Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possibly Ambiguous Metadata Policy #86

Open
SECtim opened this issue Sep 10, 2024 · 1 comment
Open

Possibly Ambiguous Metadata Policy #86

SECtim opened this issue Sep 10, 2024 · 1 comment

Comments

@SECtim
Copy link
Collaborator

SECtim commented Sep 10, 2024

As far as I can see, the following Federation hierarchy is allowed by the specification:

    TA_____
   /  \    \
 Im1  Im2  OP
   \  /
   Im3
    |
    RP

Furthermore, the specification seems to allow for Im1 and Im2 to define conflicting metadata policies for, say, the openid_relying_party entity type.
For example, Im1 may require token_endpoint_auth_method to be private_key_jwt (i.e., using the value operator). Likewise, Im2 requires the token_endpoint_auth_method to be self_signed_tls_client_auth.

For example, how would RP register at OP in this case (Section 12.2)?

Side note: Whether or not RP accepts this registration (see Section 12.2.2.2 No. 4) now depends on which of the two possible Trust Chains RP uses when checking compliance of the registered metadata with the policy.
Intuitively, the outcome of the compliance check should be deterministic (i.e., disregarding transient issues, an honest OP's registration should always be acceptable to an honest RP).
@selfissued
Copy link
Member

Related to #7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@selfissued @SECtim