3.2.5.3.1.3 Processing Details

The steps performed by the AD FS server to respond to an OpenID Provider Configuration request are defined in [OIDCDiscovery] section 4.

The following additional processing steps are expected as a result of the extensions included in this document:

  • The AD FS server includes additional fields in the OpenID Provider Metadata:

    • The AD FS server can include an access_token_issuer field in the OpenID Provider Metadata. If provided, the access_token_issuer value MUST be a string that is set to the issuer of any access tokens issued by the AD FS server.

    • The AD FS server can include a microsoft_multi_refresh_token field in the OpenID Provider Metadata. If provided, the microsoft_multi_refresh_token value is set to true if the server supports multi-resource refresh tokens.

    • The AD FS server can include a capabilities field in the OpenID Provider Metadata. If the server supports exchanging a primary refresh token for a user authentication certificate ([MS-OAPXBC] section 3.2.5.1.4), it includes the following values in the capabilities field:

      • "winhello_cert" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_2 or higher).

      • "winhello_cert_kr" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher). The server can include "winhello_cert_kr" in the capabilities field if it supports the krctx parameter as part of the OAuth token request ([MS-OAPXBC] section 2.2.2).<12>

      • "kdf_ver2" (AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher). The server can include "kdf_ver2" in the capabilities field if it is supported.<13> The client can use the KDFv2 version for deriving the Session Key, as specified in [MS-OAPXBC] section 3.1.5.1.3.3.

        See [MS-OAPX] section 3.2.1.1 for the formal definition of AD FS behavior level.
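The following Python is an added illustration of how a relying party or client might consume the three extension fields described above; it is not code from this specification or from AD FS. The metadata document is constructed for the example (placeholder hostname and paths), and two behaviours are assumptions rather than statements of this document: that a client falls back to the standard issuer value when access_token_issuer is absent, and that a client uses KDF version 1 when "kdf_ver2" is not advertised.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample OpenID Provider Configuration document (not captured from a
# real AD FS server). The hostname and paths are placeholders; the last three
# members are the AD FS extension fields described in this section.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "access_token_issuer": "http://adfs.example.test/adfs/services/trust",
    "microsoft_multi_refresh_token": True,
    "capabilities": ["winhello_cert", "winhello_cert_kr", "kdf_ver2"],
})

# Capability values this section defines; anything else is reported separately
# so that a client neither trips over nor silently trusts an unknown value.
KNOWN_CAPABILITIES = frozenset({"winhello_cert", "winhello_cert_kr", "kdf_ver2"})


@dataclass(frozen=True)
class AdfsExtensions:
    issuer: str
    access_token_issuer: str | None
    multi_resource_refresh_token: bool
    capabilities: frozenset[str]
    unknown_capabilities: frozenset[str]


def parse_adfs_extensions(document: str) -> AdfsExtensions:
    """Parse the extension fields, enforcing the types this section states.

    Each field is optional; when present it must have the stated type, and a
    wrongly typed value is rejected rather than coerced.
    """
    meta = json.loads(document)
    if not isinstance(meta, dict) or not isinstance(meta.get("issuer"), str):
        raise ValueError("provider metadata must be a JSON object with a string issuer")

    at_issuer = meta.get("access_token_issuer")
    if at_issuer is not None and not isinstance(at_issuer, str):
        raise ValueError("access_token_issuer MUST be a string when present")

    mrrt = meta.get("microsoft_multi_refresh_token", False)
    if not isinstance(mrrt, bool):
        raise ValueError("microsoft_multi_refresh_token must be a JSON boolean")

    caps = meta.get("capabilities", [])
    if not isinstance(caps, list) or not all(isinstance(c, str) for c in caps):
        raise ValueError("capabilities must be a JSON array of strings")
    cap_set = frozenset(caps)

    return AdfsExtensions(
        issuer=meta["issuer"],
        access_token_issuer=at_issuer,
        multi_resource_refresh_token=mrrt,
        capabilities=cap_set & KNOWN_CAPABILITIES,
        unknown_capabilities=cap_set - KNOWN_CAPABILITIES,
    )


def is_valid_metadata(document: str) -> bool:
    """True when the document parses under the rules above, False otherwise."""
    try:
        parse_adfs_extensions(document)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def expected_access_token_issuer(ext: AdfsExtensions) -> str:
    # The value a client should compare against the "iss" claim of access tokens
    # from this server. Assumption (not stated in this section): fall back to the
    # standard "issuer" value when access_token_issuer is absent.
    return ext.access_token_issuer if ext.access_token_issuer is not None else ext.issuer


def supports_winhello_cert(ext: AdfsExtensions) -> bool:
    # Server can exchange a primary refresh token for a user authentication certificate.
    return "winhello_cert" in ext.capabilities


def supports_krctx(ext: AdfsExtensions) -> bool:
    # Server accepts the krctx parameter on the OAuth token request.
    return "winhello_cert_kr" in ext.capabilities


def session_key_kdf_version(ext: AdfsExtensions) -> int:
    # Assumption: a client uses KDF version 1 unless "kdf_ver2" is advertised.
    return 2 if "kdf_ver2" in ext.capabilities else 1


if __name__ == "__main__":
    ext = parse_adfs_extensions(SAMPLE_METADATA)
    print(expected_access_token_issuer(ext), supports_krctx(ext), session_key_kdf_version(ext))
```

A client that mirrors the type checks above fails closed on a malformed document, which matters because an access token whose "iss" claim is compared against the wrong issuer string will simply never validate, and one compared against a missing string could be accepted by a sloppy implementation.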