section.7.1.p.6">Within an Event Stream, events related to different Subject Principals MAY be managed independently. A Receiver MAY request Subject Principals to be added to or removed from a stream by <a href="#updating-a-streams-status" class="xref">Updating the Stream Status</a> and specifying the Subject in the request.</p>
<p id="rfc.section.7.1.p.7">A Transmitter MAY decide to enable, pause or disable updates about a Subject independently of an update request from a Receiver. If a Transmitter decides to start or stop events for a Subject then the Transmitter MUST do the following according to the status of the stream</p>
<p id="rfc.section.7.1.p.8">If the stream is: </p>

<dl>
<dt>Enabled</dt>
<dd style="margin-left: 8">the Transmitter MUST send a <a href="#stream-updated-event" class="xref">stream updated</a> event respectively to the Receiver within the Event Stream.</dd>
<dt>Paused</dt>
<dd style="margin-left: 8">the Transmitter SHOULD send <a href="#stream-updated-event" class="xref">stream updated</a> after the Event Stream is re-started. A Receiver MUST assume that events may have been lost during the time when the event stream was paused.</dd>
<dt>Disabled</dt>
<dd style="margin-left: 8">the Transmitter MAY send <a href="#stream-updated-event" class="xref">stream updated</a> after the Event Stream is re-enabled.</dd>
</dl>
<h1 id="rfc.section.7.1.1">
<a href="#rfc.section.7.1.1">7.1.1.</a> <a href="#status" id="status">Stream Status</a>
</h1>
<h1 id="rfc.section.7.1.1.1">
<a href="#rfc.section.7.1.1.1">7.1.1.1.</a> <a href="#reading-a-streams-status" id="reading-a-streams-status">Reading a Stream&#8217;s Status</a>
</h1>
<p id="rfc.section.7.1.1.1.p.1">An Event Receiver checks the current status of an event stream by making an HTTP GET request to the stream&#8217;s Status Endpoint.</p>
<p id="rfc.section.7.1.1.1.p.2">The Stream Status method takes the following parameters: </p>

<dl>
<dt>subject</dt>
<dd style="margin-left: 8">OPTIONAL. The subject for which the stream status is requested.</dd>
</dl>

<p> </p>
<p id="rfc.section.7.1.1.1.p.3">On receiving a valid request the Event Transmitter responds with a 200 OK response containing a <a href="#RFC7159" class="xref">JSON</a> object with an attribute <samp>status</samp>, whose string value MUST have one of the following values:</p>

<dl>
<dt>enabled</dt>
<dd style="margin-left: 8">
<br> The Transmitter MUST transmit events over the stream, according to the stream&#8217;s configured delivery method.</dd>
<dt>paused</dt>
<dd style="margin-left: 8">
<br> The Transmitter MUST NOT transmit events over the stream. The transmitter will hold any events it would have transmitted while paused, and SHOULD transmit them when the stream&#8217;s status becomes <samp>enabled</samp>. If a Transmitter holds successive events that affect the same Subject Principal, then the Transmitter MUST make sure that those events are transmitted in the order of time that they were generated OR the Transmitter MUST send only the last events that do not require the previous events affecting the same Subject Principal to be processed by the Receiver, because the previous events are either cancelled by the later events or the previous events are outdated.</dd>
<dt>disabled</dt>
<dd style="margin-left: 8">
<br> The Transmitter MUST NOT transmit events over the stream, and will not hold any events for later transmission.</dd>
</dl>
<p id="rfc.section.7.1.1.1.p.4">The following is a non-normative example request to check an event stream&#8217;s status:</p>
<div id="rfc.figure.14"></div>
<div id="figstatusreq"></div>
<pre>
GET /sse/status HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer zzzz
</pre>
<p class="figure">Figure 14: Example: Check Stream Status Request</p>
<div id="rfc.figure.15"></div>
<div id="figstatusresp"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "status": "enabled"
}

              </pre>
<p class="figure">Figure 15: Example: Check Stream Status Response</p>
<p id="rfc.section.7.1.1.1.p.5">The following is a non-normative example response: </p>
<div id="rfc.figure.16"></div>
<div id="figstatuswithsubjectreq"></div>
<pre>
GET /sse/status?subject=&lt;url-encoded-subject&gt; HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

              </pre>
<p class="figure">Figure 16: Example: Check Stream Status Request with Subject</p>
<p id="rfc.section.7.1.1.1.p.6">The following is a non-normative example request to check an event stream's status for a specific subject: </p>
<div id="rfc.figure.17"></div>
<div id="figstatuswithsubjectresp"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "status": "enabled",
  "subject": {
    "tenant" : {
      "format" : "iss_sub",
      "iss" : "http://example.com/idp1",
      "sub" : "1234"
    }
  }
}

              </pre>
<p class="figure">Figure 17: Example: Check Stream Status Response</p>
<p id="rfc.section.7.1.1.1.p.7">The following is a non-normative example response with a Subject claim: </p>
<p id="rfc.section.7.1.1.1.p.8">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.1"></div>
<div id="tabreadstatus"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Read Stream Status Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to read the stream status</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if there is no Event Stream configured for this Event Receiver, or if the Subject specified is invalid or if the Receiver is not authorized to get status for the specified Subject.</td>
</tr>
</tbody>
</table>
<p id="rfc.section.7.1.1.1.p.9">Examples: </p>

<ol>
<li>If a Receiver makes a request with an invalid OAuth token, then the Transmitter MUST respond with a 401 error status.</li>
<li>If the Receiver presents a valid OAuth token, but the Transmitter policy does not permit the Receiver from obtaining the status, then the Transmitter MAY respond with a 403 error status.</li>
<li>If the Receiver requests the status for specific Subject, but the Transmitter policy does not permit the Receiver to read the status of that Subject, then the Transmitter MAY respond with a 404 error status in order to not reveal the policy decision.</li>
<li>If the specified Subject is invalid then the Transmitter MUST respond with a 404 error status.</li>
</ol>
<h1 id="rfc.section.7.1.1.2">
<a href="#rfc.section.7.1.1.2">7.1.1.2.</a> <a href="#updating-a-streams-status" id="updating-a-streams-status">Updating a Stream's Status</a>
</h1>
<p id="rfc.section.7.1.1.2.p.1">An Event Receiver updates the current status of a stream by making an HTTP POST request to the Status Endpoint. The POST body contains a <a href="#RFC7159" class="xref">JSON</a> object with the following fields: <samp>200 OK</samp> response containing a <a href="#RFC7159" class="xref">JSON</a> representation of the updated stream status in the body.</p>

<dl>
<dt>status</dt>
<dd style="margin-left: 8">
<br>REQUIRED. The new status of the Event Stream.</dd>
<dt>subject</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. The Subject to which the new status applies.</dd>
<dt>reason</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. A short text description that explains the reason for the change.</dd>
</dl>

<p> On receiving a valid request the Event Transmitter responds with a </p>
<div id="rfc.figure.18"></div>
<div id="figupdatestatusreq"></div>
<pre>
POST /sse/status HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

{
  "status": "paused"
}

                </pre>
<p class="figure">Figure 18: Example: Update Stream Status Request Without Optional Fields</p>
<p id="rfc.section.7.1.1.2.p.2">The following is a non-normative example request to update an Event Stream&#8217;s status: </p>
<div id="rfc.figure.19"></div>
<div id="figupdatestatuswithsubjectreq"></div>
<pre>
POST /sse/status HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

{
  "status": "paused",
  "subject": {
    "tenant" : {
      "format" : "iss_sub",
      "iss" : "http://example.com/idp1",
      "sub" : "1234"
    }
  },
  "reason": "Disabled by administrator action."
}

                </pre>
<p class="figure">Figure 19: Example: Update Stream Status Request With Optional Fields</p>
<p id="rfc.section.7.1.1.2.p.3">The following is a non-normative example of an Update Stream Status request with optional fields: </p>
<div id="rfc.figure.20"></div>
<div id="figupdatestatusresp"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "status": "paused"
}

                </pre>
<p class="figure">Figure 20: Example: Update Stream Status Response</p>
<p id="rfc.section.7.1.1.2.p.4">The following is a non-normative example response: </p>
<p id="rfc.section.7.1.1.2.p.5">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.2"></div>
<div id="tabupdatestatus"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Update Stream Status Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">202</td>
<td class="left">if the update request has been accepted, but not processed. Receiver MAY try the same request later in order to get processing result.</td>
</tr>
<tr>
<td class="left">400</td>
<td class="left">if the request body cannot be parsed or if the request is otherwise invalid</td>
</tr>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to update the stream status</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if there is no Event Stream configured for this Event Receiver, or if an invalid Subject is specified.</td>
</tr>
</tbody>
</table>
<p id="rfc.section.7.1.1.2.p.6">Example: </p>

<ol><li>If a Receiver makes a request to update the stream to enable it for a specific Subject, and the Transmitter is unable to decide whether or not to complete the request, then the Transmitter MUST respond with a 202 status code.</li></ol>
<h1 id="rfc.section.7.1.2">
<a href="#rfc.section.7.1.2">7.1.2.</a> <a href="#stream-config" id="stream-config">Stream Configuration</a>
</h1>
<p id="rfc.section.7.1.2.p.1">An Event Stream&#8217;s configuration is represented as a <a href="#RFC7159" class="xref">JSON</a> object with the following properties:</p>
<p></p>

<dl>
<dt>iss</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Only</strong>, A URL using the https scheme with no query or fragment component that the Transmitter asserts as its Issuer Identifier. This MUST be identical to the <samp>iss</samp> Claim value in Security Event Tokens issued from this Transmitter.</dd>
<dt>aud</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Only</strong>, A string or an array of strings containing an audience claim as defined in <a href="#RFC7519" class="xref">JSON Web Token (JWT)</a> that identifies the Event Receiver(s) for the Event Stream. This property cannot be updated. If multiple Receivers are specified then the Transmitter SHOULD know that these Receivers are the same entity.</dd>
<dt>events_supported</dt>
<dd style="margin-left: 8">
<br>  <strong>Read-Only</strong>, An array of URIs identifying the set of events supported by the Transmitter for this Receiver. If omitted, Event Transmitters SHOULD make this set available to the Event Receiver via some other means (e.g. publishing it in online documentation).</dd>
<dt>events_requested</dt>
<dd style="margin-left: 8">
<br>  <strong>Read-Write</strong>, An array of URIs identifying the set of events that the Receiver requested. A Receiver SHOULD request only the events that it understands and it can act on. This is configurable by the Receiver.</dd>
<dt>events_delivered</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Only</strong>, An array of URIs which is the intersection of <samp>events_supported</samp> and <samp>events_requested</samp>. These events MAY be delivered over the Event Stream.</dd>
<dt>delivery</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Write</strong>, A JSON object containing a set of name/value pairs specifying configuration parameters for the SET delivery method.  The actual delivery method is identified by the special key <samp>method</samp> with the value being a URI as defined in <a href="#delivery-meta" class="xref">Section 11.2.1</a>.</dd>
<dt>min_verification_interval</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Only</strong>, An integer indicating the minimum amount of time in seconds that must pass in between verification requests. If an Event Receiver submits verification requests more frequently than this, the Event Transmitter MAY respond with a 429 status code. An Event Transmitter SHOULD NOT respond with a 429 status code if an Event Receiver is not exceeding this frequency.</dd>
<dt>format</dt>
<dd style="margin-left: 8">
<br> <strong>Read-Write</strong>, The Subject Identifier Format that the Receiver wants for the events.  If not set then the Transmitter might decide to use a type that discloses more information than necessary.</dd>
</dl>
<p id="rfc.section.7.1.2.p.3">TODO: consider adding a IANA Registry for stream configuration metadata, similar to Section 7.1.1 of <a href="#OAUTH-DISCOVERY" class="xref">[OAUTH-DISCOVERY]</a>. This would allow other specs to add to the stream configuration.</p>
<h1 id="rfc.section.7.1.2.1">
<a href="#rfc.section.7.1.2.1">7.1.2.1.</a> <a href="#reading-a-streams-configuration" id="reading-a-streams-configuration">Reading a Stream&#8217;s Configuration</a>
</h1>
<p id="rfc.section.7.1.2.1.p.1">An Event Receiver gets the current configuration of a stream by making an HTTP GET request to the Configuration Endpoint. On receiving a valid request the Event Transmitter responds with a <samp>200 OK</samp> response containing a <a href="#RFC7159" class="xref">JSON</a> representation of the stream&#8217;s configuration in the body.</p>
<p id="rfc.section.7.1.2.1.p.2">The following is a non-normative example request to read an Event Stream&#8217;s configuration:</p>
<div id="rfc.figure.21"></div>
<div id="figreadconfigreq"></div>
<pre>
GET /sse/stream HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=
</pre>
<p class="figure">Figure 21: Example: Read Stream Configuration Request</p>
<p id="rfc.section.7.1.2.1.p.3">The following is a non-normative example response:</p>
<div id="rfc.figure.22"></div>
<div id="figreadconfigresp"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "iss": "https://tr.example.com",
  "aud": [
      "http://receiver.example.com/web",
      "http://receiver.example.com/mobile"
    ],
  "delivery": {
    "delivery_method":
      "https://schemas.openid.net/secevent/risc/delivery-method/push",
      "url": "https://receiver.example.com/events"
  },
  "events_supported": [
    "urn:example:secevent:events:type_1",
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3"
  ],
  "events_requested": [
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3",
    "urn:example:secevent:events:type_4"
  ],
  "events_delivered": [
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3"
  ]
}
</pre>
<p class="figure">Figure 22: Example: Read Stream Configuration Response</p>
<p id="rfc.section.7.1.2.1.p.4">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.3"></div>
<div id="tabreadconfig"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Read Stream Configuration Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to read the stream configuration</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if there is no Event Stream configured for this Event Receiver</td>
</tr>
</tbody>
</table>
<h1 id="rfc.section.7.1.2.2">
<a href="#rfc.section.7.1.2.2">7.1.2.2.</a> <a href="#updating-a-streams-configuration" id="updating-a-streams-configuration">Updating a Stream&#8217;s Configuration</a>
</h1>
<p id="rfc.section.7.1.2.2.p.1">An Event Receiver updates the current configuration of a stream by making an HTTP POST request to the Configuration Endpoint. The POST body contains a <a href="#RFC7159" class="xref">JSON</a> representation of the updated configuration. On receiving a valid request the Event Transmitter responds with a <samp>200 OK</samp> response containing a <a href="#RFC7159" class="xref">JSON</a> representation of the updated stream configuration in the body.</p>
<p id="rfc.section.7.1.2.2.p.2">The full set of editable properties must be present in the POST body, not only the ones that are specifically intended to be changed. Missing properties SHOULD be interpreted as requested to be deleted. Event Receivers should read the configuration first, modify the <a href="#RFC7159" class="xref">JSON</a> representation, then make an update request.</p>
<p id="rfc.section.7.1.2.2.p.3">Properties that cannot be updated MAY be present, but they MUST match the expected value.</p>
<p id="rfc.section.7.1.2.2.p.4">The following is a non-normative example request to update an Event Stream&#8217;s configuration:</p>
<div id="rfc.figure.23"></div>
<div id="figupdateconfigreq"></div>
<pre>
POST /sse/stream HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

{
  "iss": "https://tr.example.com",
  "aud": [
    "http://receiver.example.com/web",
    "http://receiver.example.com/mobile"
  ],
  "delivery": {
    "delivery_method":
      "https://schemas.openid.net/secevent/risc/delivery-method/push",
      "url": "https://receiver.example.com/events"
  },
  "events_requested": [
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3",
    "urn:example:secevent:events:type_4"
  ]
}
</pre>
<p class="figure">Figure 23: Example: Update Stream Configuration Request</p>
<p id="rfc.section.7.1.2.2.p.5">The following is a non-normative example response:</p>
<div id="rfc.figure.24"></div>
<div id="figupdateconfigresp"></div>
<pre>
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "iss": "https://tr.example.com",
  "aud": [
    "http://receiver.example.com/web",
    "http://receiver.example.com/mobile"
  ],
  "delivery": {
    "delivery_method":
      "https://schemas.openid.net/secevent/risc/delivery-method/push",
      "url": "https://receiver.example.com/events"
  },
  "events_supported": [
    "urn:example:secevent:events:type_1",
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3"
  ],
  "events_requested": [
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3",
    "urn:example:secevent:events:type_4"
  ],
  "events_delivered": [
    "urn:example:secevent:events:type_2",
    "urn:example:secevent:events:type_3"
  ]
}
</pre>
<p class="figure">Figure 24: Example: Update Stream Configuration Response</p>
<p id="rfc.section.7.1.2.2.p.6">Pending conditions or errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.4"></div>
<div id="tabupdateconfig"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Update Stream Configuration Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">202</td>
<td class="left">if the update request has been accepted, but not processed. Receiver MAY try the same request later in order to get processing result.</td>
</tr>
<tr>
<td class="left">400</td>
<td class="left">if the request body cannot be parsed or if the request is otherwise invalid</td>
</tr>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to update the stream configuration</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if there is no Event Stream configured for this Event Receiver</td>
</tr>
</tbody>
</table>
<h1 id="rfc.section.7.1.2.3">
<a href="#rfc.section.7.1.2.3">7.1.2.3.</a> <a href="#removing-a-stream-configuration" id="removing-a-stream-configuration">Removing a Stream Configuration</a>
</h1>
<p id="rfc.section.7.1.2.3.p.1">An Event Receiver removes the configuration of a stream by making an HTTP DELETE request to the Configuration Endpoint. On receiving a request the Event Transmitter responds with a <samp>200 OK</samp> response if the configuration was successfully removed.</p>
<p id="rfc.section.7.1.2.3.p.2">The following is a non-normative example request to remove an Event Stream&#8217;s configuration:</p>
<div id="rfc.figure.25"></div>
<div id="figremoveconfigreq"></div>
<pre>
DELETE /sse/stream HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=
</pre>
<p class="figure">Figure 25: Example: Remove Stream Configuration Request</p>
<p id="rfc.section.7.1.2.3.p.3">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.5"></div>
<div id="tabremoveconfig"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Update Stream Configuration Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to update the stream configuration</td>
</tr>
</tbody>
</table>
<h1 id="rfc.section.7.1.3">
<a href="#rfc.section.7.1.3">7.1.3.</a> <a href="#subjects" id="subjects">Subjects</a>
</h1>
<p id="rfc.section.7.1.3.p.1">An Event Receiver can indicate to an Event Transmitter whether or not the receiver wants to receive events about a particular subject by &#8220;adding&#8221; or &#8220;removing&#8221; that subject to the Event Stream, respectively.</p>
<h1 id="rfc.section.7.1.3.1">
<a href="#rfc.section.7.1.3.1">7.1.3.1.</a> <a href="#adding-a-subject-to-a-stream" id="adding-a-subject-to-a-stream">Adding a Subject to a Stream</a>
</h1>
<p id="rfc.section.7.1.3.1.p.1">To add a subject to an Event Stream, the Event Receiver makes an HTTP POST request to the Add Subject Endpoint, containing in the body a JSON object the following claims:</p>

<dl>
<dt>subject</dt>
<dd style="margin-left: 8">
<br>REQUIRED. A Subject claim identifying the subject to be added.</dd>
<dt>verified</dt>
<dd style="margin-left: 8">
<br>OPTIONAL.  A boolean value; when true, it indicates that the Event Receiver has verified the Subject claim.  When false, it indicates that the Event Receiver has not verified the Subject claim. If omitted, Event Transmitters SHOULD assume that the subject has been verified.</dd>
</dl>
<p id="rfc.section.7.1.3.1.p.2">On a successful response, the Event Transmitter responds with an empty <samp>200 OK</samp> response.  The Event Transmitter MAY choose to silently ignore the request, for example if the subject has previously indicated to the transmitter that they do not want events to be transmitted to the Event Receiver. In this case, the transmitter MAY return an empty <samp>200 OK</samp> response or an appropriate error code. See <a href="#management-sec" class="xref">Security Considerations</a>.</p>
<p id="rfc.section.7.1.3.1.p.3">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.6"></div>
<div id="tabadderr"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Add Subject Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">400</td>
<td class="left">if the request body cannot be parsed or if the request is otherwise invalid</td>
</tr>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to add this particular subject, or not allowed to add in general</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if the subject is not recognized by the Event Transmitter, the Event Transmitter may chose to stay silent in this case and respond with <samp>200</samp>
</td>
</tr>
<tr>
<td class="left">429</td>
<td class="left">if the Event Receiver is sending too many requests in a given amount of time</td>
</tr>
</tbody>
</table>
<p id="rfc.section.7.1.3.1.p.4">The following is a non-normative example request to add a subject to a stream, where the subject is identified by an Email Subject Identifier.</p>
<div id="rfc.figure.26"></div>
<div id="figaddreq"></div>
<pre>
POST /sse/subjects:add HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

{
  "subject": {
    "format": "email",
    "email": "example.user@example.com"
  },
  "verified": true
}
</pre>
<p class="figure">Figure 26: Example: Add Subject Request</p>
<p id="rfc.section.7.1.3.1.p.5">The following is a non-normative example response to a successful request:</p>
<div id="rfc.figure.27"></div>
<div id="figaddresp"></div>
<pre>
HTTP/1.1 200 OK
Server: transmitter.example.com
Cache-Control: no-store
Pragma: no-cache
</pre>
<p class="figure">Figure 27: Example: Add Subject Response</p>
<h1 id="rfc.section.7.1.3.2">
<a href="#rfc.section.7.1.3.2">7.1.3.2.</a> <a href="#removing-a-subject" id="removing-a-subject">Removing a Subject</a>
</h1>
<p id="rfc.section.7.1.3.2.p.1">To remove a subject from an Event Stream, the Event Receiver makes an HTTP POST request to the Remove Subject Endpoint, containing in the body a JSON object with the following claims:</p>

<dl>
<dt>subject</dt>
<dd style="margin-left: 8">
<br> REQUIRED. A Subject claim identifying the subject to be removed.</dd>
</dl>
<p id="rfc.section.7.1.3.2.p.2">On a successful response, the Event Transmitter responds with a <samp>204 No Content</samp> response.</p>
<p id="rfc.section.7.1.3.2.p.3">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.7"></div>
<div id="tabremoveerr"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Remove Subject Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">400</td>
<td class="left">if the request body cannot be parsed or if the request is otherwise invalid</td>
</tr>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">403</td>
<td class="left">if the Event Receiver is not allowed to remove this particular subject, or not allowed to remove in general</td>
</tr>
<tr>
<td class="left">404</td>
<td class="left">if the subject is not recognized by the Event Transmitter, the Event Transmitter may chose to stay silent in this case and respond with <samp>204</samp>
</td>
</tr>
<tr>
<td class="left">429</td>
<td class="left">if the Event Receiver is sending too many requests in a given amount of time</td>
</tr>
</tbody>
</table>
<p id="rfc.section.7.1.3.2.p.4">The following is a non-normative example request where the subject is identified by a Phone Number Subject Identifier:</p>
<div id="rfc.figure.28"></div>
<div id="figremovereq"></div>
<pre>
POST /sse/subjects:remove HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=

{
  "subject": {
    "format": "phone",
    "phone_number": "+1 206 555 0123"
  }
}
</pre>
<p class="figure">Figure 28: Example: Remove Subject Request</p>
<p id="rfc.section.7.1.3.2.p.5">The following is a non-normative example response to a successful request:</p>
<div id="rfc.figure.29"></div>
<div id="figremoveresp"></div>
<pre>
HTTP/1.1 204 No Content
Server: transmitter.example.com
Cache-Control: no-store
Pragma: no-cache
</pre>
<p class="figure">Figure 29: Example: Remove Subject Response</p>
<h1 id="rfc.section.7.1.4">
<a href="#rfc.section.7.1.4">7.1.4.</a> <a href="#verification" id="verification">Verification</a>
</h1>
<p id="rfc.section.7.1.4.p.1">In some cases, the frequency of event transmission on an Event Stream will be very low, making it difficult for an Event Receiver to tell the difference between expected behavior and event transmission failure due to a misconfigured stream. Event Receivers can request that a verification event be transmitted over the Event Stream, allowing the receiver to confirm that the stream is configured correctly upon successful receipt of the event. The acknowledgment of a Verification Event also confirms to the Event Transmitter that end-to-end delivery is working, including signature verification and encryption.</p>
<p id="rfc.section.7.1.4.p.2">An Event Transmitter MAY send a Verification Event at any time, even if one was not requested by the Event Receiver.</p>
<h1 id="rfc.section.7.1.4.1">
<a href="#rfc.section.7.1.4.1">7.1.4.1.</a> <a href="#verification-event" id="verification-event">Verification Event</a>
</h1>
<p id="rfc.section.7.1.4.1.p.1">The Verification Event is a standard SET with the following attributes:</p>
<p></p>

<dl>
<dt>event type</dt>
<dd style="margin-left: 8">
<br> The Event Type URI is: <samp>https://schemas.openid.net/secevent/sse/event-type/verification</samp>.</dd>
<dt>state</dt>
<dd style="margin-left: 8">
<br> OPTIONAL An opaque value provided by the Event Receiver when the event is triggered. This is a nested attribute in the event payload.</dd>
</dl>
<p id="rfc.section.7.1.4.1.p.3">Upon receiving a Verification Event, the Event Receiver SHALL parse the SET and validate its claims. In particular, the Event Receiver SHALL confirm that the value for <samp>state</samp> is as expected. If the value of <samp>state</samp> does not match, an error response of <samp>setData</samp> SHOULD be returned (see Section 2.3 of <a href="#DELIVERYPUSH" class="xref">[DELIVERYPUSH]</a> or <a href="#DELIVERYPOLL" class="xref">[DELIVERYPOLL]</a>).</p>
<p id="rfc.section.7.1.4.1.p.4">In many cases, Event Transmitters MAY disable or suspend an Event Stream that fails to successfully verify based on the acknowledgement or lack of acknowledgement by the Event Receiver.</p>
<h1 id="rfc.section.7.1.4.2">
<a href="#rfc.section.7.1.4.2">7.1.4.2.</a> <a href="#triggering-a-verification-event" id="triggering-a-verification-event">Triggering a Verification Event.</a>
</h1>
<p id="rfc.section.7.1.4.2.p.1">To request that a verification event be sent over an Event Stream, the Event Receiver makes an HTTP POST request to the Verification Endpoint, with a <a href="#RFC7159" class="xref">JSON</a> object containing the parameters of the verification request, if any. On a successful request, the event transmitter responds with an empty <samp>204 No Content</samp> response.</p>
<p id="rfc.section.7.1.4.2.p.2">Verification requests have the following properties:</p>
<p></p>

<dl>
<dt>state</dt>
<dd style="margin-left: 8">
<br> OPTIONAL. An arbitrary string that the Event Transmitter MUST echo back to the Event Receiver in the verification event&#8217;s payload. Event Receivers MAY use the value of this parameter to correlate a verification event with a verification request. If the verification event is initiated by the transmitter then this parameter MUST not be set.</dd>
</dl>
<p id="rfc.section.7.1.4.2.p.4">A successful response from a POST to the Verification Endpoint does not indicate that the verification event was transmitted successfully, only that the Event Transmitter has transmitted the event or will do so at some point in the future.  Event Transmitters MAY transmit the event via an asynchronous process, and SHOULD publish an SLA for verification event transmission times. Event Receivers MUST NOT depend on the verification event being transmitted synchronously or in any particular order relative to the current queue of events.</p>
<p id="rfc.section.7.1.4.2.p.5">Errors are signaled with HTTP status codes as follows:</p>
<div id="rfc.table.8"></div>
<div id="taberifyerr"></div>
<table cellpadding="3" cellspacing="0" class="tt full center">
<caption>Verification Errors</caption>
<thead><tr>
<th class="left">Code</th>
<th class="left">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="left">400</td>
<td class="left">if the request body cannot be parsed or if the request is otherwise invalid</td>
</tr>
<tr>
<td class="left">401</td>
<td class="left">if authorization failed or it is missing</td>
</tr>
<tr>
<td class="left">429</td>
<td class="left">if the Event Receiver is sending too many requests in a given amount of time; see related <samp>min_verification_interval</samp> in <a href="#stream-config" class="xref">Section 7.1.2</a>
</td>
</tr>
</tbody>
</table>
<p id="rfc.section.7.1.4.2.p.6">The following is a non-normative example request to trigger a verification event:</p>
<div id="rfc.figure.30"></div>
<div id="figverifyreq"></div>
<pre>
POST /sse/verify HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=
Content-Type: application/json; charset=UTF-8

{
  "state": "VGhpcyBpcyBhbiBleGFtcGxlIHN0YXRlIHZhbHVlLgo="
}
</pre>
<p class="figure">Figure 30: Example: Trigger Verification Request</p>
<p id="rfc.section.7.1.4.2.p.7">The following is a non-normative example response to a successful request:</p>
<div id="rfc.figure.31"></div>
<div id="figverifyresp"></div>
<pre>
HTTP/1.1 204 No Content
Server: transmitter.example.com
Cache-Control: no-store
Pragma: no-cache
</pre>
<p class="figure">Figure 31: Example: Trigger Verification Response</p>
<p id="rfc.section.7.1.4.2.p.8">And the following is a non-normative example of a verification event sent to the Event Receiver as a result of the above request:</p>
<div id="rfc.figure.32"></div>
<div id="figverifyset"></div>
<pre>
{
  "jti": "123456",
  "iss": "https://transmitter.example.com",
  "aud": "receiver.example.com",
  "iat": 1493856000,
  "events": {
    "https://schemas.openid.net/secevent/sse/event-type/verification":{
      "state": "VGhpcyBpcyBhbiBleGFtcGxlIHN0YXRlIHZhbHVlLgo="
    }
  }
}
</pre>
<p class="figure">Figure 32: Example: Verification SET</p>
<h1 id="rfc.section.7.1.5">
<a href="#rfc.section.7.1.5">7.1.5.</a> <a href="#stream-updated-event" id="stream-updated-event">Stream Updated Event</a>
</h1>
<p id="rfc.section.7.1.5.p.1">A Transmitter MAY change the stream status in reference to one or more Subjects without a request from a Receiver. The Transmitter sends an event of type <samp>https://schemas.openid.net/secevent/sse/event-type/stream-updated</samp> to indicate that it has changed the status of the Event Stream for a specific Subject.</p>
<p id="rfc.section.7.1.5.p.2">If a Transmitter decides to change the status of an Event Stream from <samp>enabled</samp> to either <samp>paused</samp> or <samp>disabled</samp>, then the Transmitter MUST send this event to any Receiver that is currently <samp>enabled</samp> to receive events for the specified Subject.</p>
<p id="rfc.section.7.1.5.p.3">If the Transmitter changes the status of the stream for a Subject from either <samp>paused</samp> or <samp>disabled</samp> to <samp>enabled</samp>, then it MUST send this event to any Receiver that has previously been enabled to receive events for the specified Subject.</p>
<p id="rfc.section.7.1.5.p.4">The <samp>stream-updated</samp> event MAY contain the following claims: </p>

<dl>
<dt>status</dt>
<dd style="margin-left: 8">
<br>REQUIRED. Defines the new status of the stream for the Subject Identifier specified in the Subject.</dd>
<dt>reason</dt>
<dd style="margin-left: 8">
<br>OPTIONAL. Provides a short description of why the Transmitter has updated the status.</dd>
<dt>subject</dt>
<dd style="margin-left: 8">OPTIONAL. Specifies the Subject Principal for whom the status has been updated.</dd>
</dl>

<p> </p>
<div id="rfc.figure.33"></div>
<div id="figstreamupdatedset"></div>
<pre>
{
  "jti": "123456",
  "iss": "https://transmitter.example.com",
  "aud": "receiver.example.com",
  "iat": 1493856000,
  "events": {
    "https://schemas.openid.net/secevent/sse/event-type/stream-updated": {
      "subject": {
        "tenant" : {
          "format": "iss_sub",
          "iss" : "http://example.com/idp1",
          "sub" : "1234"
        }
      },
      "status": "paused",
      "reason": "License is not valid"
    },
  }
}
          </pre>
<p class="figure">Figure 33: Example: Stream Updated SET</p>
<h1 id="rfc.section.8">
<a href="#rfc.section.8">8.</a> <a href="#management-api-auth" id="management-api-auth">Authorization</a>
</h1>
<p id="rfc.section.8.p.1">HTTP API calls from a Receiver to a Transmitter SHOULD be authorized by providing an OAuth 2.0 Access Token as defined by <a href="#RFC6750" class="xref">[RFC6750]</a>.</p>
<p id="rfc.section.8.p.2">The receiver may obtain an access token using the <a href="#CLIENTCRED" class="xref">Client Credential Grant</a>, or any other method suitable for the Receiver and the Transmitter.</p>
<h1 id="rfc.section.9">
<a href="#rfc.section.9">9.</a> <a href="#management-sec" id="management-sec">Security Considerations</a>
</h1>
<h1 id="rfc.section.9.1">
<a href="#rfc.section.9.1">9.1.</a> <a href="#management-sec-subject-probing" id="management-sec-subject-probing">Subject Probing</a>
</h1>
<p id="rfc.section.9.1.p.1">It may be possible for an Event Transmitter to leak information about subjects through their responses to add subject requests. A <samp>404</samp> response may indicate to the Event Receiver that the subject does not exist, which may inadvertently reveal information about the subject (e.g. that a particular individual does or does not use the Event Transmitter&#8217;s service).</p>
<p id="rfc.section.9.1.p.2">Event Transmitters SHOULD carefully evaluate the conditions under which they will return error responses to add subject requests. Event Transmitters MAY return a <samp>204</samp> response even if they will not actually send any events related to the subject, and Event Receivers MUST NOT assume that a 204 response means that they will receive events related to the subject.</p>
<h1 id="rfc.section.9.2">
<a href="#rfc.section.9.2">9.2.</a> <a href="#management-sec-information-harvesting" id="management-sec-information-harvesting">Information Harvesting</a>
</h1>
<p id="rfc.section.9.2.p.1">SETs may contain personally identifiable information (PII) or other non-public information about the event transmitter, the subject (of an event in the SET), or the relationship between the two. It is important for Event Transmitters to understand what information they are revealing to Event Receivers when transmitting events to them, lest the event stream become a vector for unauthorized access to private information.</p>
<p id="rfc.section.9.2.p.2">Event Transmitters SHOULD interpret add subject requests as statements of interest in a subject by an Event Receiver, and ARE NOT obligated to transmit events related to every subject an Event Receiver adds to the stream. Event Transmitters MAY choose to transmit some, all, or no events related to any given subject and SHOULD validate that they are permitted to share the information contained within an event with the Event Receiver before transmitting the event. The mechanisms by which such validation is performed are outside the scope of this specification.</p>
<h1 id="rfc.section.9.3">
<a href="#rfc.section.9.3">9.3.</a> <a href="#management-sec-malicious-subject-removal" id="management-sec-malicious-subject-removal">Malicious Subject Removal</a>
</h1>
<p id="rfc.section.9.3.p.1">A malicious party may find it advantageous to remove a particular subject from a stream, in order to reduce the Event Receiver&#8217;s ability to detect malicious activity related to the subject, inconvenience the subject, or for other reasons. Consequently it may be in the best interests of the subject for the Event Transmitter to continue to send events related to the subject for some time after the subject has been removed from a stream.</p>
<p id="rfc.section.9.3.p.2">Event Transmitters MAY continue sending events related to a subject for some amount of time after that subject has been removed from the stream. Event Receivers MUST tolerate receiving events for subjects that have been removed from the stream, and MUST NOT report these events as errors to the Event Transmitter.</p>
<h1 id="rfc.section.10">
<a href="#rfc.section.10">10.</a> <a href="#privacy-considerations" id="privacy-considerations">Privacy Considerations</a>
</h1>
<h1 id="rfc.section.10.1">
<a href="#rfc.section.10.1">10.1.</a> <a href="#sub-info-leakage" id="sub-info-leakage">Subject Information Leakage</a>
</h1>
<p id="rfc.section.10.1.p.1">Event issuers and recipients SHOULD take precautions to ensure that they do not leak information about subjects via Subject Identifiers, and choose appropriate Subject Identifier Types accordingly. Parties SHOULD NOT identify a subject using a given Subject Identifier Type if doing so will allow the recipient to correlate different claims about the subject that they are not known to already have knowledge of. Transmitters and Receivers SHOULD always use the same Subject Identifier Type and the same claim values to identify a given subject when communicating with a given party in order to reduce the possibility of information leakage.</p>
<h1 id="rfc.section.10.2">
<a href="#rfc.section.10.2">10.2.</a> <a href="#previously-consented-data" id="previously-consented-data">Previously Consented Data</a>
</h1>
<p id="rfc.section.10.2.p.1">If SSE events contain new values for attributes of Subject Principals that were previously exchanged between the Transmitter and Receiver, then there are no additional privacy considerations introduced by providing the updated values in the SSE events, unless the attribute was exchanged under a one-time consent obtained from the user.</p>
<h1 id="rfc.section.10.3">
<a href="#rfc.section.10.3">10.3.</a> <a href="#new-data" id="new-data">New Data</a>
</h1>
<p id="rfc.section.10.3.p.1">Data that was not previously exchanged between the Transmitter and the Receiver, or data whose consent to exchange has expired has the following considerations:</p>
<h1 id="rfc.section.10.3.1">
<a href="#rfc.section.10.3.1">10.3.1.</a> <a href="#organizational-data" id="organizational-data">Organizational Data</a>
</h1>
<p id="rfc.section.10.3.1.p.1">If a user has previously agreed with a Transmitter that they agree to release certain data to third-parties, then the Transmitter MAY send such data in SSE events without additional consent of the user. Such data MAY include organizational data about the Subject Principal that was generated by the Transmitter.</p>
<h1 id="rfc.section.10.3.2">
<a href="#rfc.section.10.3.2">10.3.2.</a> <a href="#consentable-data" id="consentable-data">Consentable Data</a>
</h1>
<p id="rfc.section.10.3.2.p.1">If a Transmitter intends to include data in SSE events that is not previously consented to be released by the user, then the Transmitter MUST obtain consent to release such data from the user in accordance with the Transmitter's privacy policy.</p>
<h1 id="rfc.section.11">
<a href="#rfc.section.11">11.</a> <a href="#profiles" id="profiles">Profiles</a>
</h1>
<p id="rfc.section.11.p.1">This section is a profile of the following IETF SecEvent specifications:</p>

<ul>
<li><a href="#SET" class="xref">"Security Event Token (SET)"</a></li>
<li><a href="#DELIVERYPUSH" class="xref">Push-Based SET Token Delivery Using HTTP</a></li>
<li><a href="#DELIVERYPOLL" class="xref">Poll-Based SET Token Delivery Using HTTP</a></li>
</ul>
<p id="rfc.section.11.p.2">The RISC use cases that set the requirements are described in <a href="#USECASES" class="xref">Security Events RISC Use Cases</a>.</p>
<p id="rfc.section.11.p.3">The CAEP use cases that set the requirements are described in CAEP Use Cases (TODO: Add reference when file is added to repository.)</p>
<h1 id="rfc.section.11.1">
<a href="#rfc.section.11.1">11.1.</a> <a href="#set-profle" id="set-profle">Security Event Token Profile</a>
</h1>
<p id="rfc.section.11.1.p.1">This section provides SSE profiling specifications for the <a href="#SET" class="xref">"Security Event Token (SET)"</a> spec.</p>
<h1 id="rfc.section.11.1.1">
<a href="#rfc.section.11.1.1">11.1.1.</a> <a href="#signature-key-resolution" id="signature-key-resolution">Signature Key Resolution</a>
</h1>
<p id="rfc.section.11.1.1.p.1">The signature key can be obtained through <samp>jwks_uri</samp>, see <a href="#discovery" class="xref">Section 6</a>.</p>
<h1 id="rfc.section.11.1.2">
<a href="#rfc.section.11.1.2">11.1.2.</a> <a href="#event-subjects" id="event-subjects">SSE Event Subject</a>
</h1>
<p id="rfc.section.11.1.2.p.1">The subject of a SSE event is identified by the <samp>subject</samp> claim within the event payload, whose value is a Subject Identifier. The <samp>subject</samp> claim is REQUIRED for all SSE events. The JWT <samp>sub</samp> claim MUST NOT be present in any SET containing a SSE event.</p>
<h1 id="rfc.section.11.1.3">
<a href="#rfc.section.11.1.3">11.1.3.</a> <a href="#event-properties" id="event-properties">SSE Event Properties</a>
</h1>
<p id="rfc.section.11.1.3.p.1">The SSE event MAY contain additional claims within the event payload that are specific to the event type.</p>
<div id="rfc.figure.34"></div>
<div id="risc-event-subject-example"></div>
<pre>
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1520364019,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/account-\
disabled": {
      "subject": {
        "format": "phone",
        "phone_number": "+1 206 555 0123"
      },
      "reason": "hijacking",
      "cause-time": 1508012752
    }
  }
}
              </pre>
<p class="figure">Figure 34: Example: SET Containing a RISC Event with a Phone Number Subject</p>
<div id="rfc.figure.35"></div>
<div id="caep-event-properties-example"></div>
<pre>
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1520364019,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/token-claims-changed": {
      "subject": {
        "format": "email",
        "email": "user@example.com"
      },
      "token": "some-token-value",
    }
  }
}
              </pre>
<p class="figure">Figure 35: Example: SET Containing a CAEP Event with Properties</p>
<h1 id="rfc.section.11.1.4">
<a href="#rfc.section.11.1.4">11.1.4.</a> <a href="#explicit-typing" id="explicit-typing">Explicit Typing of SETs</a>
</h1>
<p id="rfc.section.11.1.4.p.1">SSE events MUST use explicit typing as defined in Section 2.3 of <a href="#SET" class="xref">[SET]</a>.</p>
<div id="rfc.figure.36"></div>
<div id="explicit-type-header"></div>
<pre>
{
  "typ":"secevent+jwt",
  "alg":"HS256"
}
</pre>
<p class="figure">Figure 36: Explicitly Typed JOSE Header</p>
<p id="rfc.section.11.1.4.p.2">The purpose is defense against confusion with other JWTs, as described in Sections 4.5, 4.6 and 4.7 of <a href="#SET" class="xref">[SET]</a>. While current <a href="#IDTOKEN" class="xref">Id Token</a> validators may not be using the <samp>typ</samp> header parameter, by requiring it for SSE SETs a distinct value is guaranteed for future validators.</p>
<h1 id="rfc.section.11.1.5">
<a href="#rfc.section.11.1.5">11.1.5.</a> <a href="#exp-claim" id="exp-claim">The "exp" Claim</a>
</h1>
<p id="rfc.section.11.1.5.p.1">The <samp>exp</samp> claim MUST NOT be used in SSE SETs.</p>
<p id="rfc.section.11.1.5.p.2">The purpose is defense in depth against confusion with other JWTs, as described in Sections 4.5 and 4.6 of <a href="#SET" class="xref">[SET]</a>.</p>
<h1 id="rfc.section.11.1.6">
<a href="#rfc.section.11.1.6">11.1.6.</a> <a href="#aud-claim" id="aud-claim">The "aud" Claim</a>
</h1>
<p id="rfc.section.11.1.6.p.1">The <samp>aud</samp> claim can be a single value or an array. Each value SHOULD be the OAuth 2.0 client ID.  Other values that uniquely identifies the Receiver to the Transmitter MAY be used, if the two parties have agreement on the format.</p>
<p id="rfc.section.11.1.6.p.2">More than one value can be present if the corresponding Receivers are known to the Transmitter to be the same entity, for example a web client and a mobile client of the same application. All the Receivers in this case MUST use the exact same delivery method.</p>
<p id="rfc.section.11.1.6.p.3">If multiple Receivers have the exact same delivery configuration but the Transmitter does not know if they belong to the same entity then the Transmitter SHOULD issue distinct SETs for each Receiver and deliver them separately. In this case the multiple Receivers might use the same service to process SETs, and this service might reroute SETs to respective Receivers, an <samp>aud</samp> claim with multiple Receivers would lead to unintended data disclosure.</p>
<div id="rfc.figure.37"></div>
<div id="figarrayaud"></div>
<pre>
{
  "jti": "123456",
  "iss": "https://transmitter.example.com",
  "aud": ["receiver.example.com/web", "receiver.example.com/mobile"],
  "iat": 1493856000,
  "events": {
    "https://schemas.openid.net/secevent/sse/event-type/verification": {
      "state": "VGhpcyBpcyBhbiBleGFtcGxlIHN0YXRlIHZhbHVlLgo="
    }
  }
}
</pre>
<p class="figure">Figure 37: Example: SET with array 'aud' claim</p>
<h1 id="rfc.section.11.1.7">
<a href="#rfc.section.11.1.7">11.1.7.</a> <a href="#events-claim" id="events-claim">The "events" claim</a>
</h1>
<p id="rfc.section.11.1.7.p.1">The <samp>events</samp> claim SHOULD contain only one event. Multiple event type URIs are permitted only if they are alternative URIs defining the exact same event type.</p>
<h1 id="rfc.section.11.1.8">
<a href="#rfc.section.11.1.8">11.1.8.</a> Security Considerations</h1>
<h1 id="rfc.section.11.1.8.1">
<a href="#rfc.section.11.1.8.1">11.1.8.1.</a> Distinguishing SETs from other Kinds of JWTs</h1>
<p id="rfc.section.11.1.8.1.p.1">Of particular concern is the possibility that SETs are confused for other kinds of JWTs. The Security Considerations section of <a href="#SET" class="xref">[SET]</a> has several sub-sections on this subject. The SSE Framework is asking for further restrictions: </p>

<ul>
<li>The <samp>sub</samp> claim MUST NOT be present, as described in <a href="#event-subjects" class="xref">Section 11.1.2</a>.</li>
<li>SSE SETs MUST use explicit typing, as described in <a href="#explicit-typing" class="xref">Section 11.1.4</a>.</li>
<li>The <samp>exp</samp> claim MUST NOT be present, as described in <a href="#exp-claim" class="xref">Section 11.1.5</a>.</li>
</ul>
<h1 id="rfc.section.11.2">
<a href="#rfc.section.11.2">11.2.</a> <a href="#set-token-delivery-using-http-profile" id="set-token-delivery-using-http-profile">SET Token Delivery Using HTTP Profile</a>
</h1>
<p id="rfc.section.11.2.p.1">This section provides SSE profiling specifications for the <a href="#DELIVERYPUSH" class="xref">[DELIVERYPUSH]</a> and <a href="#DELIVERYPOLL" class="xref">[DELIVERYPOLL]</a> specs.</p>
<h1 id="rfc.section.11.2.1">
<a href="#rfc.section.11.2.1">11.2.1.</a> <a href="#delivery-meta" id="delivery-meta">Stream Configuration Metadata</a>
</h1>
<p id="rfc.section.11.2.1.p.1">Each delivery method is identified by a URI, specified below by the <samp>method</samp> metadata.</p>
<h1 id="rfc.section.11.2.1.1">
<a href="#rfc.section.11.2.1.1">11.2.1.1.</a> Push Delivery using HTTP</h1>
<p id="rfc.section.11.2.1.1.p.1">This section provides SSE profiling specifications for the <a href="#DELIVERYPUSH" class="xref">[DELIVERYPUSH]</a> spec.</p>
<p></p>

<dl>
<dt>method</dt>
<dd style="margin-left: 8"><samp>https://schemas.openid.net/secevent/risc/delivery-method/push</samp></dd>
<dt>endpoint_url</dt>
<dd style="margin-left: 8">The URL where events are pushed through HTTP POST.  This is set by the Receiver.</dd>
<dt>authorization_header</dt>
<dd style="margin-left: 8">The HTTP Authorization header that the Transmitter MUST set with each event delivery, if the configuration is present. The value is optional and it is set by the Receiver.</dd>
</dl>
<h1 id="rfc.section.11.2.1.2">
<a href="#rfc.section.11.2.1.2">11.2.1.2.</a> Polling Delivery using HTTP</h1>
<p id="rfc.section.11.2.1.2.p.1">This section provides SSE profiling specifications for the <a href="#DELIVERYPOLL" class="xref">[DELIVERYPOLL]</a> spec.</p>
<p></p>

<dl>
<dt>method</dt>
<dd style="margin-left: 8"><samp>https://schemas.openid.net/secevent/risc/delivery-method/poll</samp></dd>
<dt>endpoint_url</dt>
<dd style="margin-left: 8">The URL where events can be retrieved from. This is specified by the Transmitter.</dd>
</dl>
<h1 id="rfc.section.12">
<a href="#rfc.section.12">12.</a> <a href="#iana" id="iana">IANA Considerations</a>
</h1>
<p id="rfc.section.12.p.1">Subject Identifiers defined in this document will be added to the "Security Events Subject Identifier Types" registry. This registry is defined in the <a href="#SUBIDS" class="xref">Subject Identifiers for Security Event Tokens</a> specification.</p>
<h1 id="rfc.references">
<a href="#rfc.references">13.</a> References</h1>
<h1 id="rfc.references.1">
<a href="#rfc.references.1">13.1.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="CLIENTCRED">[CLIENTCRED]</b></td>
<td class="top">
<a>Hardt, D.</a>, "<a href="https://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework - Client Credentials Grant</a>", RFC 6749, DOI 10.17487/RFC6749, October 2012.</td>
</tr>
<tr>
<td class="reference"><b id="DELIVERYPOLL">[DELIVERYPOLL]</b></td>
<td class="top">
<a>Backman, A.</a>, <a>Jones, M.</a>, <a>Scurtescu, M.</a>, <a>Ansari, M.</a> and <a>A. Nadalin</a>, "<a href="https://www.rfc-editor.org/info/rfc8936">Poll-Based SET Token Delivery Using HTTP</a>", November 2020.</td>
</tr>
<tr>
<td class="reference"><b id="DELIVERYPUSH">[DELIVERYPUSH]</b></td>
<td class="top">
<a>Backman, A.</a>, <a>Jones, M.</a>, <a>Hunt, P.</a>, <a>Scurtescu, M.</a>, <a>Ansari, M.</a> and <a>A. Nadalin</a>, "<a href="https://www.rfc-editor.org/info/rfc8935">Push-Based SET Token Delivery Using HTTP</a>", November 2020.</td>
</tr>
<tr>
<td class="reference"><b id="IDTOKEN">[IDTOKEN]</b></td>
<td class="top">
<a>Sakimura, N.</a>, <a>Bradley, J.</a>, <a>Jones, M.</a>, <a>de Medeiros, B.</a> and <a>C. Mortimore</a>, "<a href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">OpenID Connect Core 1.0 - ID Token</a>", April 2017.</td>
</tr>
<tr>
<td class="reference"><b id="OASIS.saml-core-2.0-os">[OASIS.saml-core-2.0-os]</b></td>
<td class="top">
<a title="Internet2">Cantor, S.</a>, <a title="Nokia">Kemp, J.</a>, <a title="RSA Security">Philpott, R.</a> and <a title="Sun Microsystems">E. Maler</a>, "<a href="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf">Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a>", March 2005.</td>
</tr>
<tr>
<td class="reference"><b id="OAUTH-DISCOVERY">[OAUTH-DISCOVERY]</b></td>
<td class="top">
<a title="Microsoft">Jones, M.</a>, <a title="Nomura Research Institute, Ltd.">Sakimura, N.</a> and <a title="Ping Identity">J. Bradley</a>, "<a href="https://www.rfc-editor.org/info/rfc8414">OAuth 2.0 Authorization Server Metadata - Version 10</a>", June 2018.</td>
</tr>
<tr>
<td class="reference"><b id="OPENID-DISCOVERY">[OPENID-DISCOVERY]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a>, <a title="Microsoft">Jones, M.</a> and <a title="Illumila">E. Jay</a>, "<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>", November 2014.</td>
</tr>
<tr>
<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
<td class="top">
<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
</tr>
<tr>
<td class="reference"><b id="RFC5785">[RFC5785]</b></td>
<td class="top">
<a>Nottingham, M.</a> and <a>E. Hammer-Lahav</a>, "<a href="https://tools.ietf.org/html/rfc5785">Defining Well-Known Uniform Resource Identifiers (URIs)</a>", RFC 5785, DOI 10.17487/RFC5785, April 2010.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6750">[RFC6750]</b></td>
<td class="top">
<a>Jones, M.</a> and <a>D. Hardt</a>, "<a href="https://tools.ietf.org/html/rfc6750">The OAuth 2.0 Authorization Framework: Bearer Token Usage</a>", RFC 6750, DOI 10.17487/RFC6750, October 2012.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7159">[RFC7159]</b></td>
<td class="top">
<a>Bray, T.</a>, "<a href="https://tools.ietf.org/html/rfc7159">The JavaScript Object Notation (JSON) Data Interchange Format</a>", RFC 7159, DOI 10.17487/RFC7159, March 2014.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7517">[RFC7517]</b></td>
<td class="top">
<a>Jones, M.</a>, "<a href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a>", RFC 7517, DOI 10.17487/RFC7517, May 2015.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7519">[RFC7519]</b></td>
<td class="top">
<a>Jones, M.</a>, <a>Bradley, J.</a> and <a>N. Sakimura</a>, "<a href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>", RFC 7519, DOI 10.17487/RFC7519, May 2015.</td>
</tr>
<tr>
<td class="reference"><b id="RFC8174">[RFC8174]</b></td>
<td class="top">
<a>Leiba, B.</a>, "<a href="https://tools.ietf.org/html/rfc8174">Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</a>", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.</td>
</tr>
<tr>
<td class="reference"><b id="SET">[SET]</b></td>
<td class="top">
<a>Hunt, P.</a>, <a>Jones, M.</a>, <a>Denniss, W.</a> and <a>M. Ansari</a>, "<a href="https://www.rfc-editor.org/info/rfc8417">Security Event Token (SET)</a>", April 2018.</td>
</tr>
<tr>
<td class="reference"><b id="SUBIDS">[SUBIDS]</b></td>
<td class="top">
<a>Backman, A.</a> and <a>M. Scurtescu</a>, "<a href="https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers">Subject Identifiers for Security Event Tokens</a>", May 2021.</td>
</tr>
</tbody></table>
<h1 id="rfc.references.2">
<a href="#rfc.references.2">13.2.</a> Non-Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="CAEP">[CAEP]</b></td>
<td class="top">
<a title="Google">Tulshibagwale, A.</a>, "<a href="https://cloud.google.com/blog/products/identity-security/re-thinking-federated-identity-with-the-continuous-access-evaluation-protocol">Re-thinking Federated Identity with the Continuous Access Evaluation Protocol</a>", February 2019.</td>
</tr>
<tr>
<td class="reference"><b id="MGMTAPI">[MGMTAPI]</b></td>
<td class="top">
<a>Scurtescu, M.</a> and <a>A. Backman</a>, "<a href="https://tools.ietf.org/html/draft-scurtescu-secevent-simple-control-plane">Management API for SET Event Streams</a>", June 2017.</td>
</tr>
<tr>
<td class="reference"><b id="USECASES">[USECASES]</b></td>
<td class="top">
<a>Scurtescu, M.</a>, "<a href="https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases-00">Security Events RISC Use Cases</a>", June 2017.</td>
</tr>
</tbody></table>
<h1 id="rfc.appendix.A">
<a href="#rfc.appendix.A">Appendix A.</a> <a href="#ack" id="ack">Acknowledgements</a>
</h1>
<p id="rfc.section.A.p.1">The authors wish to thank all members of the OpenID Foundation Shared Signals and Events Working Group who contributed to the development of this specification.</p>
<p><a href="#discovery" class="xref">Transmitter Configuration Discovery</a> is based on both <a href="#OPENID-DISCOVERY" class="xref">OpenID Connect Discovery 1.0</a> and <a href="#OAUTH-DISCOVERY" class="xref">OAuth 2.0 Authorization Server Metadata</a>.</p>
<h1 id="rfc.appendix.B">
<a href="#rfc.appendix.B">Appendix B.</a> <a href="#Notices" id="Notices">Notices</a>
</h1>
<p id="rfc.section.B.p.1">Copyright (c) 2021 The OpenID Foundation.</p>
<p id="rfc.section.B.p.2">The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.  </p>
<p id="rfc.section.B.p.3">The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others.  Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights.  The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer.  The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers.  The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.  </p>
<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
<div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Atul Tulshibagwale</span>
	  <span class="n hidden">
		<span class="family-name">Tulshibagwale</span>
	  </span>
	</span>
	<span class="org vcardline">Google</span>
	<span class="adr">

	  <span class="vcardline">
		<span class="locality"></span>
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:atultulshi@google.com">atultulshi@google.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Tim Cappalli</span>
	  <span class="n hidden">
		<span class="family-name">Cappalli</span>
	  </span>
	</span>
	<span class="org vcardline">Microsoft</span>
	<span class="adr">

	  <span class="vcardline">
		<span class="locality"></span>
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:tim.cappalli@microsoft.com">tim.cappalli@microsoft.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Marius Scurtescu</span>
	  <span class="n hidden">
		<span class="family-name">Scurtescu</span>
	  </span>
	</span>
	<span class="org vcardline">Coinbase</span>
	<span class="adr">

	  <span class="vcardline">
		<span class="locality"></span>
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:marius.scurtescu@coinbase.com">marius.scurtescu@coinbase.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Annabelle Backman</span>
	  <span class="n hidden">
		<span class="family-name">Backman</span>
	  </span>
	</span>
	<span class="org vcardline">Amazon</span>
	<span class="adr">

	  <span class="vcardline">
		<span class="locality"></span>
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:richanna@amazon.com">richanna@amazon.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">John Bradley</span>
	  <span class="n hidden">
		<span class="family-name">Bradley</span>
	  </span>
	</span>
	<span class="org vcardline">Yubico</span>
	<span class="adr">

	  <span class="vcardline">
		<span class="locality"></span>
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:secevemt@ve7jtb.com">secevemt@ve7jtb.com</a></span>

  </address>
</div>

</body>
</html>