OpenID Connect Federation 1.0 -
draft 08
independentroland@catalogix.seMicrosoftmbj@microsoft.comhttp://self-issued.info/Uninett ASandreas.solberg@uninett.nohttps://www.linkedin.com/in/andreassolberg/Schibsted Media Groupsamuel.gulliksson@gmail.comYubicove7jtb@ve7jtb.comhttp://www.thread-safe.com/OpenID Connect Working GroupOpenIDConnectFederation
The OpenID Connect standard specifies how a Relying Party (RP)
can discover metadata about an OpenID Provider (OP), and then
register to obtain RP credentials. The discovery and
registration process does not involve any mechanisms of
dynamically establishing trust in the exchanged information, but
instead rely on out-of-band trust establishment.
In an identity federation context, this is not sufficient. The
participants of the federation must be able to trust information
provided about other participants in the federation. OpenID
Connect Federations specifies how trust can be dynamically
obtained by resolving trust from a common trusted third party.
While this specification is primarily targeting OpenID Connect,
it is designed to allow for re-use by other
protocols and in other use cases.
This specification describes how two entities that would like to
interact can dynamically fetch and resolve trust and metadata for a
given protocol through the use of third-party trust issuers. A trust
issuer is an entity whose main purpose is to issue statements
about entities, such as OpenID Connect Relying Parties, OpenID Providers,
and participating organizations.
An identity
federation can be realized using this specification using one or
more levels of trust issuers. This specification does not mandate a
specific way or restrict how a federation may be built. Instead, the
specification provides the basic technical trust infrastructure building
blocks needed to build a dynamic and distributed trust network such as a
federation.
All entities in an OpenID Connect federation MUST have a globally
unique identifier.
Note that a company, as with any real-world organization, may be
represented by more than one entity in a federation.
OpenID Connect Federation trust chains rely on
cryptographically signed JSON Web Token (JWT) documents, and the trust chain does not at
all rely on TLS in order to establish trust.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
This specification uses the terms
"Claim Name", "Claim Value", "JSON Web Token (JWT)",
defined by JSON Web Token (JWT)
and the terms "OpenID Provider (OP)" and "Relying Party (RP)" defined by
OpenID Connect Core 1.0.
This specification also defines the following terms:
Something that has a separate and distinct existence and that can
be identified in a context.
An entity statement is
issued by an entity, which pertains to a subject entity and leaf
entities. An entity statement is always a signed JWT.
An entity that issues
an entity statement that appears somewhere in between those
issued by the trust anchor and the leaf entity in a trust chain.
An entity defined by a certain protocol,
e.g., OpenID Connect Relying Party or Provider.
An entity that represents a trusted third party.
A sequence of entity statements that represents a trusted chain
starting at a leaf entity and ending in a trust anchor.
An entity statement is
issued by an entity and concerns a subject entity and leaf entities
in a federation. An entity statement is always a signed JWT.
All entities in a federation MUST be prepared to publish an entity
statement about themselves.
An entity statement is composed of the following claims:
REQUIRED. The entity identifier of the issuer of
the statement. If the iss and
the sub are identical, the
issuer is making a statement about itself.
REQUIRED. The entity identifier of the subject
REQUIRED. The time the statement was issued.
Its value is a JSON number representing the number of seconds from
1970-01-01T0:0:0Z as measured in UTC until the date/time.
See RFC 3339 for
details regarding date/times in general and UTC in particular.
REQUIRED.
Expiration time on or after which the statement MUST NOT be
accepted for processing. Its value is a JSON number representing
the number of seconds from 1970-01-01T0:0:0Z as measured in UTC
until the date/time.
REQUIRED. A JSON Web Key Set (JWKS)
representing the public part of the subject
entity's signing keys. The corresponding private key is
used by leaf entities to sign entity statements about themselves,
and intermediate entities to sign statements about other entities.
The keys that can be found here are primarily intended to sign
entity statements and should not be used in other protocols.
OPTIONAL.
The entity statement may be specifically created for a entity.
The entity identifier for that entity should appear in this claim.
OPTIONAL. A JSON object where the keys
are the entity IDs of the intermediate entities that may issue an
entity statement about the issuer entity. The value MUST be a
JSON array of entities that are further up in the trust chain.
The array may be an empty list.
The JSON array can be used to simplify the selection of trust
chains without the need for following all possible trust chains.
authority_hints values
may be multiple hops up the chain.
These values will typically be trust anchors.
OPTIONAL. JSON object including protocol
specific metadata claims that represent the entity's metadata.
Each key of the JSON object represents a metadata type
identifier, and each value MUST be a JSON object representing
the metadata according to the metadata schema of that metadata
type. An entity statement may contain multiple
metadata statements, but only one for each metadata type.
OPTIONAL. JSON object that describes
a metadata policy.
Each key of the JSON object represents a metadata type
identifier, and each value MUST be a JSON object representing
the metadata policy according to the metadata schema of that metadata
type. An entity statement may contain multiple
metadata policy statements, but only one for each metadata type.
If the metadata type identifier is
federation_entity, then the policy
MUST be applied to the immediate subordinate in the trust chain
unless that is a leaf entity.
If the metadata type identifier is not
federation_entity, then the policy
MUST be applied to all subordinate nodes of that type in the trust chain.
Only non-leaf entities contain a metadata_policy field.
OPTIONAL.
The crit (critical) entity statement claim
indicates that extensions to entity statement claims defined by this specification
are being used that MUST be understood and processed.
It is used in the same way that crit
is used for extension JWS header parameters that MUST be understood and processed.
Its value is an array listing the entity statement claims
present in the entity statement that use those extensions.
If any of the listed extension entity statement claims are not
understood and supported by the recipient, then the entity statement is invalid.
Producers MUST NOT include entity statement claim names defined by this specification or
names that do not occur as entity statement claim names in the entity statement
in the crit list.
Producers MUST NOT use the empty list []
as the crit value.
OPTIONAL.
The policy_language_crit (critical) entity statement claim
indicates that extensions to the policy language defined by this specification
are being used that MUST be understood and processed.
It is used in the same way that crit
is used for extension JWS header parameters that MUST be understood and processed.
Its value is an array listing the policy language extensions
present in the policy language statements that use those extensions.
If any of the listed extension policy language extensions are not
understood and supported by the recipient, then the entity statement is invalid.
Producers MUST NOT include policy language names defined by this specification or
names that do not occur in policy language statements in the entity statement
in the policy_language_crit list.
Producers MUST NOT use the empty list []
as the policy_language_crit value.
The entity statement is signed using the private key of the issuer
entity, in the form of a JSON Web Signature (JWS).
The following is a non-normative example of an entity statement, before
serialization and adding a signature. The example contains
a critical extension jti (JWT ID) to the
entity statement and one critical extension to the policy language
regexp (Regular expression).
In an OpenID Connect Identity Federation, entities that together build a
trust chain can be categorized as:
An entity that represents a trusted
third party
In an OpenID Connect Identity Federation, an RP or an OP
Neither a leaf nor a trust anchor
A trust chain begins with a leaf entity's self-signed entity
statement, has zero or more entity statements
issued by intermediates about subordinates, and ends with an
entity statement issued by the trust anchor about the top-most
intermediate (if there are intermediates) or the leaf entity
(if there are no intermediates)
and finally a self-signed entity statement about the trust anchor.
A simple example: If we have an RP that belongs to organization A
that is a member of federation F, the trust chain for such a setup
will contain the following entity statements:
A self-signed entity statement about the RP published by the RP
An entity statement about the RP published by Organization A
An entity statement about Organization A published by Federation
F
A self-signed entity statement about Federation F published
by Federation F.
A trust chain MUST always be possible to order such that:
If we name the entity statements ES[0] (the leaf entity's
self-signed entity statement) to ES[i] (the trust anchors
self-signed entity statement), i>0 then:
The iss entity in one entity statement is always the sub
entity in the next.
ES[j]['iss'] == ES[j+1]['sub'], j=0,...,i-1
There MUST always be a signing key carried in the
jwks claim in
ES[j] that can be used to verify the signature of ES[j-1],
j=i,...,1 .
The signing key that MUST be used to verify ES[i] is distributed
from the trust anchors to the leaf entities in
some secure out-of-band's way not described in this document.
This specification does allow new metadata
types to be defined, to support use cases outside OpenID Connect federations.
The metadata type identifier will uniquely identify which metadata
specification to utilize.
The metadata document MUST be a JSON document. Beyond that there is
no restriction.
Metadata used in federations typically re-uses existing metadata standards.
If needed, the metadata schema is extended
with additional properties relevant in a federated context.
For instance, for OpenID Connect Federations, this specification uses
metadata values from
OpenID Connect Discovery 1.0 and
OpenID Connect Dynamic Client Registration 1.0
and adds additional values used for federations.
The metadata type identifier is
openid_relying_party.
All parameters defined in Section 2 of
OpenID Connect Dynamic Client Registration 1.0
are allowed in a metadata statement.
To that list is added:
REQUIRED. String specifying the federation type being used.
Values defined by this specification are
automatic and explicit.
OPTIONAL. A human readable
name representing the organization owning the RP.
The metadata type identifier is
openid_provider.
All parameters defined in Section 3 of
OpenID Connect Discovery 1.0
are applicable.
In addition, the following parameters are defined by this specification:
REQUIRED. Array specifying the federation types supported.
Federation type values defined by this specification are
automatic and explicit.
OPTIONAL. A human readable
name representing the organization owning the OP. It is
intended to be used in the user interface, being recognized by
the end users that would be using the OP to authenticate.
OPTIONAL.
URL of the OP's Federation specific Dynamic Client Registration
Endpoint. If the OP supports explicit client
registration as described in ,
then this claim is REQUIRED.
The metadata type identifier is
oauth_authorization_server.
All parameters defined in Section 2 of
RFC 8414
are applicable.
The metadata type identifier is
oauth_client.
All parameters defined in Section 2 of
RFC 7591
The metadata type identifier is
oauth_resource.
The metadata type identifier is
federation_entity.
Intermediates in a trust chain are of this type.
Note that the information carried here is not bound to any
specific protocol but of a general nature.
The following properties are allowed:
OPTIONAL. String. The human readable name
describing the subject entity. This may be, for example, the
name of an organization.
OPTIONAL. JSON array with one or more
strings. Contact persons at the entity.
These may contain names, e-mail addresses, descriptions, phone numbers, etc.
OPTIONAL. URL to documentation of
conditions and policies relevant to this entity.
OPTIONAL. URL to a generic home page
representing this entity.
The metadata for a specific entity can be constructed by starting
with the information in leaf entity's entity statement and then
applying the polices defined by the trust anchor and possible
intermediates starting with the trust anchor.
Policies are expressed using a JSON object.
The following keywords represent different
actions/checks that MUST be applied to the metadata.
The resulting value of the claim will be the intersection of the
values specified here and the values of the claim. For
instance, the claim policy:
if applied to a metadata statement with:
will update the claim in the metadata statement to be:
The value of the claim MUST be one of the ones listed here.
As an example, if the claim policy:
is applied to the metadata statement
the resulting claim statement will be:
Adds the value or values specified to the list of values for the
metadata statement claim.
If the specified value is already present in the list,
this operation has no effect.
As an example, if the claim policy:
is applied to the following claim in the metadata statement:
the end result will be the claim:
Disregarding what value the claim had,
if any, the claims value will be set to what is specified here.
As an example, if the claim policy:
is applied to a metadata statement with no such claim
the result will be that the metadata statement after applying the
policy contains the claim:
If no value is assigned to this claim, then the claim's value
will be set to what is specified here.
As an example, if the claim policy:
is applied to a metadata statement with the claim
then the metadata statement will afterwards contain:
if on the other hand the metadata statement did not contain a
require_auth_time claim then the
following claim statement would be added to the metadata
statement:
If 'true' then claim MUST have a value. essential can be
combined with all the other types.
The upshot of applying this policy to a metadata statement
is that the metadata statement MUST contain such a claim
otherwise the metadata statement is incorrect.
Some policy types can be combined with others.
Can be combined with one_of and
subset_of.
Can be combined with all the others. If
essential is not present that is
the same as stating essential=true.
If there is more than one metadata policy in a trust chain, then
the policies MUST be combined before they are applied to the
metadata statement.
Using the notation we have previously defined metadata policies
are combined starting with ES[i] and then adding the policies from
ES[j] j=i-1,..,1 before applying the combined policy to the entity's
metadata
These are the policy types that can be combined when combining 2
policies:
The result of combining 2 subset_of policies is the intersection of
the values.
The result of combining 2 one_of policies is the intersection of
the values.
The result of combining 2 add policies is the union of the
values.
All the other policy types can NOT be combined. Which means that
whatever a superior specifies are what goes.
A federations policy for RPs:
An organization's policy for RPs:
The combined metadata policy then becomes:
If after combining a default value for a claim policy,
the result is not a
subset of a subset_of policy or a
one_of defined for that claim, then an
error MUST be raised and the trust chain NOT used.
If applying a policy to a metadata statement results in some claims
having all their values removed and it is essential that a
claim has a value, then such a metadata statement MUST
be regarded as broken and MUST NOT be used.
There might be parties that wants to extend the policy language
defined here. If that happens then the rule is that if
software compliant with this specification
encounters a keyword it doesn't understand it MUST ignore it
unless it is listed in a policy_language_crit list,
as is done for JWS header parameters with the crit parameter.
If the policy language extension keyword
is listed in the policy_language_crit list
and not understood, then the metadata MUST be rejected.
The following is a non-normative example of a set of policies being
applied to an RP's metadata.
The RP's metadata:
The federations policy for RPs:
The organization's policy for RPs:
The metadata for the entity in question after applying the policies
above, would then become:
All entities that are expected
to publish entity statements about themselves or other entities, MUST
expose a Federation API endpoint.
The federation API endpoint of an entity is resolved from the entity
identifier. The Federation API endpoint is found using the
Well-Known URIs specification, with the suffix
openid-federation. The scheme, host and port
is taken directly from the entity identifier combined with the following
path: /.well-known/openid-federation.
If the entity identifier contains a path, it is concatenated after
/.well-known/openid-federation in the same manner
that path components are concatenated to the well-known identifier in
the OAuth 2.0 Authorization Server Metadata specification.
Of course, in real multi-tenant deployments, in which the entity ID might be of the form
https://multi-teanant-service.example.com/my-tenant-identifier
the tenant is very likely to not have control over the path
https://multi-teanant-service.example.com/.well-known/openid-federation/my-tenant-identifier
whereas it is very likely to have control over the path
https://multi-teanant-service.example.com/my-tenant-identifier/.well-known/openid-federation.
Therefore, if using the Federation API at the URL with the tenant path after the well-known part fails,
it is RECOMMENDED that callers retry at the URL with the tenant path before the well-known part
(even though this violates ).
The Federation API is an HTTPS API that may support multiple
operations. Fetching entity statements is one of the operations, and the
only one
that all Federation API endpoints are REQUIRED to support. All the
other operations are OPTIONAL. The list of defined operations may be
extended in a future.
While all operations in the specification make use of a GET request,
other operations may choose to use other HTTP methods. If the
operation
parameter is left out, it is treated as a
fetch entity statements request. Unless otherwise mentioned or agreed
upon, requests to the federation API does not need to be
authenticated.
Fetching entity statement is used to collect entity statements
one by one in order to gather trust chains.
In order to fetch an entity statement, an entity needs to know the
identifier of the entity to ask (the issuer), and the identifier of
the entity that you want the statement to be about (the subject).
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
OPTIONAL. If not present, MUST be treated as
fetch.
REQUIRED. The entity identifier of the issuer
from which you want an entity statement issued. Because of the
normalization of the URL, multiple issuers may resolve to a
shared federation API. This parameter makes it explicit exactly
which issuer we want entity statements from.
OPTIONAL. The entity identifier of the subject
for which you would like an entity statement issued. If this
parameter is left out, it is considered to be the same as the
issuer and would indicate a request for a self-issued
statement.
OPTIONAL. The entity identifier of the
requester. The issuing entity may choose to include this
parameter to form the entity statement specifically for this
target, in which the aud claim also
SHOULD be present in the entity statement self.
The following is a non-normative example of an API
request for an entity statement:
A positive response is a signed entity statement where
the content type MUST be set to application/jose.
If it is negative response it will be a JSON object and the
content type MUST be set to
application/json.
See more about error responses in .
The following is a non-normative example of a response:
(the signed JWT is truncated)
An entity may use the trust negotiation operation in order to fetch
resolved metadata about itself as seen/trusted by a remote peer.
The result may, for instance, tell an RP what operations, scopes and
claims an OP would allow the RP to use if a specific trust anchor
was used.
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
REQUIRED. MUST be set to resolve_metadata.
REQUIRED. The entity identifier of the
entity whose metadata are requested. Because of the
normalization of the URL, multiple entity identifiers may
resolve to a shared federation API. This parameter makes it
explicit exactly which entity is expected.
REQUIRED. The entity identifier of the entity
the information is requested for. This must be a leaf entity.
REQUIRED. The metadata type to resolve.
In this document, we use the metadata types listed in
.
REQUIRED. The trust anchor the remote peer
MUST use when resolving the metadata.
The following is a non-normative example of an API
request for trust negotiation:
The response is a metadata statement that is the result of
applying the metadata polices in the trust chain on the entity's
metadata.
The following is a non-normative example of a response:
An entity may query another entity for a list of all the
entities immediately subordinate to that entity
that that entity is prepared to issue statements about.
(In some cases, this may be a very large list.)
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
REQUIRED. MUST be set to
listing.
REQUIRED. The entity identifier of the entity
from which an entity listing is requested. Because of the
normalization of the URL, multiple entity identifiers may
resolve to a shared federation API. This parameter makes it
explicit exactly which entity is expected.
OPTIONAL. If left out, result should
include both leaf entities and intermediate nodes. If set to
true,
the response should contain only leaf entities. If set to
false, the
response should contain only intermediate nodes.
The following is a non-normative example of an API
request for trust negotiation:
The response MUST contain an JSON list with the known entity
identifiers.
The following is a non-normative example of a response:
If the request was malformed, or some error occurred during
processing of the request, the following standardized error format
should be used regardless of the operation specified.
The HTTP response code MUST be something in 400/500-range, giving an
indication of the type of error. The response body MUST be a JSON
object containing the claims below and the content type MUST
be set to application/json.
REQUIRED. The operation of the request.
REQUIRED. The error code.
REQUIRED. A human readable short
text describing the error.
The following is a non-normative example of an error response:
An entity (e.g., the Consumer) that wants to establish trust with a
remote
peer, must have the remote peer's entity identifier and a list of
entity IDs of trusted trust anchors together with the public version
of their signing keys. The Consumer will first have to fetch
sufficient entity statements to establish at least one chain of trust
from the remote peer to one or more of the configured trust anchors.
After that the entity MUST validate the trust chains independently,
and -- if there are multiple valid trust chains and if the
application demands it -- choose one.
Depending on the circumstances, the Consumer may either be
handed the remote peer's self-issued entity statement, or it may
have to fetch it by itself. If it needs to fetch it, it will use the
process described in
with both iss and sub set to the entity ID
of the remote peer.
The next step is to iterate through the list of
intermediates listed in
authority_hints, ignoring the authority
hints that end in an unknown trust anchor, requesting an entity
statement about the remote peer from each of the intermediates.
If the received entity statement contains an authority hint this
process is repeated. This time with the iss set to the
intermediates entity ID and the sub to be the iss of the previous
query.
The Consumer should never attempt to fetch
entity statements it already has fetched during this
process (loop prevention).
Once the Consumer has found a trust anchor it wants to use it MUST
complete the trust chain by fetching the trust anchor's self-signed
entity statement.
A successful operation will return one or more lists of
entity statements. Each of the lists terminating in a self-signed
entity statement issued by a trust anchor.
If there is no path from the remote peer to at least one of the
trusted trust anchors, then the list will be empty and there is no
way of establishing trust in the remote peer's information. How the
Consumer deals with this is out of scope for this specification.
As described in ,
a trust chain consists of an ordered list of entity
statements. So whichever way the Consumer has acquired the set of
entity statements, it must now verify that it is a proper trust chain
using the rules laid out in that section.
To validate the chain, the following must be done:
For each entity statement ES[j] j=i,..,0:
Verify that the statement contains all the required claims.
Verify that iat has a value in the past
Verify that exp has a value that is in the future.
For j=0,i verify that iss == sub.
For j=1,...,i-1: Verify that ES[j]['iss'] == ES[j+1]['sub']
For j=0,...,i-1: Verify the signature of ES[j] using the public
key carried in ES[j+1]['jwks'].
For j == i: verify the signature with the configured public
key of the trust anchor.
Verifying the signature is a much more expensive
operation then verifying the correctness of the statement and the
timestamps. An implementer MAY therefor chose to not verify the
signature until all the other checks have been done.
No information in the chain of statements should be used
before the signature chain has been validated.
If multiple valid trust chains are found, the Consumer will
need to decide on which one to use.
One simple rule would be to prefer a shorter chain over a longer
one.
Each entity statement in a trust chain is signed and MUST have a
expiration time (exp) set. The expiration time of the whole trust
chain is set to the minimum value of exp within the chain.
This specification allows for a smooth process of updating metadata
and public keys.
As described above in ,
each trust chain has an expiration time.
A consumer of metadata using this specification MUST support
refreshing a trust chain when it expires.
How often a consumer SHOULD re-evaluate the trust chain depends on
how quickly the consumer wants to find out that something has changed
in the trust chain.
If a leaf entity publishes its public keys in the metadata part
using jwks, setting an expiration time on the self-signed entity
statement can be used to control how often the remote party is
fetching an updated version of the public key.
If a leaf entity uses jwks_uri, the remote party will in the normal
OpenID Connect way fetch the keys anew from the jwks_uri URI when it
discovers that the entity uses a key it has never seen before.
A trust anchor must publish a self-signed entity statement about
itself. As described above in ,
it should be at the end of the trust chain.
The trust anchor SHOULD set a reasonable expiration
time on that statement, such that the consumers will re-fetch the
entity statement at reasonable intervals. If the trust root wants to
roll over its signing keys it would have to:
Add the new keys to the jwks representing the trust
anchors signing keys.
Keep signing the entity statement using
the old keys for a long enough time period to allow all
subordinates to have gotten access to the new keys.
Switch to signing with the new keys.
After a reasonable time period remove the old keys. What is
regarded as a reasonable time is dependent on the security profile
and risk assessment of the trust anchor.
It must be taken into consideration that clients may have
manually configured pubic keys as part of their configuration.
Since the consumers are expected to check the trust chain at regular,
reasonably frequent times, this specification does not specify a
standard revocation process. Specific federations may make a
different choice and will then have to add such a process.
This section describes how the trust framework in this specification
is used to establish trust between an RP and an OP
that has no explicit configuration or registration in advance.
There are two alternative approaches to establish trust between an
RP and an OP, which we call automatic and explicit
registration. Members of a federation or a community
should agree upon which one to use. While implementations should
support both methods, deployments may choose to disable the use of one
of them.
The trust between the entities is established using the
above described extensions in the first two steps of the
communication between an RP and an OP. How the RP found the OP in
the first place is out of scope for this document.
| |
| RP | ---- 2) Authentication request -----> | OP |
| | | |
------ ------
]]>
The client_id of the RP
MUST be set identically to the RP entity identifier.
Without a registration process, the RP does not have a
client_secret. Instead the automatic registration model requires the RP
to make use of asymmetric cryptography.
The RP MUST host a Federation API that allows the OP to fetch the
entity statements.
The authentication request is as specified in OpenID Connect
Core.
The RP MUST authenticate at the authentication endpoint
using the private_key_jwt method described in the client
authentication section of
OpenID Connect Core 1.0.
An authorization request example:
When the OP receives an incoming authentication request,
the OP supports OpenID Connect Federation and the incoming client_id
is a valid URL, the OP should try to resolve and fetch trust
chains starting with the RP's entity
statement as described in .
The OP should validate the possible trust chains, as described in
,
and resolve the RP metadata with type
openid_relying_party.
The OP should consider the resolved metadata of the RP, and
verify that it complies with the client metadata specification in
OpenID Connect Dynamic Client Registration 1.0.
Once the OP has the RP's metadata, it can verify the client authentication.
If the OP fails to establish trust with the RP, it should use the
invalid_request
error code, and an
error_description
that aids the RP to understand what is wrong.
This method involves performing an explicit registration of a new
client the first time a RP interacts with an OP
using something that basically follows the steps in
OpenID Connect Dynamic Client Registration 1.0
but where the client registration request
is a signed entity statement.
The RP will start by gathering the OP's metadata using the
process specified in above.
The OP MUST support OpenID Dynamic Client Registration as extended by this specification.
This is signaled by having the claim
federation_registration_endpoint
in the OP's metadata.
Given that the OP supports explicit registration, the RP
progresses as follows:
Once it has the list of acceptable trust chains for the OP
it MUST choose the subset it wants to progress with. The
subset can be as small as one trust chain, but it can also
contain more than one.
Based on the trust anchors referenced in the subset of
trust chains, the RP will choose a set of authority_hints from
its own set that terminates in those trust anchors.
The RP will now construct a self-signed entity statement
where the metadata statement chosen is influenced by the OPs
metadata and the authority_hints included are picked by the
process described above.
The entity statement is sent to the
federation_registration_endpoint
defined in this document.
After the OP receives the request, it collects and
evaluates
the trust chains starting with the authority_hints in the
registration request.
After it has verified at least one trust chain it
can verify that the signature on the received registration
request is correct.
If it finds more than one acceptable trust chain, it MUST
choose one trust anchor from those chains as the one it will
proceed with.
At this point, if there already exists a client
registration under the same entity ID then that registration
MUST be regarded as invalid. Note that key material from
the
previous registration MUST be kept to make key rollover
possible.
The OP will now construct a metadata policy that, if
applied to the RP's metadata statement, will result in
metadata that the OP finds acceptable.
Note that the client_id the OP chooses does not have to be
the same as the entity ID of the RP.
To the entity statement it will add one or more
authority_hints, from its collection, that terminate in the
trust anchor chosen above.
It will sign and return the registration response (a signed
entity statement) to the RP.
The RP verifies the correctness of the received entity
statement, making sure that the trust chains starting at the
authority_hints terminates in trust anchors that were
referenced in the entity statement it sent to the OP.
The RP MUST NOT apply metadata policies from the trust
chains that the OP provides because those are not valid for
the RP's metadata.
The RP MUST apply policies to the metadata using one of its
own trust chains that ends in the trust anchor that the OP chose.
Once it has applied those policies it can the apply
the policy returned from the OP.
When it has applied all the metadata policies to its
metadata statement, it then stores
the result and can continue communicating with the OP
using the agreed-upon metadata.
At this point the RP also knows which trust chain it should
use when evaluating the OP's metadata. It can therefore
apply the metadata policies on the OP's metadata using the
relevant trust chain and store the result as the OPs
metadata.
If the RP was not OK, for some reason, with the received
entity statement then it has the choice to restart the
registration process or to give up.
A client registration using this specification is not expected to
be valid forever. The entity statements exchanged all have
expiration times, which means that the registration will eventually
time out. An OP can also for administrative reasons decide that a
client registration is not valid anymore. An example of this could
be that the OP leaves the federation in use.
At regular intervals the RP MUST:
Starting with the OP's entity statement, resolve and verify
the trust chains it chooses to use when constructing the
registration request. If those trust chains do not exist
anymore or do not verify, then the registration should be
regarded as invalid and a new registration process should be
started.
If the OP's entity statement was properly formed the RP must
now verify that the entity statement it received about itself
from the OP is still valid.
Again, if that is not the case the registration
should be regarded as invalid and a new registration process
should be started.
What is regarded as reasonable intervals will depend on
federation policies and risk assessment by the maintainer of
the RP.
At regular intervals the OP MUST:
If the signature on the registration request has expired it
MUST mark the registration as invalid and demand that the
RP MUST re-register. Else
starting with the RP's client registration request, the OP MUST
verify that there still is a valid trust chain terminating in
the trust anchor the OP chose during the registration process.
An OP MUST NOT assign an expiration time
to a RP's registration that is later then the trust
chains expiration time.
TBD Register federation_types_supported for OP metadata with initial values automatic, explicit.
TBD Register federation_type for RP registration metadata.
TBD Register federation_registration_endpoint for the OP metadata.
TBD
OpenID Connect Discovery 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoftGoogleSalesforceOpenID Connect Discovery 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoftIllumilaOpenID Connect Dynamic Client Registration 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoft
A service Foodle would like to offer its services to all OPs in
eduGAIN. Foodle is managed and registered by the university
NTNU. NTNU is part of the Norwegian Feide federation. Foodle is also
directly trusted in the Swedish SWAMID federation. Both Feide and SWAMID
are part of the international eduGAIN federation.
The Foodle service chooses to use the entity identifier
https://foodl.org/.
And upon deployment, Foodle
is setup with an RSA key pair, with the following public key:
Foodle offers a WebFinger interface and a metadata API according to
this specification, with the ability to issue entity statements about
itself.
How trust is established and how entities become part of a federation
is out of scope of this specification. It could involve some kind
of non-technical contract, agreement or term of use that is
established, followed by a federation or trust issuer that registers
an entity identifier, public key and a set of metadata that restricts
the delegated trust that is represented in the entity statement about
the joining party.
The following example, assumes the following trust relations are
established, and the following entities are able to issue entity
statements:
Foodle issues an entity statement about itself
NTNU issues an entity statement about Foodle
SWAMID issues an entity statement about Foodle
Feide issues an entity statement about NTNU
eduGAIN issues an entity statement about Feide
eduGAIN issues an entity statement about SWAMID
eudGAIN issues an entity statement about itself
SWAMID issues an entity statement about the university of Umea
- an OP for employees and students at the university of Umea
SWAMID issues an entity statement about itself
Foodle has a local trust root configuration that contains public
signing keys for known federations:
"https://www.sunet.se/swamid"
Let us assume a student from Umeå would like to login at
Foodle. Some sort of discovery process involves the end user choosing
an OP. OpenID Discovery using the e-mail address is one
option. Foodle presenting a list of available OPs for the user
to choose from is another.
After the discovery process, Foodle knows that the user would like
to login using the OP with entity identifier
https://www.umu.se/openid.
Foodle
performs a request to fetch the self-issued entity statement using the
Federation API of the OP.
Yielding this response:
The API endpoint returns a signed entity statement. In
this case we looked for a self-issued statement from the Umeå
university. We then decode and inspect the content:
In order to establish trust with this OP, the Foodle RP
would need to fetch sufficient entity statements to represent
a complete chain from the self-issued statement to the locally
configured trust root, which contains SWAMID.
The information found in the authority_hints is critical in order
to dynamically discover the trust chain. If such hints are not
present, the RP may fall back to fixed configured trust roots
to ask for entity statements.
In this example, Foodle now fetches an entity statement from SWAMID
using the Federation API endpoint of SWAMID, discovered in the
authority_hints claim.
Yielding this response:
The decoded version of the entity statement is:
Notice that the entity statement about University of Umeå
also contains an entry for openid_relying_party metadata. This metadata policy indicates that
SWAMID expresses this university to be trusted to issue its own OpenID Relying Parties
and OpenID Providers without the need for registering these directly in SWAMID.
The last step then is that Foodle now fetches an entity statement
from SWAMID about SWAMID using the Federation API endpoint of
SWAMID, discovered in the authority_hints claim.
Yielding this response:
The decoded version of the entity statement is:
These three entity statements are sufficient to establish a path from
the locally configured trust anchor which trust SWAMID, to the
self-issued statement from the University of Umeå.
Here are the steps performed to validate the trust chain:
Find the trusted public keys for SWAMID in the local trust
configuration.
Use these keys to validate the signature of the signed entity
statement issued by SWAMID about SWAMID.
Extract the jwks entry from this entity statement.
These are the signing keys of SWAMID. If there are keys in this
field that do not appear in the local trust configuration,
add them to the local trust configuration.
This is a necessary step to allow SWAMID, in this case, to rotate their signing keys.
Use the SWAMID keys to validate the signature of the signed entity
statement issued by SWAMID about the University of Umeå.
Check that the sub from the trust configuration matches the iss
value of the first entity statement.
Extract the jwks entry from this entity statement. These are
the signing keys of the University of Umeå.
Validate the self-signed statement from University of
Umeå using the keys found above.
Check that the sub from the previous statement matches the iss
of the self-issued statement.
Check that the self-issued statement has the same values for
iss and sub.
The output from the trust chain validation is an ordered list of
entity statements. In order to extract the needed metadata, we need to
look at the metadata type relevant in the given context. In this case,
we are establishing trust with an OP, and we take the
openid_provider
metadata object from the
entity statement published by the OP and the policy statements from
the other entities in the trust chain:
SWAMID's metadata policy for an openid_provider:
UMU's metadata policy for an openid_provider:
and finally
The OP's metadata statement:
Applying the metadata policies to the metadata
produces the following result:
Foodle after establishing trust with the University of
Umeå
and extracted metadata and a set of metadata policies, will send an
authentication request to the OP.
This example uses automatic registration.
Here is an example of an authentication request:
The OP receiving this authentication request will, unless the
RP is cached or statically configured, start to dynamically fetch and
establish trust with the RP.
The OP needs to establish a trust chain for the RP from which an
authentication was received. The OP in this example are configured
with public key of 2 federations:
"https://edugain.org/oidc"
and
"https://www.sunet.se/swamid"
The RP starts to resolve metadata for the client identifier
https://foodl.org/ by fetching the self-issued entity statement using
the Federation API, as described in .
In this case, there are two possible trust chains:
eduGAIN -> Feide -> NTNU -> Foodle
SWAMID -> Foodle
A research project has pooled resources and bought an extremely rare
and expensive equipment (EREE) that MUST be accessible by all project
participants disregarding which university/research
organization/company they belong for.
To that end, the research project has created its own federation (EREE)
and is expecting the participants to get their organization's OPs to
register with the EREE federation.
These OPs are, of course, expected to be members in one or more other
federations.
Therefore, we have to an EREE service and an EREE federation.
Since the EREE equipment is located in Sweden, the EREE service is also
member of the SWAMID federation.
The EREE service choose to use the entity identifier
https://srv.eree.example.org/. And upon
deployment, EREE is setup with an elliptic curve key pair, with the
following public key:
The EREE service is provided files containing authority_hints by its
superiors. From the EREE federation it gets:
from SWAMID:
and from UNINETT:
and so on...
On the federations side:
SWAMID is prepared to issue an entity statement about the EREE
service.
The EREE federation is prepared to issue an entity statement
about the EREE service.
UNINETT is prepared to issue an entity statement about the EREE
service.
And finally, from the federations the EREE service also receives the
public part of the federations signing keys.
A researcher from Umeå wants to access the EREE service.
The EREE service provides a discovery service which allows the
researcher to choose which OP to use. In this case,
https://op.umu.se/.
Using the entity ID (issuer ID) of the OP the service
performs a fetch entity statement request as described in
.
The decoded version of the entity statement is:
In order to establish trust with this OP, the EREE service
provider would need to fetch sufficient entity statements to
represent a complete chain from the self-issued statement to the
trust anchor that represents the EREE federations.
The authority_hints in the self-signed entity statement points to
2 trust anchors "https://eree.example.org" and "https://swamid.se"
of these only the EREE one is interesting.
The RP therefore chooses
to only follow that trust path. The next step being to fetch an
entity statement about "https://op.umu.se" signed by the EREE
federation. This is done by doing a fetch entity statement:
The decoded version of the returned entity statement is:
A thing worth noting about the response:
The federation does not have any restrictions on what the OP can
be configured to do. This means that there are no metadata
policies to apply to the metadata statement of the OP.
The final step is to get the federation's view of itself:
With the response:
The decoded version of the returned entity statement is:
A thing worth noting about the response:
There is no authority_hints entry,
which means this entity statement describes a trust anchor.
These three entity statements are sufficient to establish a path from
the locally configured trust anchor that trusts the EREE federation,
to the self-issued statement from the OP at the
University
of Umeå. Here are the steps performed to validate the trust
chain, as described in .
We start with the signed entity statement issued by EREE about
itself.
Verify that the sub in the entity statement is the EREE's entity
ID.
Extract the jwks from the entity statement
and add possible extra keys in it to the trusted public keys for the EREE federation.
Move on to the entity statement issued by EREE about the OP.
Verify that the sub in the entity statement is the OP's entity
ID.
Use the trusted public keys for the EREE federation to validate the signature of the signed entity
statement.
Extract the jwks from the entity statement.
Now we can work on the self-signed entity statement published by
the OP at UmU.
Verify that the sub and the iss in the entity statement is
the OP's entity ID.
Using the keys extracted above, verify the signature of the
signed entity statement.
The output from the trust chain validation is an ordered list of
entity statements. In order to extract the needed metadata, we need
to look at the metadata type relevant in the given context. In this
case, we are establishing trust with an OP, and we use
the openid_provider metadata and
metadata_policy objects
of the trust chain.
Metadata polices:
Metadata statement:
Since there is no metadata policy defined earlier in the trust chain,
the response will just be the metadata statement as it is.
Now when the RP has trusted information about the OP it can do a
dynamic client registration. To that end it collects information
about
itself that it wants to register. This should be no different from
what a normal OpenID Connect RP using dynamic client registration does.
To this it adds "federation_type"="explicit", the RP
federation signing keys, the sub and authority_hints.
Ones it has all that information it
creates an entity statement. The result of all this work may look
something like this:
Next, it self-signs this statement and sends it as a client
registration request to the federation_registration_endpoint of
the OP.
To collect the trust chains, the OP uses the authority_hints in the
self-signed entity statement it received from the RP (the client
registration request).
In this case, there is only one, which points to
https://eree.example.org.
Therefore, the OP fetches the entity
statement that the EREE federation publishes on the EREE RP.
With the response:
Unpacked this becomes:
The process here is the one described in
.
The OP applies the metadata policies on the leaf entity's
metadata, all from the trust chain and comes up with:
Happy with the information in the client registration request the
OP constructs its metadata policy and creates an entity statement by
adding sub and authority_hints:
The RP MUST collect the trust chain ending in the EREE trust anchor
using the process described in ,
but refrain from processing
the metadata. This since the entity statement issued by the EREE
federation about the UmU OP are only valid for that entity and not
for the EREE RP. The trust chain should only be used to verify that
the entity statement actually comes from the expected OP.
If the RP is OK with what the OP decided on regarding the RP's
metadata, then it will store this to be used in the following OpenID Connect
protocol exchange with the OP.
In this example, the RP decided on one specific trust anchor before
sending the registration request. If that was not the case but the
RP had chosen to send a registration request with more than one
authority hint, then this by time the RP could not apply any
metadata polices to the metadata statement, since it would not know
which to use.
Copyright (c) 2019 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft or Final
Specification solely for the purposes of (i) developing specifications,
and (ii) implementing Implementers Drafts and Final Specifications based
on such documents, provided that attribution be made to the OIDF as the
source of the material, but that such attribution does not indicate an
endorsement by the OIDF.
The technology described in this specification was made available
from contributions from various sources, including members of the OpenID
Foundation and others. Although the OpenID Foundation has taken steps to
help ensure that the technology is available for distribution, it takes
no position regarding the validity or scope of any intellectual property
or other rights that might be claimed to pertain to the implementation
or use of the technology described in this specification or the extent
to which any license under such rights might or might not be available;
neither does it represent that it has made any independent effort to
identify any such rights. The OpenID Foundation and the contributors to
this specification make no (and hereby expressly disclaim any)
warranties (express, implied, or otherwise), including implied
warranties of merchantability, non-infringement, fitness for a
particular purpose, or title, related to this specification, and the
entire risk as to implementing this specification is assumed by the
implementer. The OpenID Intellectual Property Rights policy requires
contributors to offer a patent promise not to assert certain patent
claims against other contributors and against implementers. The OpenID
Foundation invites any interested party to bring to its attention any
copyrights, patents, patent applications, or other proprietary rights
that may cover technology that may be required to practice this
specification.
The authors wish to acknowledge the contributions of the following individuals and organizations to this specification:
Heather Flanagan,
Misha Salle,
Peter Schober,
Michael Schwartz,
and
the JRA3T3 task force of GEANT4-2.
The following open issues remain to be addressed in this specification.
The representation for RPs that are native applications needs to be defined.
How are federation operator keys retrieved?
A mechanism is needed for key rotation of federation operator keys
for long-term security and maintainability of federations.
A mechanism may be needed for bounding key lifetimes.
Discuss that key IDs may be chosen as the JWK Thumbprint [RFC 7638] of the key.
Discuss localization of human-readable strings.
SAML2 as used in Research and Education federations uses post-/prefix
matching on metadata in some cases. We might need something
similar or just use regular expressions.
Define the relationship between trust roots and Federation Operators,
as people will expect to find the Federation Operator term in the specification.
Add a diagram showing the relationships between FOs, orgs, sub-orgs, and leaf entities.
[[ To be removed from the final specification ]]
-08
Incorporated review feedback from Michael B. Jones.
Major changes were as follows.
Deleted sub_is_leaf entity statement since it was redundant.
Added federation_type RP registration metadata value
and federation_types_supported OP metadata value.
Deleted openid_discovery metadata type identifier
since its purpose is already served by openid_provider.
Entity identifier paths are now included when using the Federation API,
enabling use in multi-tenant deployments sharing a common domain name.
Renamed sub_is_leaf to is_leaf
in the Entity Listings Request operation parameters.
Added crit and policy_language_crit,
enabling control over which entity statement and policy language extensions
MUST be understood and processed.
Renamed openid_client to openid_relying_party.
Renamed oauth_service to oauth_authorization_server.
Renamed implicit registration to automatic registration
to avoid naming confusion with the implicit grant type.
Renamed op to operation
to avoid naming confusion with the use of "OP" as an acronym for "OpenID Provider".
Renamed url to uri in several identifiers.
Restored Open Issues appendix.
Corrected document formatting issues.
-07
Split metadata into metadata and metadata_policy
Updated example
-06
Some rewrites
Added example of explicit client registration
-05
A major rewrite.
-04
Changed client metadata names
scopes
to rp_scopes and
claims
to rp_claims.
Added Open Issues appendix.
Added additional references.
Editorial improvements.
Added standard Notices section, which is present in all OpenID
specifications.