184.108.40.206.1.3 Processing Details
The steps performed by the AD FS server to respond to an OpenID Provider Configuration request are defined in [OIDCDiscovery] section 4.
The following additional processing steps are expected as a result of the extensions included in this document:
The AD FS server includes additional fields in the OpenID Provider Metadata:
The AD FS server can include an access_token_issuer field in the OpenID Provider Metadata. If provided, the access_token_issuer value MUST be a string that is set to the issuer of any access tokens issued by the AD FS server.
The AD FS server can include a microsoft_multi_refresh_token field in the OpenID Provider Metadata. If provided, the microsoft_multi_refresh_token value is set to true if the server supports multi-resource refresh tokens.
The AD FS server can include a capabilities field in the OpenID Provider Metadata. If the server supports exchanging a primary refresh token for a user authentication certificate ([MS-OAPXBC] section 220.127.116.11.4), it includes the following values in the capabilities field:
"winhello_cert" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_2 or higher).
"winhello_cert_kr" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher). The server can include "winhello_cert_kr" in the capabilities field if it supports the krctx parameter as part of the OAuth token request ([MS-OAPXBC] section 2.2.2).<12>
"kdf_ver2" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher). The server can include "kdf_ver2" in the capabilities field if it supports KDFv2.<13> When this value is present, the client can use the KDFv2 key derivation for deriving the Session Key, as specified in [MS-OAPXBC] section 18.104.22.168.3.3.
See [MS-OAPX] section 22.214.171.124 for the formal definition of AD FS behavior level.
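The following is an added example, not code from [MS-OIDCE] or from AD FS itself, showing how a client might consume the extension fields described above from an OpenID Provider Configuration response: it type-checks access_token_issuer (a string when present), microsoft_multi_refresh_token (a boolean) and capabilities (a list of strings), records capability values it does not recognize, and derives two client-side decisions from them (which Session Key KDF version to use, and whether the krctx parameter may be sent). The sample metadata document, the hostname adfs.example.com, the value "future_cap" and the fallback of comparing an access token's issuer against the issuer field when access_token_issuer is absent are all constructed for the example and are not taken from the specification.

```python
import json
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Capability values named in this section of [MS-OIDCE].
KNOWN_CAPABILITIES = frozenset({"winhello_cert", "winhello_cert_kr", "kdf_ver2"})

# Constructed sample OpenID Provider Metadata for the example (not a real server's output).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "access_token_issuer": "http://adfs.example.com/adfs/services/trust",
    "microsoft_multi_refresh_token": True,
    "capabilities": ["winhello_cert", "winhello_cert_kr", "kdf_ver2", "future_cap"],
})


@dataclass(frozen=True)
class AdfsDiscovery:
    issuer: str
    access_token_issuer: Optional[str]
    multi_resource_refresh_token: bool
    capabilities: FrozenSet[str]
    unknown_capabilities: FrozenSet[str]

    def supports(self, capability: str) -> bool:
        return capability in self.capabilities


def parse_adfs_metadata(document: str) -> AdfsDiscovery:
    """Parse provider metadata and enforce the types this section requires."""
    meta = json.loads(document)

    issuer = meta.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        raise ValueError("issuer is required and must be a non-empty string")

    # access_token_issuer is optional; if present it MUST be a string.
    ati = meta.get("access_token_issuer")
    if ati is not None and not isinstance(ati, str):
        raise ValueError("access_token_issuer MUST be a string when present")

    # microsoft_multi_refresh_token is set to true when MRRTs are supported;
    # the example treats absence as "not supported".
    mrrt = meta.get("microsoft_multi_refresh_token", False)
    if not isinstance(mrrt, bool):
        raise ValueError("microsoft_multi_refresh_token must be a JSON boolean")

    caps = meta.get("capabilities", [])
    if not isinstance(caps, list) or not all(isinstance(c, str) for c in caps):
        raise ValueError("capabilities must be a JSON array of strings")
    cap_set = frozenset(caps)

    return AdfsDiscovery(
        issuer=issuer,
        access_token_issuer=ati,
        multi_resource_refresh_token=mrrt,
        capabilities=cap_set,
        # Unknown values are kept for logging, not treated as an error, so a
        # newer server does not break an older client.
        unknown_capabilities=cap_set - KNOWN_CAPABILITIES,
    )


def access_token_issuer_matches(disc: AdfsDiscovery, token_issuer: str) -> bool:
    """Compare an access token's issuer claim with the advertised value.

    Assumption of this example: when access_token_issuer is absent, fall back
    to the standard issuer field. The comparison is an exact string match."""
    expected = disc.access_token_issuer if disc.access_token_issuer is not None else disc.issuer
    return token_issuer == expected


def session_key_kdf_version(disc: AdfsDiscovery) -> int:
    """Select KDFv2 for Session Key derivation only when the server advertises it."""
    return 2 if disc.supports("kdf_ver2") else 1


def may_send_krctx(disc: AdfsDiscovery) -> bool:
    """The krctx token-request parameter is only used when winhello_cert_kr is advertised."""
    return disc.supports("winhello_cert_kr")


if __name__ == "__main__":
    d = parse_adfs_metadata(SAMPLE_METADATA)
    print("KDF version:", session_key_kdf_version(d))
    print("krctx allowed:", may_send_krctx(d))
    print("unknown capabilities:", sorted(d.unknown_capabilities))
```

Note that the "http" scheme in the sample access_token_issuer mirrors the common AD FS pattern of using the federation service identifier as the token issuer, which is why a client should compare against access_token_issuer rather than assuming it equals the OpenID issuer URL.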