OpenID Connect Federation | December 2022 | |
Hedberg, et al. | Standards Track | [Page] |
A federation can be expressed as an agreement between parties that trust each other. In bilateral federations, direct trust can be established between two organizations belonging to the same federation. In a multilateral federation, bilateral agreements might not be practical, in which case, trust can be mediated by a third party. That is the model used in this specification.¶
An Entity in the federation must be able to trust that other entities it is interacting with belong to the same federation. It must also be able to trust that the information the other entities publish about themselves has not been tampered with during transport and that it adheres to the federation's policies.¶
This specification describes the basic components to build a multilateral federation and it provides a guide on how to apply them when the underlying protocol used is OpenID Connect.¶
This specification describes how two entities that would like to interact can dynamically fetch and resolve trust and metadata for a given protocol through the use of third-party Trust Anchor. A trust anchor is an Entity whose main purpose is to issue statements about entities, such as OpenID Connect Relying Parties, OpenID Providers, and participating organizations. An identity federation can be realized using this specification using one or more levels of trust issuers. This specification does not mandate a specific way or restrict how a federation may be built. Instead, the specification provides the basic technical trust infrastructure building blocks needed to build a dynamic and distributed trust network such as a federation.¶
Note that this specification only concerns itself with how entities in a federation get to know about each other. Furthermore, note that a company, as with any real-world organization, MAY be represented by more than one Entity in a federation. It is also true that an Entity can be part of more than one federation.¶
OpenID Connect Federation Trust Chains rely on cryptographically signed JSON Web Token (JWT) [RFC7519] documents, and the Trust Chain does not at all rely on TLS [RFC8446] to establish trust.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
This specification uses the terms "Claim Name", "Claim Value", "JSON Web Token (JWT)", defined by JSON Web Token (JWT) [RFC7519] and the terms "OpenID Provider (OP)" and "Relying Party (RP)" defined by OpenID Connect Core 1.0 [OpenID.Core].¶
This specification also defines the following terms:¶
The basic component is the Entity Statement, which is a cryptographically signed JSON Web Token (JWT) [RFC7519]. A set of Entity Statements can form a path from a Leaf Entity to a Trust Anchor. Entity Configurations issued by Entities about themselves control the Trust Chain resolution process.¶
The Entity Configuration of a Leaf Entity contains one or more references to its superiors, found in the authority_hints (Section 3.1) parameter. These references can be used to download the Entity Configuration of each superior. One or more Entity Configurations can occur, during the Federation Entity Discovery, until the Trust Anchor is reached.¶
The Trust Anchor and its intermediaries issue Entity Statements about their descendants. The sequence of Entity Configurations and Entity Statements that validate the relationship between a superior and a descendant, along a path towards the Trust Anchor, forms the proof that a Leaf Entity is part of the Federation configured by the Trust Anchor.¶
The chain that links the statements to one another is verifiable with the signature of each statement, as described in Section 3.2.¶
With a verified Trust Chain, the federation policy is finally applied and the metadata describing a Leaf Entity within the Federation is then derived. How this is done is described in Section 5.¶
This specification deals with trust operations; it doesn't cover or touch protocol operations outside those of metadata derivation and exchange. In OpenID Connect terms, these are protocol operations other than OpenID Connect Discovery 1.0 [OpenID.Discovery] and OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration].¶
OpenID Connect is used in all of the examples in this specification, however this doesn't mean that this specification can only be used together with OpenID Connect. On the contrary, it can equally be used to build OAuth 2.0 federations or other protocols that depend on the dynamic exchange of Entity metadata.¶
An Entity Statement contains the information needed for the Entity that is the subject of the Entity Statement to participate in federation(s). An Entity Statement is always a signed JWT. The subject of the JWT is the Entity itself. The issuer of the JWT is the party that issued the Entity Statement. All Entities in a federation SHOULD be prepared to publish an Entity Statement about themselves (Entity Configuration).¶
Entity Statement JWTs MUST be explicitly typed, by setting the
typ
header parameter to
entity-statement+jwt
. This is done to
prevent cross-JWT confusion (see [RFC8725], section 3.11).¶
An Entity Statement is composed of the following claims:¶
iss
and
the sub
are identical, the
issuer is making a statement about itself and this Entity Statement
is an Entity Configuration.¶
metadata
element of the respective Entity Statement.
This claim is only OPTIONAL for the Entity Statement returned
from an OP when the client is doing Explicit Registration.
In all other cases it is REQUIRED.
Every JWK in the JWK Set MUST have a Key ID (kid
).
It is RECOMMENDED that the Key ID be the JWK Thumbprint [RFC7638]
using the SHA-256 hash function of the key.¶
metadata
claim.
If iss
and
sub
are not the same,
then the Entity Statement MAY contain a
metadata
claim containing metadata asserted by a superior about the
Entity identified by sub
.
If a metadata
claim appears beside a
metadata_policy
claim in an
Entity Statement then for each entity type, claims that appear in
metadata
MUST NOT appear in
metadata_policy
¶
metadata_policy
from
metadata
which only applies to the
subject itself.
Each key of the JSON object represents a metadata type
identifier, and each value MUST be a JSON object representing
the metadata policy according to the metadata schema of that
metadata type. An Entity Statement MAY contain multiple
metadata policy statements, but only one for each metadata type.
Only non Leaf Entities MAY contain a
metadata_policy
claim. Leaf entities MUST NOT contain a
metadata_policy
claim.¶
crit
(critical) Entity Statement
claim
indicates that extensions to Entity Statement claims defined by
this specification
are being used that MUST be understood and processed.
It is used in the same way that
crit
is used for extension JWS [RFC7515] header
parameters that MUST be understood and processed.
Its value is an array listing the Entity Statement claims
present in the Entity Statement that use those extensions.
If any of the listed extension Entity Statement claims are not
understood and supported by the recipient, then the Entity
Statement is invalid.
Producers MUST NOT include Entity Statement claim names defined by
this specification or
names that do not occur as Entity Statement claim names in the
Entity Statement
in the crit
list.
Producers MUST NOT use the empty list
[]
as the crit
value.¶
policy_language_crit
(critical)
Entity Statement claim
indicates that extensions to the policy language defined by this
specification
are being used that MUST be understood and processed.
It is used in the same way that
crit
is used for extension
JSON Web Signature (JWS) [RFC7515]
header parameters that MUST be
understood and processed.
Its value is an array listing the policy language extensions
present in the policy language statements that use those
extensions.
If any of the listed extension policy language extensions are not
understood and supported by the recipient, then the Entity
Statement is invalid.
Producers MUST NOT include policy language names defined by this
specification or
names that do not occur in policy language statements in the
Entity Statement
in the policy_language_crit
list.
Producers MUST NOT use the empty list
[]
as the policy_language_crit
value.¶
OPTIONAL. A JSON array of objects, each representing a Trust Mark. Each JSON object MUST contain the following two claims and MAY contain other claims if needed. All the claims in the JSON object MUST have the same values as those contained in the Trust Mark JSON Web Token.¶
id
claim contained in the
Trust Mark JSON Web Token.¶
There is more about Trust Marks in Section 5.3.¶
trust_anchor_id
is the
Entity Identifier of a Trust Anchor.¶
The Entity Statement is signed using the private key of the issuer
Entity, in the form of a JSON Web Signature
(JWS) [RFC7515].
Implementations SHOULD support signature verification with
the RSA SHA-256 algorithm because OpenID Connect Core
requires support for it (alg
value of RS256
).
Federations MAY also specify different mandatory-to-implement algorithms.¶
The following is a non-normative example of
a trust_marks_issuers
claim value:¶
{ "https://openid.net/certification/op": ["*"], "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf": ["https://swamid.se"] }¶
The following is a non-normative example of an Entity Statement
before
serialization and adding a signature. The example contains
a critical extension jti
(JWT ID) to the
Entity Statement and one critical extension to the policy language
regexp
(Regular expression).¶
{ "iss": "https://feide.no", "sub": "https://ntnu.no", "iat": 1516239022, "exp": 1516298022, "crit": ["jti"], "jti": "7l2lncFdY6SlhNia", "policy_language_crit": ["regexp"], "metadata": { "openid_provider": { "issuer": "https://ntnu.no", "organization_name": "NTNU", }, "oauth_client": { "organization_name": "NTNU" } }, "metadata_policy": { "openid_provider": { "id_token_signing_alg_values_supported": {"subset_of": ["RS256", "RS384", "RS512"]}, "op_policy_uri": { "regexp": "^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"} }, "oauth_client": { "grant_types": { "subset_of": ["authorization_code", "client_credentials"]}, "scope": { "subset_of": ["openid", "profile", "email", "phone"]} } }, "constraints": { "max_path_length": 2 }, "jwks": { "keys": [ { "alg": "RS256", "e": "AQAB", "key_ops": ["verify"], "kid": "key1", "kty": "RSA", "n": "pnXBOusEANuug6ewezb9J_...", "use": "sig" } ] } }¶
In an OpenID Connect identity federation, entities that together build a Trust Chain can be categorized as:¶
A Trust Chain begins with a Leaf Entity Configuration, has zero or more Entity Statements issued by intermediates about subordinates, including the Entity Statement issued by the Trust Anchor about the top-most intermediate (if there are intermediates) or the Leaf Entity (if there are no intermediates). The Trust Chain MAY end with the Entity Configuration of the Trust Anchor.¶
If present, the Trust Anchor's Entity Configuration at the end of the chain contains configuration of the federation, such as the public keys of the Trust Anchor and other parameters considered within the trust evaluation. When this is this case, the Trust Chain consequentially contains the configuration of the federation at the date of the evaluation of the chain.¶
A simple example: If we have an RP that belongs to organization A that is a member of federation F, the Trust Chain for such a setup will contain the following Entity Statements:¶
A Trust Chain MUST always be possible to order such that: If we name the Entity Statements ES[0] (the Leaf Entity's Entity Configuration) to ES[i] (an Entity Statement issued by the Trust Anchor), i>0 then:¶
iss
Entity in one Entity Statement
is always the
sub
Entity in the next.
ES[j]['iss'] == ES[j+1]['sub'], j=0,...,i-1 .¶
jwks
claim in
ES[j] that can be used to verify the signature of ES[j-1],
j=i,...,1 .¶
The signing key that MUST be used to verify ES[i] is distributed from the Trust Anchors to any Entity that needs to verify a Trust Chain in some secure out-of-band way not described in this document.¶
This specification does allow new metadata types to be defined, to support use cases outside OpenID Connect federations. The metadata type identifier will uniquely identify which metadata specification to utilize.¶
The metadata document MUST be a JSON object. Beyond that there is no restriction.¶
Metadata used in federations typically reuses existing metadata standards. If needed, the metadata schema is extended with additional properties relevant in a federated context.¶
For instance, for OpenID Connect federations, this specification uses metadata values from OpenID Connect Discovery 1.0 [OpenID.Discovery] and OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] and adds additional values used for federations.¶
For OAuth2 federations, this specification uses metadata values from OAuth 2.0 Authorization Server Metadata as specified in [RFC8414].¶
For both OpenID Connect and OAuth2 metadata the following additional properties are defined.¶
OPTIONAL. A URI pointing to a signed JWT having the Entity's
JWK Set as its payload. The JWT MUST be signed using a Federation
Entity Key.
A signed JWT can contain the following claims, all except
keys
defined in
[RFC7519]:¶
There are more claims defined in [RFC7519]; of
these, aud
SHOULD NOT be used, since
the issuer cannot know who the audience is.
nbf
and jti
are deemed to not be very useful in this context and are therefore
to be omitted.¶
The following is a non-normative example of a signed JWKS before serialization and adding a signature.¶
{ "keys": [ { "kty": "RSA", "kid": "SUdtUndEWVY2cUFDeDV5NVlBWDhvOXJodVl2am1mNGNtR0pmd", "n": "y_Zc8rByfeRIC9fFZrDZ2MGH2ZnxLrc0ZNNwkNet5rwCPYeRF3Sv 5nihZA9NHkDTEX97dN8hG6ACfeSo6JB2P7heJtmzM8oOBZbmQ90n EA_JCHszkejHaOtDDfxPH6bQLrMlItF4JSUKua301uLB7C8nzTxm tF3eAhGCKn8LotEseccxsmzApKRNWhfKDLpKPe9i9PZQhhJaurwD kMwbWTAeZbqCScU1o09piuK1JDf2PaDFevioHncZcQO74Obe4nN3 oNPNAxrMClkZ9s9GMEd5vMqOD4huXlRpHwm9V3oJ3LRutOTxqQLV yPucu7eHA7her4FOFAiUk-5SieXL9Q", "e": "AQAB" }, { "kty": "EC", "kid": "MFYycG1raTI4SkZvVDBIMF9CNGw3VEZYUmxQLVN2T21nSWlkd3", "crv": "P-256", "x": "qAOdPQROkHfZY1daGofOmSNQWpYK8c9G2m2Rbkpbd4c", "y": "G_7fF-T8n2vONKM15Mzj4KR_shvHBxKGjMosF6FdoPY" } ], "iss": "https://example.org/op", "iat": 1618410883 }¶
The following is a non-normative example of an RP's Entity Configuration:¶
{ "iss": "https://openid.sunet.se", "sub": "https://openid.sunet.se", "iat": 1516239022, "exp": 1516298022, "metadata": { "openid_relying_party": { "application_type": "web", "redirect_uris": [ "https://openid.sunet.se/rp/callback" ], "organization_name": "SUNET", "logo_uri": "https://www.sunet.se/sunet/images/32x32.png", "grant_types": [ "authorization_code", "implicit" ], "signed_jwks_uri": "https://openid.sunet.se/rp/jwks.jose", "jwks_uri":"https://openid.sunet.se/rp/signed_jwks.json" } }, "jwks": { "keys": [ { "alg": "RS256", "e": "AQAB", "key_ops": [ "verify" ], "kid": "key1", "kty": "RSA", "n": "pnXBOusEANuug6ewezb9J_...", "use": "sig" } ] }, "authority_hints": [ "https://edugain.org/federation" ] }¶
signed_jwks_uri
parameter.
One significant downside of jwks
is that it does not enable key rotation
(which signed_jwks_uri
and
jwks_uri
do).¶
It is RECOMMENDED that an Entity Configuration
use only one of
jwks
,
jwks_uri
, and
signed_jwks_uri
in its OpenID Connect or OAuth2 metadata.
However, there may be circumstances in which is it desirable to use multiple
JWK Set representations, such as when an Entity is in multiple federations and the
federations have different policies about the JWK Set representation to be used.
When multiple JWK Set representations are used, the keys present in each
representation SHOULD be the same. Even if they are not completely the
same at a given instant in time (which may be the case during key rollover operations),
implementations MUST make them consistent in a timely manner.¶
The metadata type identifier is
openid_relying_party
.¶
All parameters defined in Section 2 of OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] are allowed in a metadata statement.¶
In addition, the parameters defined in Section 4 for OpenID Connect and OAuth2 entities and the following are added:¶
automatic
and explicit
.¶
The metadata type identifier is
openid_provider
.¶
All parameters defined in Section 3 of OpenID Connect Discovery 1.0 [OpenID.Discovery] are applicable.¶
In addition, the parameters defined in Section 4 for OpenID Connect and OAuth2 entities and the following are added:¶
automatic
and explicit
.¶
OPTIONAL. A JSON Object defining the client authentications supported for each endpoint. The endpoint names are defined in the IANA "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters]. Other endpoints and authentication methods are possible, if made recognizable according to established standards and not in conflict with the operating principles of this specification. In OpenID Connect Core, no client authentication is performed at the authentication endpoint. Instead, because the request itself is authenticated. What it amounts to is that the OP maps information in the request (like the redirect_uri) to information it has gained on the client, through static or dynamic registration. If the map is successful, then the request is permitted to be processed. If the RP uses Automatic Registration, as defined in Section 10.1, the OP has no prior knowledge of the RP. Therefore, the OP must start by gathering information about the RP using the process outlined in Section 6. Once it has the RP's metadata, the OP can then verify the request in the same way as if it had known the RP's metadata beforehand. To make the request verification more secure we demand the use of a client authentication or verification method that proves that the RP is in possession of a key that appears in the RP's metadata.¶
Client authentication methods are for instance:¶
private_key_jwt
.
This authentication process is described in Section 9 of
OpenID Connect Core 1.0 [OpenID.Core].
Note that if private_key_jwt
is
used, the audience of the signed JWT MUST be either the URL of
the Authorization Server's Authorization Endpoint or the
Authorization Server's Entity Identifier.¶
A client verification method, on the other hand, is something like:¶
The claim value of this parameter is a JSON object with members representing authentication request methods and as values lists of client authentication/verification methods that can be used together with the authentication request method.¶
Examples of authentication request methods are¶
If AR is used, then a client verification method like
request_object
can be used.
If PAR is used then client authentication methods like
private_key_jwt
,
tls_client_auth
and
self_signed_tls_client_auth
can be used.¶
alg
values)
supported for the signature on the JWT [RFC7519]
used in the request_object
contained in the request parameter of an authorization request or
in the private_key_jwt
of a pushed authorization request.
This entry MUST be present if either of these authentication methods are specified
in the request_authentication_methods_supported
entry.
No default algorithms are implied if this entry is omitted.
Servers SHOULD support RS256
.
The value none
MUST NOT be used.¶
The following is a non-normative example of an OP's Entity Configuration:¶
{ "iss":"https://op.umu.se", "sub":"https://op.umu.se", "exp":1568397247, "iat":1568310847, "metadata":{ "openid_provider":{ "issuer":"https://op.umu.se/openid", "signed_jwks_uri":"https://op.umu.se/openid/signed_jwks.jose", "authorization_endpoint":"https://op.umu.se/openid/authorization", "client_registration_types_supported":[ "automatic", "explicit" ], "grant_types_supported":[ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "id_token_signing_alg_values_supported":[ "ES256", "RS256" ], "logo_uri":"https://www.umu.se/img/umu-logo-left-neg-SE.svg", "op_policy_uri":"https://www.umu.se/en/legal-information/", "response_types_supported":[ "code", "code id_token", "token" ], "subject_types_supported":[ "pairwise", "public" ], "token_endpoint":"https://op.umu.se/openid/token", "federation_registration_endpoint":"https://op.umu.se/openid/fedreg", "token_endpoint_auth_methods_supported":[ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt" ], "pushed_authorization_request_endpoint":"https://op.umu.se/openid/par", "request_authentication_methods_supported": { "authorization_endpoint": [ "request_object" ], "pushed_authorization_request_endpoint": [ "request_object", "private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth" ] } } }, "authority_hints":[ "https://umu.se" ], "jwks":{ "keys":[ { "e":"AQAB", "kid":"dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...", "kty":"RSA", "n":"x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..." } ] }, }¶
The metadata type identifier is
oauth_authorization_server
.¶
All parameters defined in Section 2 of RFC 8414 [RFC8414] and Section 4.1 are applicable. In addition, all the parameters defined for Section 4.4 are applicable for this Entity.¶
The metadata type identifier is
oauth_client
.¶
All parameters defined in Section 2 of RFC 7591 [RFC7591] are applicable. In addition, the parameters defined in Section 4 for OpenID Connect and OAuth2 entities are added.¶
The metadata type identifier is
oauth_resource
.
In addition to those defined in
draft-jones-oauth-resource-metadata (Section 12.2.1),
the parameters defined in Section 4
for OpenID Connect and OAuth2 entities are added.¶
The metadata type identifier is
federation_entity
.¶
All Entities in a federation MAY expose this metadata type. The Entities that expose federation API endpoints MUST expose this metadata type.¶
The following properties are allowed:¶
federation_fetch_endpoint
.
Leaf entities MUST NOT.¶
federation_list_endpoint
.
Leaf entities MUST NOT.¶
federation_resolve_endpoint
.¶
federation_trust_mark_status_endpoint
.¶
Example¶
"federation_entity": { "federation_fetch_endpoint": "https://example.com/federation_fetch", "federation_list_endpoint": "https://example.com/federation_list", "federation_trust_mark_status_endpoint": "https://example.com/status" "organization_name": "The example cooperation", "homepage_uri": "https://www.example.com" }¶
An Entity can publish metadata policies pertaining to subordinate entities of a specific type. Entity type identifiers specified in this document can be found in Section 4.¶
A metadata_policy
for a specific entity
type has the following structure:¶
id_token_signed_response_alg
.¶
It SHOULD be noted that claim names without language tags are different from the same claim but with language tags.¶
An example of a policy entry:¶
"id_token_signed_response_alg": { "default": "ES256", "one_of" : ["ES256", "ES384", "ES512"] }¶
Which fits into a metadata policy like this:¶
"metadata_policy" : { "openid_relying_party": { "id_token_signed_response_alg": { "default": "ES256", "one_of" : ["ES256", "ES384", "ES512"] } } }¶
Value modifiers are:¶
Value checks are:¶
true
, then the parameter MUST have a value.¶
Note that when a parameter is defined to be a space-separated
list of strings like for scope
in
[RFC7591] subset_of
,
superset_of
and
default
are still expressed as lists of strings.
This language from [RFC6749] also applies for such space-separated lists of strings:
"If the value contains multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the requested scope."¶
As stated, a policy entry can contain one or more operators. Not all operators are allowed to appear together in a policy entry.¶
subset_of
and
superset_of
applies to parameters
that can have more than
one value (for instance, contacts
)
while one_of
applies to
parameters that can only have one value (for instance,
id_token_signed_response_alg
).
This means that one_of
cannot
appear beside
subset_of
/
superset_of
in a policy entry.¶
value
overrides everything else.
So having value
together with any
other operator (except for
essential
) does not make sense.¶
Other restrictions are:¶
subset_of
and
superset_of
both appear as operators, then the
list of values in
subset_of
MUST be a superset of the values in
superset_of
.¶
add
appears in a policy entry
together with
subset_of
then the value/values of add
MUST
be a subset of subset_of
.¶
add
appears in a policy entry
together with
superset_of
then
the values of add
MUST be a
superset of superset_of
.¶
default
appears in a policy
entry together with
subset_of
then
the values of default
MUST be a
subset of subset_of
.¶
default
appears in a policy entry
together with
superset_of
then the values of default
MUST be a
superset of
superset_of
.¶
add
appears in a policy entry
together with one_of
then
the
value of add
MUST be a member
of one_of
.¶
default
appears in a policy entry
together with
one_of
then the
value default
MUST be a member
of one_of
.¶
If there is more than one metadata policy in a Trust Chain, then the policies MUST be combined before they are applied to the metadata statement.¶
Using the notation we have defined in Section 3.2, policies are combined starting with ES[i] and then adding the policies from ES[j] j=i-1,..,1 before applying the combined policy to the Entity's metadata.¶
After each combination, the policy for each parameter MUST adhere to the rules defined in Section 5.1.3.¶
subset_of
operators is the
intersection of the operator values.¶
one_of
operators is the
intersection of the operator values.¶
superset_of
operators is the
union of the operator values.¶
add
operators is the union of the values.¶
value
operators is
NOT allowed unless the two operator values are equal.¶
default
operators is
NOT allowed unless the two operator values are equal.¶
essential=true
,
then a subordinate
cannot change that. If a superior has specified
essential=false
, then a
subordinate is allowed to change that to
essential=true
.
If a superior has not specified
essential
, then a subordinate
can set essential
to
true
or false
.¶
Once combining the Metadata policies has been accomplished, the next step is to apply the combined policy to the metadata.¶
Doing that, one follows these steps for each parameter in the policy.¶
value
operator in the
policy, its value would be applied without any additional action.¶
add
operator.¶
default
if there is one.¶
essential
is
missing as an operator,
essential
is to be treated as if set to false
.
If essential
is defined to be
true
,
then the claim
MUST have a value by now. Otherwise applying the operator MUST
fail.¶
one_of
or that the
values are subset_of
/superset_of
. If the parameter values
do not fall within the allowed boundaries,
applying the operator MUST fail.¶
one_of
and the Leaf Entity
does not specify the metadata claim for which
one_of
is referred to,
it is an implementation choice which of the values in
the one_of
array will be used.¶
A federation's policy for OAuth2 clients:¶
{ "scope": { "subset_of": [ "openid", "eduperson", "phone" ], "superset_of": [ "openid" ], "default": [ "openid", "eduperson" ] }, "token_endpoint_auth_method": { "one_of": [ "client_secret_post", "client_secret_basic" ] }, "contacts": { "add": "helpdesk@federation.example.org" } }¶
An organization's policy for OAuth2 clients:¶
{ "scope": { "subset_of": [ "openid", "eduperson", "address" ], "default": [ "openid", "eduperson" ] }, "token_endpoint_auth_method": { "one_of": [ "client_secret_post", "client_secret_basic" ], "default": "client_secret_basic" }, "contacts": { "add": "helpdesk@org.example.org" } }¶
The combined metadata policy then becomes:¶
{ "scope": { "subset_of": [ "openid", "eduperson" ], "superset_of": [ "openid" ], "default": [ "openid", "eduperson" ] }, "token_endpoint_auth_method": { "one_of": [ "client_secret_post", "client_secret_basic" ], "default": "client_secret_basic" }, "contacts": { "add": [ "helpdesk@federation.example.org", "helpdesk@org.example.org" ] } }¶
If applying policies to a metadata statement results in incorrect metadata, then such a metadata statement MUST be regarded as broken and MUST NOT be used.¶
There might be parties that want to extend the policy language
defined here. If that happens then the rule is that if
software compliant with this specification
encounters a keyword it does not understand,
it MUST ignore it unless it is listed in a
policy_language_crit
list,
as is done for JWS [RFC7515] header parameters
with the crit
parameter.
If the policy language extension keyword
is listed in the policy_language_crit
list
and not understood, then the metadata MUST be rejected.¶
The following is a non-normative example of a set of policies being applied to an RP's metadata.¶
The RP's metadata:¶
{ "contacts": [ "rp_admins@cs.example.com" ], "redirect_uris": [ "https://cs.example.com/rp1" ], "response_types": [ "code" ] }¶
The federation's policy for RPs:¶
{ "id_token_signed_response_alg": { "one_of": [ "ES256", "ES384" ], "default": "ES256", }, "response_types": { "subset_of": [ "code", "code id_token" ] } }¶
The organization's policy for RPs:¶
{ "metadata_policy": { "openid_relying_party": { "contacts": { "add": "helpdesk@example.com" }, "logo_uri": { "one_of": [ "https://example.com/logo_small.svg", "https://example.com/logo_big.svg" ], "default": "https://example.com/logo_small.svg" } } }, "metadata": { "openid_relying_party": { "policy_uri": "https://example.com/policy.html", "tos_uri": "https://example.com/tos.html" } } }¶
The metadata for the Entity in question, after applying the policies above, would then become:¶
{ "contacts": [ "rp_admins@cs.example.com", "helpdesk@example.com" ], "logo_uri": "https://example.com/logo_small.svg", "policy_uri": "https://example.com/policy.html", "tos_uri": "https://example.com/tos.html", "id_token_signed_response_alg": "ES256", "response_types": [ "code" ], "redirect_uris": [ "https://cs.example.com/rp1" ] }¶
A constraint specification can contain the following claims:¶
The following is a non-normative example of such a specification:¶
{ "naming_constraints": { "permitted": [ "https://.example.com" ], "excluded": [ "https://east.example.com" ] }, "max_path_length": 2, "allowed_leaf_entity_types": ["openid_provider", "openid_relying_party"] }¶
If a subordinate Entity Statement contains a constraint specification that is more restrictive than the one in effect, then the more restrictive constraint is in effect from here on.¶
If a subordinate Entity Statement contains a constraint specification that is less restrictive than the one in effect, then it MUST be ignored.¶
The max_path_length
constraint specifies
the maximum number of
Entity Statements a Trust Chain can have between the Entity Statement
that contains the constraint specification and the Leaf's Entity
Statement.¶
A max_path_length
constraint of zero
indicates that no
intermediaries MAY appear between this Entity and the
Leaf Entity. Where it appears, the
max_path_length
constraint
MUST have a value that is greater than or equal to zero.¶
Not adding a max_path_length constraint just means that there is no additional constraints apart from those already in effect.¶
Assuming that we have a Trust Chain with four Entity Statements:¶
Then the Trust Chain fulfills the constraints if for instance:¶
max_path_length
that
is equal to or bigger than 2.¶
max_path_length
of 2,
I2 specifies max_path_length
of 1,
and I1 sets no max_path_length
constraint.¶
max_path_length
constraint
while I1 sets max_path_length
to 0.¶
The Trust Chain does not fulfill the constraints if for instance the:¶
max_path_length
to
1.¶
The naming_constraints
member
specifies a namespace within which all subject
Entity Identifiers in subordinate Entity Statements in a Trust Chain
MUST be located.¶
Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excluded claim is invalid regardless of information appearing in the permitted claim.¶
Domain name constraints are as specified in Section 4.2.1.10 of [RFC5280]. As stated there, a domain name constraint MUST be specified as a fully qualified domain name and MAY specify a host or a domain. Examples are "host.example.com" and ".example.com". When the domain name constraint begins with a period, it MAY be expanded with one or more labels. That is, the domain name constraint ".example.com" is satisfied by both host.example.com and my.host.example.com. However, the domain name constraint ".example.com" is not satisfied by "example.com". When the domain name constraint does not begin with a period, it specifies a host.¶
The allowed_leaf_entity_types
constraint
specifies what entity types are possible for Leaf Entities beneath an
entity. If there is no allowed_leaf_entity_types
defined it means that any type is allowed.¶
Technically, Trust Marks as used by this specification are signed JWTs.¶
The Trust Marks are signed by a federation accredited authority. The validation of such a signed statement is performed in the same way that an Entity Configuration is validated. To make this validation possible the key used by the Trust Mark Issuer to sign Trust Marks MUST be one of its the Federation Entity Keys.¶
Note that a federation MAY allow an Entity to self-sign some Trust Marks.¶
Trust Mark JWTs MUST be explicitly typed, by setting the
typ
header parameter to
trust-mark+jwt
. This is done to prevent
cross-JWT confusion (see [RFC8725], section 3.11).¶
These are the Trust Mark Claims:¶
id
MUST be collision-resistant
across multiple federations.
It is RECOMMENDED that the
id
value is built
using the unique URL that uniquely identifies the federation,
or the trust framework,
within which it was issued. This is required to prevent
Trust Marks issued in different federations
from having colliding identifiers.¶
Other claims MAY be used in conjunction with the claims outlined above. The claim naming recommendations outlined in Section 5.1.2 of OpenID Connect Core 1.0 [OpenID.Core] apply.¶
An Entity SHOULD NOT try to validate a Trust Mark until it knows which Trust Anchors it wants to use.¶
Validating a Trust Mark issuer follows the procedure set out in Section 8. Validating the Trust Mark itself is described in Section 7.4¶
Note that the Entity representing the accreditation authority
SHOULD be well known and trusted for a given Trust Mark identifier.
A Trust Anchor MAY publish a list of accreditation authorities
of Trust Marks that SHOULD be trusted by other Entities.
A Trust Anchor uses the trust_marks_issuers
claim
in its Entity Configuration to publish this information.¶
For other externally issued Trust Marks, it is an out-of-band process to define and announce accreditation authorities to other entities and it is left to the discretion of the receiving party to assign an appropriate level of trust to such Trust Marks.¶
A non-normative example of a Trust Mark claim inside an Entity Configuration is:¶
{ "iss": "https://rp.example.it/spid/", "sub": "https://rp.example.it/spid/", "iat": 1516239022, "exp": 1516298022, "trust_marks": [ { "id": "https://www.spid.gov.it/certification/rp/", "trust_mark": "eyJraWQiOiJmdWtDdUtTS3hwWWJjN09lZUk3Ynlya3N5a0E1bDhPb2RFSXVyOH" "JoNFlBIiwidHlwIjoidHJ1c3QtbWFyaytqd3QiLCJhbGciOiJSUzI1NiJ9.eyJ" "pc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vc" "nAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHB" "zOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJsb2dvX3Vya" "SI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9" "sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvZG9jcy9zc" "GlkLWNpZS1vaWRjLWRvY3MvaXQvdmVyc2lvbmUtY29ycmVudGUvIn0.AGf5Y4M" "oJt22rznH4i7Wqpb2EF2LzE6BFEkTzY1dCBMCK-8P_vj4Boz7335pUF45XXr2j" "x5_waDRgDoS5vOO-wfc0NWb4Zb_T1RCwcryrzV0z3jJICePMPM_1hZnBZjTNQd" "4EsFNvKmUo_teR2yzAZjguR2Rid30O5PO8kJtGaXDmz-rWaHbmfLhlNGJnqcp9" "Lo1bhkU_4Cjpn2bdX7RN0JyfHVY5IJXwdxUMENxZd-VtA5QYiw7kPExT53XcJO" "89ebe_ik4D0dl-vINwYhrIz2RPnqgA1OdbK7jg0vm8Tb3aemRLG7oLntHwqLO-" "gGYr6evM2_SgqwA0lQ9mB9yhw" } ], "metadata": { "openid_relying_party": { "application_type": "web", "client_registration_types": ["automatic"], "client_name": "https://rp.example.it/spid/", "contacts": [ "ops@rp.example.it" ], ... follows other claims ... ... follows other claims ...¶
An example of a decoded Trust Mark issued to a RP, attesting the conformance to a national public service profile:¶
{ "id":"https://federation.id/openid_relying_party/public/", "iss": "https://trust-anchor.gov.id", "sub": "https://rp.cie.id", "iat": 1579621160, "organization_name": "Organization name", "policy_uri": "https://rp.cie.id/privacy_policy", "tos_uri": "https://rp.cie.id/info_policy", "service_documentation": "https://rp.cie.id/api/v1/get/services", "ref": "https://rp.cie.id/documentation/manuale_operativo.pdf" }¶
An example of a decoded Trust Mark issued to a RP, attesting its conformance to the rules for data management of underage users:¶
{ "id":"https://federation.id/openid_relying_party/private/under-age", "iss": "https://trust-anchor.gov.id", "sub": "https://rp.cie.id", "iat": 1579621160, "organization_name": "Organization name", "policy_uri": "https://rp.cie.id/privacy_policy", "tos_uri": "https://rp.cie.id/info_policy" }¶
An example of a Trust Mark attesting a stipulation of an agreement between a RP and an Attribute Authority:¶
{ "id": "https://deleghedigitali.gov.it/openid_relying_party/sgd/", "iss": "https://deleghedigitali.gov.it", "sub": "https://rp.cie.id", "iat": 1579621160, "logo_uri": "https://deleghedigitali.gov.it/sgd-cmyk-150dpi-90mm.svg", "organization_type": "public", "id_code": "123456", "email": "info@rp.cie.id", "organization_name#it": "Nome dell'organizazzione", "policy_uri#it": "https://rp.cie.id/privacy_policy", "tos_uri#it": "https://rp.cie.id/info_policy", "service_documentation": "https://rp.cie.id/api/v1/get/services", "ref": "https://deleghedigitali.gov.it/documentation/manuale_operativo.pdf" }¶
An example of a Trust Mark asserting conformance to a security profile:¶
{ "iss": "https://secusign.org", "sub": "https://example.com/op", "iat": 1579621160, "id": "https://secusign.org/level/A", "logo_uri": "https://secusign.org/static/levels/ certification-level-A-150dpi-90mm.svg", "ref": "https://secusign.org/conformances/" }¶
An example of a decoded self-signed Trust Mark:¶
{ "iss": "https://example.com/op", "sub": "https://example.com/op", "iat": 1579621160, "id": "https://openid.net/certification/op", "logo_uri": "http://openid.net/wordpress-content/uploads/2016/ 05/oid-l-certification-mark-l-cmyk-150dpi-90mm.svg", "ref": "https://openid.net/wordpress-content/uploads/2015/ 09/RolandHedberg-pyoidc-0.7.7-Basic-26-Sept-2015.zip" }¶
An example of a third-party accreditation authority:¶
{ "iss": "https://swamid.se", "sub": "https://umu.se/op", "iat": 1577833200, "exp": 1609369200, "id": "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf" }¶
The Entity Configuration of every participant SHOULD be exposed at a well-known endpoint.
The configuration endpoint is found using the
Well-Known URIs [RFC8615]
specification, with the suffix
openid-federation
. The scheme, host, and port
are taken directly from the Entity Identifier combined with the following
path: /.well-known/openid-federation
.¶
If the Entity Identifier contains a path, it is concatenated after
/.well-known/openid-federation
in the same
manner
that path components are concatenated to the well-known identifier in
the OAuth 2.0 Authorization Server Metadata
[RFC8414]
specification.
Of course, in real multi-tenant deployments, in which the Entity
identifier
might be of the form
https://multi-tenant-service.example.com/my-tenant-identifier
the tenant is very likely to not have control over the path
https://multi-tenant-service.example.com/.well-known/openid-federation/my-tenant-identifier
whereas it is very likely to have control over the path
https://multi-tenant-service.example.com/my-tenant-identifier/.well-known/openid-federation
.
Therefore, if using the configuration endpoint at the URL with the
tenant path
after the well-known part fails,
it is RECOMMENDED that callers retry at the URL with the tenant path
before the well-known part
(even though this violates [RFC8615]).¶
Entities SHOULD make an Entity Configuration document available at the configuration endpoint. There is only one exception to this rule and that is for an RP that only does Explicit Registration. Since it posts the Entity Configuration to the OP during client registration, the OP has everything it needs from the RP.¶
An Entity Configuration document MUST be queried using an
HTTP GET request at the previously specified path.
The requesting party would make the following request to the Entity
https://openid.sunet.se
to obtain its configuration information:¶
GET /.well-known/openid-federation HTTP/1.1 Host: openid.sunet.se¶
The response is an Entity Configuration, as described in
Section 3.1.
If the Entity is an intermediate Entity or a Trust Anchor, the
response MUST contain metadata for a federation Entity
(federation_entity
).¶
A successful response MUST use the HTTP status code 200
and the content type set to
application/entity-statement+jwt
,
to make it clear that the response contains a signed Entity Statement.
In case of an error, the response
SHOULD be produced in accordance with what is defined in
Section 7.6.¶
The following is a non-normative example response from an intermediate Entity, before serialization and adding a signature:¶
200 OK Content-Type: application/entity-statement+jwt { "iss": "https://openid.sunet.se", "sub": "https://openid.sunet.se", "iat": 1516239022, "exp": 1516298022, "metadata": { "openid_provider": { "issuer": "https://openid.sunet.se", "signed_jwks_uri": "https://openid.sunet.se/jwks.jose", "authorization_endpoint": "https://openid.sunet.se/authorization", "client_registration_types_supported": [ "automatic", "explicit" ], "grant_types_supported": [ "authorization_code" ], "id_token_signing_alg_values_supported": [ "ES256", "RS256" ], "logo_uri": "https://www.umu.se/img/umu-logo-left-neg-SE.svg", "op_policy_uri": "https://www.umu.se/en/website/legal-information/", "response_types_supported": [ "code" ], "subject_types_supported": [ "pairwise", "public" ], "token_endpoint": "https://openid.sunet.se/token", "federation_registration_endpoint": "https://op.umu.se/openid/fedreg", "token_endpoint_auth_methods_supported": [ "private_key_jwt" ] } }, "jwks": { "keys": [ { "alg": "RS256", "e": "AQAB", "key_ops": [ "verify" ], "kid": "key1", "kty": "RSA", "n": "pnXBOusEANuug6ewezb9J_...", "use": "sig" } ] }, "authority_hints": [ "https://edugain.org/federation" ] }¶
The federation endpoints of an Entity can be found in the configuration response as described in Section 6 or by other means.¶
All Entities that are expected to publish Entity Statements about other entities MUST expose a Fetch endpoint.¶
Fetching Entity Statements is performed to collect Entity Statements one by one to gather Trust Chains.¶
To fetch an Entity Statement, an Entity needs to know the identifier of the Entity to ask (the issuer), the fetch endpoint of that Entity and the identifier of the Entity, that is the subject of the statement.¶
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation endpoint with the
following query string parameters, encoded in
application/x-www-form-urlencoded
format.¶
The following is a non-normative example of an API request for an Entity Statement:¶
GET /federation_fetch_endpoint? iss=https%3A%2F%2Fedugain.org%2Ffederation& sub=https%3A%2F%2Fopenid%2Esunet%2Ese HTTP/1.1 Host: edugain.org¶
A successful response MUST use the HTTP status code 200
and the content type set to
application/entity-statement+jwt
,
to make it clear that the response contains a signed Entity Statement.
If it is a negative response, it will be a JSON object and the
content type MUST be set to
application/json
.
See more about error responses in Section 7.6.¶
The following is a non-normative example of a response, before serialization and adding a signature:¶
200 OK Content-Type: application/entity-statement+jwt { "iss": "https://edugain.org/federation", "sub": "https://openid.sunet.se" "exp": 1568397247, "iat": 1568310847, "jwks": { "keys": [ { "e": "AQAB", "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...", "kty": "RSA", "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..." } ] }, "metadata":{ "organization_name":"SUNET" } "metadata_policy": { "openid_provider": { "subject_types_supported": { "value": [ "pairwise" ] }, "token_endpoint_auth_methods_supported": { "default": [ "private_key_jwt" ], "subset_of": [ "private_key_jwt", "client_secret_jwt" ], "superset_of": [ "private_key_jwt" ] } } } }¶
An Entity MAY use the resolve endpoint to fetch resolved metadata and Trust Marks for an Entity as seen/trusted by the resolver. The resolver is supposed to fetch the subject's Entity Configuration, collect a Trust Chain that starts with the subject's Entity Statement and ends with the specified Trust Anchor, verify the Trust Chain and then apply all the policies present in the Trust Chain to the Entity Statements metadata. The resolver is also expected to verify that the present Trust Marks are active. If it finds Trust Marks that are not active, then those should be left out of the response set.¶
The request MUST be an HTTP request using the GET method and
the https scheme to a resolve endpoint with the
following query string parameters, encoded in
application/x-www-form-urlencoded
format.¶
The following is a non-normative example of a resolve request:¶
GET /resolve? sub=https%3A%2F%2Fop.example.it%2Fspid& type=openid_provider& anchor=https%3A%2F%2Fswamid.se HTTP/1.1 Host: openid.sunet.se¶
A successful response MUST use the HTTP status code 200
and the content type set to
application/resolve-response+jwt
,
containing resolved metadata and
verified Trust Marks.
The resolve response JWT MAY also contain
the sequence of the Entity Statements that compose the Trust Chain,
sorted as shown in Section 3.2.
The key used by the resolver to sign the response MUST be one of its
Federation Entity Keys.
The response SHOULD contain the
aud
claim only
if the requesting client is authenticated.¶
These are the resolve response Claims:¶
exp
value of
the Trust Chain from which the resolve response was derived.¶
type
and expressed in the metadata
format
defined in Section 3.1.¶
Other claims MAY be used in conjunction with the claims outlined above. The claim naming recommendations outlined in Section 5.1.2 of OpenID Connect Core 1.0 [OpenID.Core] apply.¶
If the response is negative, the response SHOULD be produced in accordance with what is defined in Section 7.6.¶
The following is a non-normative example of a response, before serialization and adding a signature:¶
{ "iss": "https://resolver.spid.gov.it/", "sub": "https://op.example.it/spid/", "iat": 1516239022, "exp": 1516298022, "metadata": { "openid_provider": { "contacts": ["legal@example.it", "technical@example.it"], "logo_uri": "https://op.example.it/static/img/op-logo.svg", "op_policy_uri": "https://op.example.it/en/about-the-website/legal-information/", "federation_registration_endpoint":"https://op.example.it/spid/fedreg/", "authorization_endpoint": "https://op.example.it/spid/authorization/", "token_endpoint": "https://op.example.it/spid/token/", "response_types_supported": [ "code", "code id_token", "token" ], "grant_types_supported": [ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "subject_types_supported": ["pairwise"], "id_token_signing_alg_values_supported": ["RS256"], "issuer": "https://op.example.it/spid/", "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "n": "1Ta-sE ...", "e": "AQAB", "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" } ] } } }, "trust_marks": [ {"id": "https://www.spid.gov.it/certification/op/", "trust_mark": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRGRTFjMFF4UzBFdFFrWmxNRXR3ZWxOQl" "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijh4c3VLV2lWZndTZ0hvZjFUZTRPVWRjeT" "RxN2RKcktmRlJsTzV4aEhJYTAifQ.eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkL" "mdvdi5pdCIsInN1YiI6Imh0dHBzOi8vb3AuZXhhbXBsZS5pdC9zcGlkLyIsIml" "hdCI6MTU3OTYyMTE2MCwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZ" "XJ0aWZpY2F0aW9uL29wLyIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5" "nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0c" "HM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWN" "uaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9" } ], "trust_chain" : [ "eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...", "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...", "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..." ] }¶
The basic assumption of this specification is that an entity should have direct trust in no one except the Trust Anchor and its own capabilities. However, Entities may establish a kind of transistive trust in other entities. For example, the Trust Anchor states who its subordinates are and Entities may choose to trust these. If a party uses the resolve service of another Entity to obtain federation data, it is trusting the resolver to perform the validation of the cryptographically protected metadata correctly and to provide it with authentic results.¶
An Entity MAY query another Entity for a list of all the entities immediately subordinate to that Entity and about which that Entity is prepared to issue statements about. (In some cases, this MAY be a very large list.)¶
The request MUST be an HTTP request using the GET method and
the https scheme to a list endpoint with the
following query parameters, encoded in
application/x-www-form-urlencoded
format.¶
application/json
, with
the error code set to
unsupported_parameter
.¶
The following is a non-normative example of an API request for a list of entities:¶
GET /list HTTP/1.1 Host: openid.sunet.se¶
A successful response MUST use the HTTP status code 200
and the content type set to application/json
,
containing a JSON list with the known Entity
Identifiers.¶
If the response is negative, the response should be produced in accordance with what is defined in Section 7.6.¶
The following is a non-normative example of a response:¶
200 OK Content-Type: application/json [ "https://ntnu.andreas.labs.uninett.no/", "https://blackboard.ntnu.no/openid/callback", "https://serviceprovider.andreas.labs.uninett.no/application17" ]¶
This is to allow an Entity to check whether a Trust Mark is still active or not. The query MUST be sent to the Trust Mark issuer.¶
The request MUST be an HTTP request using the POST method and
the https scheme to a status endpoint with the
following parameters, encoded in
application/x-www-form-urlencoded
format.¶
iat
is not specified and the
trust issuer have issued several Trust Marks with the
id
specified in the request to the
Entity identified by sub
; the
last one is assumed.¶
If trust_mark
is used then
sub
and id
are not needed. If trust_mark
is not used,
then sub
and id
are required.¶
The following is a non-normative example of a request using
sub
and id
:¶
GET /federation_trust_mark_status_endpoint? sub=https%3A%2F%2Fopenid.sunet.se%2FRP &id=https%3A%2F%2Frefeds.org%2Fsirtfi HTTP/1.1 Host: operations.swamid.se¶
A successful response MUST use the HTTP status code 200
and the content type set to
application/json
,
to make it clear that the response contains a JSON
object containing the claim below.¶
If the response is negative, the response SHOULD be produced in accordance with what is defined in Section 7.6.¶
The following is a non-normative example of a response:¶
200 OK Content-Type: application/json { "active": true }¶
The Trust Anchor MAY publish its expired
federation public keys at the endpoint
/.well-known/openid-federation-historical-jwks
.
The purpose of this endpoint is to provide
the list of keys previously used by the Trust Anchor
in order to provide non-repudiation of statements signed by
the Trust Anchor after key rotation.
The historical keys of the Trust Anchor
guarantees participants the verifiability of the Trust Chains
even when the federation keys are changed.¶
The request MUST be an HTTP request using the GET method and
the https scheme to the well known endpoint
openid-federation-historical-jwks
.¶
The following is a non-normative example of a request:¶
GET /.well-known/openid-federation-historical-jwks HTTP/1.1 Host: trust-anchor.example.com¶
A successful response MUST use the HTTP status code 200
and the content type set to
application/jwk-set+jwt
.
The response is a signed JWT containing the following
paramenters:¶
iat
claim in
[RFC7519].¶
REQUIRED. A JSON Web Key Set (JWKS) [RFC7517] representing the public part of the Trust Anchor signing keys.¶
The JWK Set in the jwks
claim,
in addition to what is defined in
JSON Web Key Set (JWKS) [RFC7517]
also adopts the following claims:¶
iat
claim in
[RFC7519].¶
exp
claim in
[RFC7519].
on or after which the JWK MUST NOT be considered as valid.¶
The following is a non-normative example of a response, before serialization and adding a signature:¶
HTTP/1.1 200 OK Content-Type: application/jwk-set+jwt { "iss": "https://trust-anchor.federation.example.com", "iat": 123972394272, "keys": [ { "kty":"RSA", "n":"5s4qi …", "e":"AQAB", "kid":"2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs", "iat": 123972394872, "exp": 123974395972 }, { "kty":"RSA", "n":"ng5jr …", "e":"AQAB", "kid":"8KnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMJJr", "iat": 123972394872, "exp": 123974394972 } ] }¶
The Federation Historical Keys endpoint solves the problem of verifying historical Trust Chains when the Trust Anchor Federation Entity Keys are changed.¶
The Federation Historical Keys endpoint publishes the list of public keys used in the past by Trust Anchor. The given public keys are needed by all the Entities to verify the Trust Chains evaluated in the past with the Federation Entity Keys not published anymore in the Trust Anchor's Entity Configuration.¶
Federation Historical Keys endpoint response contains a signed JWT that attests all the expired Trust Anchor Keys.¶
On the basis of the attributes contained in the Entity Statements
that form a Trust Chain, it MAY be also possible to verify
the non-federation public keys used in the past by a Leaf for the
signature operations related to the OpenID Connect
requests and responses.
For example an Entity Statement issued for a Leaf
MAY also include the
jwks
claim,
respectively in the claims
metadata
or
metadata_policy
.¶
A simple example: In the following Trust Chain the
Federation Intermediary attests the Leaf's OpenID Connect
jwks
in the Entity Statement issued for the Leaf. The result is
a Trust Chain that contains the Leaf's OIDC Core jwks,
needed to verify historical signature on
request objects, ID Tokens and any other signed JWT issued by the Leaf,
if it is an RP or an OP.¶
If the request was malformed, or some error occurred during
processing of the request,
the response body SHOULD be a JSON object with the content type
set to application/json
.¶
In compliance with [RFC6749], the following standardized error format SHOULD be used:¶
REQUIRED. One of the following error codes SHOULD be used.¶
The following is a non-normative example of an error response:¶
400 Bad request Content-Type: application/json { "error": "invalid_request", "error_description": "Required request parameter [sub] was missing." }¶
An Entity (e.g., the consumer) that wants to establish trust with a remote peer MUST have the remote peer's Entity Identifier and a list of Entity Identifiers of Trust Anchors together with the public version of their signing keys. The consumer will first have to fetch sufficient Entity Statements to establish at least one chain of trust from the remote peer to one or more of the configured Trust Anchors. After that the Entity MUST validate the Trust Chains independently, and -- if there are multiple valid Trust Chains and if the application demands it -- choose one.¶
Depending on the circumstances, the consumer MAY either be handed the remote peer's Entity Configuration, or it may have to fetch it by itself. If it needs to fetch it, it will use the process described in Section 6 based on the Entity Identifier of the remote peer.¶
The next step is to iterate through the list of
intermediates listed in
authority_hints
, ignoring the authority
hints that end in an unknown Trust Anchor, requesting an Entity
Configuration from each of the intermediates.
If the received Entity Configuration contains an authority hint this
process is repeated.¶
With the list of all intermediates and the Trust Anchor, the respective federation API (see Section 7) is used to fetch Entity Statements about the intermediates and the remote peer.¶
Note: The consumer SHOULD NOT attempt to fetch Entity Statements it already has fetched during this process (loop prevention).¶
A successful operation will return one or more lists of Entity Statements. Each of the lists terminating in a self-signed Entity Statement is issued by a Trust Anchor.¶
If there is no path from the remote peer to at least one of the trusted Trust Anchors, then the list will be empty and there is no way of establishing trust in the remote peer's information. How the consumer deals with this is out of scope for this specification.¶
As described in Section 3.2, a Trust Chain consists of an ordered list of Entity Statements. So whichever way the consumer has acquired the set of Entity Statements, it MUST now verify that it is a proper Trust Chain using the rules laid out in that section.¶
To validate the chain, the following MUST be done:¶
For each Entity Statement ES[j] j=i,..,0:¶
iss
==
sub
.¶
Verifying the signature is a much more expensive operation than verifying the correctness of the statement and the timestamps. An implementer MAY therefore choose to not verify the signature until all the other checks have been done.¶
Consumers MAY cache Entity Statements or signature verification results for a given time until they expire, per Section 8.4.¶
Note that the second bullet point means that, at each step in the
Trust Chain resolution, it MUST be verified that the signing JWK is
also present in the jwks
statement claim issued by the superior.¶
If multiple valid Trust Chains are found, the consumer will need to decide on which one to use.¶
One simple rule would be to prefer a shorter chain over a longer one.¶
Consumers MAY follow other rules according to local policy.¶
Each Entity Statement in a Trust Chain is signed and MUST have an
expiration time (exp
) set.
The expiration time of the whole Trust
Chain is set to the minimum value of
(exp
) within the chain.¶
This specification allows for a smooth process of updating metadata and public keys.¶
As described above in Section 8.4, each Trust Chain has an expiration time. A consumer of metadata using this specification MUST support refreshing a Trust Chain when it expires. How often a consumer SHOULD re-evaluate the Trust Chain depends on how quickly the consumer wants to find out that something has changed in the Trust Chain.¶
If a Leaf Entity publishes its public keys in the metadata part
using jwks
, setting an expiration time on
the self-signed Entity
Statement can be used to control how often the receiving Entity is
fetching an updated version of the public key.¶
A Trust Anchor MUST publish an Entity Configuration about itself. The Trust Anchor SHOULD set a reasonable expiration time on that Statement, such that the consumers will re-fetch the Entity Configuration at reasonable intervals. If the Trust Anchor wants to roll over its signing keys it would have to:¶
jwks
representing
the Trust Anchor's signing keys.¶
It is RECOMMENDED that Federation Operators provide a means of retrieving the public keys for Trust Anchors that it administers that is independent of the Entity Configurations for those Trust Anchors. This is intended to provide redundancy in the eventuality of the compromise of the Web PKI infrastructure underlying retrieval of public keys from Entity Configurations.¶
The keys retreived via the independent mechanism specified by the Federation Operator SHOULD be be compared to those retreived via the Trust Anchor's Entity Configuration. If they do not match, both SHOULD be retrieved again. If they still do not match, it is indicative of a security or configuration problem. The appropriate remediation steps in that eventuality SHOULD be specified by the Federation Operator.¶
Since the consumers are expected to check the Trust Chain at regular, reasonably frequent times, this specification does not specify a standard revocation process. Specific federations MAY make a different choice and will then have to add such a process.¶
This section describes how the trust framework in this specification is used to establish trust between an RP and an OP that have no explicit configuration or registration in advance.¶
There are two alternative approaches to establish trust between an RP and an OP, which we call Automatic and Explicit Registration. Members of a federation or a community SHOULD agree upon which one to use. While implementations should support both methods, deployments MAY choose to disable the use of one of them.¶
Independent of whether the RP uses Automatic or Explicit Registration, the way that the RP learns about the OP is the same. It will use the procedure that is described in Section 8.¶
Automatic Registration enables an RP to make Authentication Requests without a prior registration step with the OP. The OP resolves the RP's Entity Configuration from the Client ID in the Authentication Request, following the process defined in Section 8.¶
Automatic Registration has the following characteristics:¶
request_authentication_methods_supported
.¶
The Authentication Request is performed by passing a Request Object by value as described in Section 6.1 in OpenID Connect Core 1.0 [OpenID.Core] or using pushed authorization as described in Pushed Authorization Requests [RFC9126].¶
In the case where a Request Object is used, the value of the
request
parameter is a JWT whose Claims are the request parameters
specified in Section 3.1.2 in
OpenID Connect Core 1.0 [OpenID.Core].
The JWT MUST be signed and MAY be encrypted.
The following restrictions apply to the JWT:¶
iss
MUST contain the client identifier.¶
aud
SHOULD make reuse of the statement for
private_key_jwt
client authentication not feasible.¶
request_uri
or
Pushed Authorization Request [RFC9126]
for the request.¶
The following is a non-normative example of the Claims in a Request Object before base64url encoding and signing:¶
{ "aud": "https://op.example.org/authorization", "client_id": "https://rp.example.com", "exp": 1589699162, "iat": 1589699102, "iss": "https://rp.example.com", "jti": "4d3ec0f81f134ee9a97e0449be6d32be", "nonce": "4LX0mFMxdBjkGmtx7a8WIOnB", "redirect_uri": "https://rp.example.com/authz_cb", "response_type": "code", "scope": "openid profile email address phone", "state": "YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ", "trust_chain" : [ "eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...", "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...", "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..." ] }¶
The following is a non-normative example of an Authentication Request using the request parameter (with line wraps within values for display purposes only):¶
https://server.example.com/authorize? redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb &scope=openid+profile+email+address+phone &response_type=code &client_id=https%3A%2F%2Frp.example.com &request=eyJhbGciOiJSUzI1NiIsImtpZCI6IjJIbm9GUzNZbkM5dGppQ2FpdmhXTFZVSjNB eHdHR3pfOTh1UkZhcU1FRXMifQ.eyJhdWQiOiJodHRwczovL29wLmV4YW1wbGUub 3JnL2F1dGhvcml6YXRpb24iLCJjbGllbnRfaWQiOiJodHRwczovL3JwLmV4YW1wb GUuY29tIiwiZXhwIjoxNTg5Njk5MTYyLCJpYXQiOjE1ODk2OTkxMDIsImlzcyI6I mh0dHBzOi8vcnAuZXhhbXBsZS5jb20iLCJqdGkiOiI0ZDNlYzBmODFmMTM0ZWU5Y Tk3ZTA0NDliZTZkMzJiZSIsIm5vbmNlIjoiNExYMG1GTXhkQmprR210eDdhOFdJT 25CIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9ycC5leGFtcGxlLmNvbS9hdXRoe l9jYiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwic2NvcGUiOiJvcGVuaWQgcHJvZ mlsZSBlbWFpbCBhZGRyZXNzIHBob25lIiwic3RhdGUiOiJZbVg4UE05STdXYk5vT W5uaWVLS0JpcHRWVzBzUDJPWiIsInN1YiI6Imh0dHBzOi8vcnAuZXhhbXBsZS5jb 20iLCJ0cnVzdF9wYXRoX2hpbnQiOlsiaHR0cHM6Ly9pbnRlcm1lZGlhcnktb25lL m9yZyIsImh0dHBzOi8vaW50ZXJtZWRpYXJ5LXR3by5vcmciLCJodHRwczovL3Ryd XN0LWFuY2hvci5vcmciXX0.yJz8KKF-TZPzxG1iKRkhldlVzn6NtNpgpFK0Bm93v AGnDu6XxSfK1pHFOTYCnG8DH-c8k2QsL4zHQQjwVElcWJyNJKXUAkOhNufssJD09 6CizIjDdHuzMs9-LAJH6e7eKbsE_-17xY7JvtxZGLDNAx9Dm4gBEl7H_8U5SorGW dSN8biVe3gySBivy7czrG2_afitpaEFMxDgy7wuU5aWKo9L1aaRSpcKpDHNq45Mz Ir4JTaSzob0Eil8H-QYUqqQR-ob86_gy7bHFhQMN-0lfXHkIl3riCo2JlxnjLctf IRa4r6OKgFMNDqPzGqgwPuXMbjhBTuJptUgsmbEwdsGYw¶
When the OP receives an incoming Authentication Request, the OP supports OpenID Connect Federation, the incoming Client ID is a valid URL, and the OP does not have the Client ID registered as a known client, then the OP SHOULD resolve the Trust Chains related to the requestor.¶
An RP MAY present to the OP a Trust Chain related to itself,
using the trust_chain (Section 10.1.1.1)
parameter.
If the OP doesn't have a valid registration for the RP or
its registration has expired, the OP MAY use the received
Trust Chain as a hint which path to take from the
Leaf Entity to the Trust Anchor.
The OP MAY evaluate the statements in the
trust_chain
to make its Federation Entity Discovery procedure more efficient,
especially if the RP shows more than a single authority hint in
its Entity Configuration.
If the OP already has a valid registration for the RP it MAY
use the received Trust Chain to update the RP's registration.
Whenever the OP uses a Trust Chain submitted by an RP, the
OP MUST fully verify it, with every statement contained in it.
A Trust Chain may be relied upon by the OP because it has validated
all of its statements. This is true whether these statements
are retrieved from their URLs or whether they
are provided via the trust_chain
parameter.¶
If the RP doesn't include the
trust_chain (Section 10.1.1.1)
in the request or the OP doesn't support this feature, it then MUST
validate the possible Trust Chains, starting with the RP's Entity
Configuration as described in Section 8.1,
and resolve the RP metadata with type
openid_relying_party
.¶
The OP SHOULD furthermore consider the resolved metadata of the RP, and verify that it complies with the client metadata specification in OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration].¶
Once the OP has the RP's metadata, it can verify that the client
was actually the one sending the Authentication Request by
verifying the signature of the Request Object using the key
material the client published through its metadata (underneath
metadata/openid_relying_party
).¶
Pushed Authorization Requests [RFC9126]
provides an
interoperable way to push the payload of a Request Object
directly to the AS in exchange for a
request_uri
.¶
When it comes to request authentication, the applicable methods are four:¶
private_key_jwt
in Section 9
of
OpenID Connect Core 1.0 [OpenID.Core].¶
x5c
claim for one key in the JWK Set describing
the RP's keys.¶
Note that if mTLS is used, TLS client authentication MUST be configured and, in case of self-signed certificates, the server must omit the certificate chain validation.¶
Using the example above, a request could look like this:¶
POST /par HTTP/1.1 Host: op.example.org Content-Type: application/x-www-form-urlencoded redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb &scope=openid+profile+email+address+phone &response_type=code &nonce=4LX0mFMxdBjkGmtx7a8WIOnB &state=YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ &client_id=https%3A%2F%2Frp.example.com &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A client-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJ hMDF3Umtoa1NXcGxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbW hFUVhnelpYbHBUemRRTkEifQ.eyJzdWIiOiAiaHR0cHM6Ly9ycC 5leGFtcGxlLmNvbSIsICJpc3MiOiAiaHR0cHM6Ly9ycC5leGFtc GxlLmNvbSIsICJpYXQiOiAxNTg5NzA0NzAxLCAiZXhwIjogMTU4 OTcwNDc2MSwgImF1ZCI6ICJodHRwczovL29wLmV4YW1wbGUub3J nL2F1dGhvcml6YXRpb24iLCAianRpIjogIjM5ZDVhZTU1MmQ5Yz Q4ZjBiOTEyZGM1NTY4ZWQ1MGQ2In0.oUt9Knx_lxb4V2S0tyNFH CNZeP7sImBy5XDsFxv1cUpGkAojNXSy2dnU5HEzscMgNW4wguz6 KDkC01aq5OfN04SuVItS66bsx0h4Gs7grKAp_51bClzreBVzU4g _-dFTgF15T9VLIgM_juFNPA_g4Lx7Eb5r37rWTUrzXdmfxeou0X FC2p9BIqItU3m9gmH0ojdBCUX5Up0iDsys6_npYomqitAcvaBRD PiuUBa5Iar9HVR-H7FMAr7aq7s-dH5gx2CHIfM3-qlc2-_Apsy0 BrQl6VePR6j-3q6JCWvNw7l4_F2UpHeanHb31fLKQbK-1yoXDNz DwA7B0ZqmuSmMFQ¶
All the assumptions and requirements already defined in Section 10.1.1.1.1 also apply to Pushed Authorization Requests [RFC9126].¶
Once the OP has the RP's metadata, it can verify the client
using the keys published underneath the
metadata/openid_relying_party
element.
This is where it diverges depending on which client
authentication method was used.¶
x5c
claim for one key in the JWK Set describing the RP's
keys.¶
If the OP fails to establish trust with the RP, it SHOULD use an
appropriate error code, and an
error_description
that aids the RP to understand what is wrong.¶
In addition to the error codes defined in Section 3.1.2.6 of OpenID Connect Core, this specification also defines the following error codes:¶
The following is a non-normative example error response:¶
HTTP/1.1 302 Found Location: https://client.example.org/cb? error=missing_trust_anchor &error_description= Could%20not%20find%20a%20trusted%20anchor &state=af0ifjsldkj¶
Note that we anticipate that Automatic Registration could be employed for use cases beyond OpenID Connect Federation. If used with pure OAuth 2.0, for instance, Automatic Registration would occur during Authorization Requests. If for a particular such use case the client does not need to be securely identified, then the requirement for signed requests could be relaxed.¶
This method involves performing an explicit registration step for a new client before the RP interacts with an OP for the first time, similarly to the process specified by OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration], but where the client registration request contains the Entity Configuration or an entire Trust Chain.¶
An OP that supports OpenID Dynamic Client Registration as extended
by this specification, signals this by having the claim
federation_registration_endpoint
in the OP's metadata.¶
Given that the OP supports Explicit Registration, the RP progresses as follows:¶
authority_hints
from the hints that are available to it. Each hint MUST,
when used as a starting point for Trust Chain collection,
lead to at least one of the Trust Anchors in the subset.¶
authority_hints
included are picked by the process described above.¶
federation_registration_endpoint
defined in this document.¶
application/entity-statement+jwt
if it contains only the Entity Configuration of the
requestor. Otherwise if it contains the Trust Chain, the
content type of the Registration Request MUST be set to
application/trust-chain+json
.¶
authority_hints
in the Entity Configuration of the requestor.
After it has verified at least one Trust Chain it
MUST verify that the signature on the received registration
request is correct.
If the OP finds more than one acceptable Trust Chain,
it MUST choose one Trust Anchor from those chains as the one it will
proceed with.¶
trust_anchor_id
claim, containing the Trust Anchor chosen in step 2.¶
application/jose
.¶
authority_hints
it added to the registration request will lead to the
Trust Anchor the OP named using the claim
trust_anchor_id
.¶
A client registration using the explicit method is not expected to be valid forever. The Entity Statements exchanged all have expiration times, which means that the registration will eventually time out. An OP can also, for administrative reasons, decide that a client registration is not valid anymore. An example of this could be the OP leaving the federation used to register an RP.¶
The temporary nature of explicit registration means that an RP must expect its registration to become invalidated at any time, causing RP requests to the OP, such as authorization, token or UserInfo requests, to fail. An RP MAY devise appropriate strategies to re-register with the OP and restart the transaction when such a condition occurs.¶
At regular intervals, the RP MUST:¶
What is regarded as reasonable intervals will depend on federation policies and risk assessment by the maintainer of the RP.¶
At regular intervals, the OP MUST:¶
An OP MUST NOT assign an expiration time to an RP's registration that is later than the trust chain's expiration time.¶
The primary differences between Automatic Registration and Explicit Registration are:¶
Both Automatic and Explicit Client Registration support the submission of the Trust Chain embedded in the Request, calculated by the requestor and related to itself. This enables the following benefits in a federation:¶
It solves the problem of OPs using RP metadata that has become stale. This may occur when the OP uses cached RP metadata from a Trust Chain that hasn't reached its expiration time yet. By passing the trust_chain (Section 10.1.1.1) in the Request the RP can notify the OP that a change has taken place, thus letting the OP update its client registration and prevent potential temporary faults due to stale metadata.¶
It enables the RP to pass a verifiable hint which trust path to take in order to build the Trust Chain. This can reduce the costs of RP Federation Entity Discovery for OPs in complex federations where the RP has multiple Trust Anchors or the Trust Chain resolution may result in dead-ends.¶
It enables direct passing of the Entity Configuration, including
any present Trust Marks, thus saving the OP from having to make
an HTTP request to the RP
/.well-known/openid-federation
endpoint.¶
Human-readable Claim Values and Claim Values that reference human-readable values MAY be represented in multiple languages and scripts. This specification enables such representations in the same manner as defined in Section 5.2 of OpenID Connect Core 1.0 [OpenID.Core]. The paragraphs that follow are excerpted from there.¶
To specify the languages and scripts, BCP47 [RFC5646] language tags are added to member names,
delimited by a #
character. For example,
family_name#ja-Kana-JP
expresses the
Family Name in Katakana in Japanese, which is commonly used to index
and represent the phonetics of the Kanji representation of the same
represented as family_name#ja-Hani-JP
.
As another example, both website
and
website#de
Claim Values might be returned,
referencing a Web site in an unspecified language and a Web site
in German.¶
Since Claim Names are case sensitive, it is strongly RECOMMENDED that language tag values used in Claim Names be spelled using the character case with which they are registered in the IANA "Language Subtag Registry" [IANA.Language]. In particular, normally language names are spelled with lowercase characters, region names are spelled with uppercase characters, and scripts are spelled with mixed case characters. However, since BCP47 language tag values are case insensitive, implementations SHOULD interpret the language tag values supplied in a case-insensitive manner.¶
Per the recommendations in BCP47, language tag values for Claims
SHOULD only be as specific as necessary.
For instance, using fr
might be sufficient
in many contexts, rather than fr-CA
or
fr-FR
.
Where possible, OPs SHOULD try to match requested Claim locales with
Claims it has. For instance, if the Client asks for a Claim with
a de
(German) language tag and the OP
has a value tagged with de-CH
(Swiss German)
and no generic German value, it would be appropriate for the OP
to return the Swiss German value to the Client.
(This intentionally moves as much of the complexity of language tag
matching to the OP as possible, to simplify Clients.)¶
This specification registers the following metadata names in the IANA "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters] established by [RFC8414].¶
client_registration_types_supported
¶
organization_name
¶
federation_registration_endpoint
¶
request_authentication_methods_supported
¶
request_authentication_signing_alg_values_supported
¶
signed_jwks_uri
¶
jwks
¶
This specification registers the following client metadata definition in the IANA "OAuth Dynamic Client Registration Metadata" registry [IANA.OAuth.Parameters] established by [RFC7591].¶
This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 protected resource.¶
client_registration_types
¶
organization_name
¶
signed_jwks_uri
¶
This section registers the following values in the IANA "OAuth Extensions Error Registry" registry [IANA.OAuth.Parameters] established by [RFC6749].¶
This section registers the following media types [RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described in [RFC6838].¶
Additional information:¶
Person & email address to contact for further information:¶
Michael B. Jones, mbj@microsoft.com¶
Additional information:¶
Person & email address to contact for further information:¶
Michael B. Jones, mbj@microsoft.com¶
Additional information:¶
Person & email address to contact for further information:¶
Michael B. Jones, mbj@microsoft.com¶
Additional information:¶
Person & email address to contact for further information:¶
Michael B. Jones, mbj@microsoft.com¶
This specification registers the following parameter name in the IANA "OAuth Parameters" registry [IANA.OAuth.Parameters] established by [RFC6749].¶
trust_chain
¶
Some of the interfaces defined in this specification could be used for Denial-of-Service attacks (DoS), most notably, the Resolve endpoint (Section 7.3), Explicit Client Registration (Section 10.2), and Automatic Client Registration (Section 10.1), can be exploited as vectors of http propagation attacks. If these endpoints are provided, some adequate defense methods are required, such as those described below and in [RFC4732].¶
A Trust Mark can be statically validated, using the public key of its issuer. The static validation of the Trust Marks represent a filter against a propagation attacks. An attacker could exploit the Federation Entity Discovery mechanism and use an OIDC Federation to propagate many http requests. For each authorization request, crafted by an anonymous client, the OP would produce ~3 http requests to third parties in absence of intermediaries, and at least 5 http requests with at least one intermediary. If an OP doesn't find at least one valid Trust Mark in an Entity Configuration it should reject the request and temporary bans the requestor.¶
If client authentication is not demanded at the Resolve endpoint then incoming requests should not by default result in immediate collection (Federation Entity Discovery process) and evaluation of Trust Chains.¶
One of the fundamental design goals of this protocol is to protect messages end-to-end. This can not be accomplished by demanding TLS since TLS, in lots of cases, is not end-to-end but ends in a HTTPS to HTTP Reverse Proxy. Allowing unsigned error messages therefore opens up an attack vector for someone who wants to run a Denial of Service attack. This is not specific to OpenID Connect Federation but equally valid for other protocols when HTTPS to HTTP reverse proxies are used.¶
Let us assume the following: The project LIGO would like to offer access to its wiki to all OPs in EduGAIN. LIGO is registered to the InCommon federation.¶
The players¶
EduGAIN | +------------------+------------------+ | | SWAMID InCommon | | umu.se | | | op.umu.se wiki.ligo.org¶
Both SWAMID and InCommon are identity federations in their own right. They also have in common that they are both members of the EduGAIN federation.¶
SWAMID and InCommon are different in how they register entities. SWAMID registers organizations and lets the organizations register entities that belong to the organization, while InCommon registers all entities directly and not beneath any organization Entity. Hence the differences in depth in the federations.¶
Let us assume a researcher from Umeae University would like to login at the LIGO Wiki. At the Wiki, the researcher will use some kind of discovery service to find the home identity provider (op.umu.se)¶
Once the RP-part of the Wiki knows which OP it SHOULD talk to it has to find out a couple of things about the OP. All of those things can be found in the metadata. But finding the metadata is not enough; the RP also has to trust the metadata.¶
Let us make a detour and start with what it takes to build a federation.¶
These are the steps to set up a federation infrastructure.¶
Once the previous requirements have been satisfied, a Federation Operator can add Entities to the federation. Adding an Entity comes down to:¶
Now before the federation operator starts adding entities, there have to be policies in place on who can be part of the federation and the layout of the federation. Is it supposed to be a one-layer federation like InCommon, a two-layer one like the SWAMID federation, or a multi-layer federation? The federation may also want to think about implementing other policies using the federation policy framework, as described in Section 5.¶
With the federation in place, things can start happening.¶
Federation Entity Discovery is a sequence of steps that starts with the RP fetching the Entity Configuration of the Leaf Entity (in this case https://op.umu.se) using the process defined in Section 6. What follows thereafter is this sequence of steps:¶
How many times this has to be repeated depends on the depth of the federation. What follows below is the result of each step the RP has to take to find the OP's metadata using the federation setup described above.¶
When building the Trust Chain, the Entity Statements issued by a superior about its subordinate are used together with the Entity Configuration issued by the Leaf.¶
The Entity Configuration concerning intermediates is not part of the Trust Chain.¶
The LIGO WIKI RP fetches the Entity Configuration from the OP (op.umu.se) using the process defined in Section 6.¶
The result is this Entity Configuration.¶
{ "authority_hints": [ "https://umu.se" ], "exp": 1568397247, "iat": 1568310847, "iss": "https://op.umu.se", "sub": "https://op.umu.se", "jwks": { "keys": [ { "e": "AQAB", "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...", "kty": "RSA", "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..." } ] }, "metadata": { "openid_provider": { "issuer": "https://op.umu.se/openid", "signed_jwks_uri": "https://op.umu.se/openid/jwks.jose", "authorization_endpoint": "https://op.umu.se/openid/authorization", "client_registration_types_supported": [ "automatic", "explicit" ], "request_parameter_supported": true, "grant_types_supported": [ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "id_token_signing_alg_values_supported": [ "ES256", "RS256" ], "logo_uri": "https://www.umu.se/img/umu-logo-left-neg-SE.svg", "op_policy_uri": "https://www.umu.se/en/website/legal-information/", "response_types_supported": [ "code", "code id_token", "token" ], "subject_types_supported": [ "pairwise", "public" ], "token_endpoint": "https://op.umu.se/openid/token", "federation_registration_endpoint": "https://op.umu.se/openid/fedreg", "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt" ] } } }¶
The authority_hints
points to the
intermediate https://umu.se. So that is the next step.¶
This Entity Configuration is the first link in the Trust Chain.¶
The LIGO RP fetches the Entity Configuration from "https://umu.se" using the process defined in Section 6.¶
The request will look like this:¶
GET /.well-known/openid-federation HTTP/1.1 Host: umu.se¶
And the GET will return:¶
{ "authority_hints": [ "https://swamid.se" ], "exp": 1568397247, "iat": 1568310847, "iss": "https://umu.se", "sub": "https://umu.se", "jwks": { "keys": [ { "e": "AQAB", "kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...", "kty": "RSA", "n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..." } ] }, "metadata": { "federation_entity": { "contacts": "ops@umu.se", "federation_fetch_endpoint": "https://umu.se/oidc/fedapi", "homepage_uri": "https://www.umu.se", "organization_name": "UmU" } } }¶
The only piece of information that is used from this Entity
Statement is
the federation_fetch_endpoint
,
which is used in the next step.¶
The RP uses the fetch endpoint provided by https://umu.se as defined in Section 7.1.1 to fetch information about "https://op.umu.se".¶
The request will look like this:¶
GET /oidc/fedapi?sub=https%3A%2F%2Fop.umu.se& iss=https%3A%2F%2Fumu.se HTTP/1.1 Host: umu.se¶
and the result is this:¶
{ "exp": 1568397247, "iat": 1568310847, "iss": "https://umu.se", "jwks": { "keys": [ { "e": "AQAB", "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...", "kty": "RSA", "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..." } ] }, "metadata_policy": { "openid_provider": { "contacts": { "add": [ "ops@swamid.se" ] }, "organization_name": { "value": "University of Ume\u00e5" }, "subject_types_supported": { "value": [ "pairwise" ] }, "token_endpoint_auth_methods_supported": { "default": [ "private_key_jwt" ], "subset_of": [ "private_key_jwt", "client_secret_jwt" ], "superset_of": [ "private_key_jwt" ] } } }, "sub": "https://op.umu.se" }¶
This is the second link in the Trust Chain.¶
Notable here is that this path leads to two Trust Anchors using the same next step ("https://swamid.se").¶
The LIGO Wiki RP fetches the Entity Configuration from "https://swamid.se" using the process defined in Section 6.¶
The request will look like this:¶
GET /.well-known/openid-federation HTTP/1.1 Host: swamid.se¶
And the GET will return:¶
{ "authority_hints": [ "https://edugain.geant.org" ], "exp": 1568397247, "iat": 1568310847, "iss": "https://swamid.se", "jwks": { "keys": [ { "e": "AQAB", "kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...", "kty": "RSA", "n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..." } ] }, "metadata": { "federation_entity": { "contacts": "ops@swamid.se", "federation_fetch_endpoint": "https://swamid.se/fedapi", "homepage_uri": "https://www.sunet.se/swamid/", "organization_name": "SWAMID" } }, "sub": "https://swamid.se" }¶
The only piece of information that is used from this Entity
Statement is
the federation_fetch_endpoint
,
which is used in the next step.¶
The LIGO Wiki RP uses the fetch endpoint provided by "https://swamid.se" as defined in Section 7.1.1 to fetch information about "https://umu.se".¶
The request will look like this:¶
GET /fedapi?sub=https%3A%2F%2Fumu.se& iss=https%3A%2F%2Fswamid.se HTTP/1.1 Host: swamid.se¶
and the result is this:¶
{ "exp": 1568397247, "iat": 1568310847, "iss": "https://swamid.se", "jwks": { "keys": [ { "e": "AQAB", "kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...", "kty": "RSA", "n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..." } ] }, "metadata_policy": { "openid_provider": { "id_token_signing_alg_values_supported": { "subset_of": [ "RS256", "ES256", "ES384", "ES512" ] }, "token_endpoint_auth_methods_supported": { "subset_of": [ "client_secret_jwt", "private_key_jwt" ] }, "userinfo_signing_alg_values_supported": { "subset_of": [ "ES256", "ES384", "ES512" ] } } }, "sub": "https://umu.se" }¶
This is the third link in the Trust Chain.¶
If we assume that the issuer of this Entity Statement is not in the list of Trust Anchors the LIGO Wiki RP has access to, we have to go one step further.¶
RP fetches the Entity Configuration from "https://edugain.geant.org" using the process defined in Section 6.¶
The request will look like this:¶
GET /.well-known/openid-federation HTTP/1.1 Host: edugain.geant.org¶
And the GET will return:¶
{ "exp": 1568397247, "iat": 1568310847, "iss": "https://edugain.geant.org", "sub": "https://edugain.geant.org", "jwks": { "keys": [ { "e": "AQAB", "kid": "Sl9DcjFxR3hrRGdabUNIR21KT3dvdWMyc2VUM2Fr...", "kty": "RSA", "n": "xKlwocDXUw-mrvDSO4oRrTRrVuTwotoBFpozvlq-1q..." } ] }, "metadata": { "federation_entity": { "federation_fetch_endpoint": "https://geant.org/edugain/api" } } }¶
Again, the only thing we need is the
federation_fetch_endpoint
.
As described in
Section 9.2,
note SHOULD also be
taken to jwks
as the Trust Anchor MAY be
performing a key rollover.¶
The LIGO Wiki RP uses the fetch endpoint of https://edugain.geant.org as defined in Section 7.1.1 to fetch information about "https://swamid.se".¶
The request will look like this:¶
GET /edugain/api?sub=https%3A%2F%2Fswamid.se& iss=https%3A%2F%2Fedugain.geant.org HTTP/1.1 Host: geant.org¶
and the result is this:¶
{ "exp": 1568397247, "iat": 1568310847, "iss": "https://edugain.geant.org", "jwks": { "keys": [ { "e": "AQAB", "kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...", "kty": "RSA", "n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..." } ] }, "metadata_policy": { "openid_provider": { "contacts": { "add": "ops@edugain.geant.org" } }, "openid_relying_party": { "contacts": { "add": "ops@edugain.geant.org" } } }, "sub": "https://swamid.se" }¶
If we assume that the issuer of this statement appears in the list of Trust Anchors the LIGO Wiki RP has access to this would be the fourth and final Entity Statement in the Trust Chain.¶
We now have the whole chain from the Entity Configuration of the Leaf Entity up until the last one that is issued by a Trust Anchor. All in all, we have:¶
Using the public keys of the Trust Anchor that the LIGO Wiki RP has been provided with in some secure out-of-band way, it can now verify the Trust Chain as described in Section 8.2.¶
Having verified the chain, the LIGO Wiki RP can proceed with the next step.¶
Combining the metadata policies from the tree Entity Statements we have by a superior about its subordinate and applying the combined policy to the metadata statement that the Leaf Entity presented, we get:¶
{ "authorization_endpoint": "https://op.umu.se/openid/authorization", "claims_parameter_supported": false, "contacts": [ "ops@swamid.se" ], "federation_registration_endpoint": "https://op.umu.se/openid/fedreg", "client_registration_types_supported": [ "automatic", "explicit" ], "grant_types_supported": [ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "id_token_signing_alg_values_supported": [ "RS256", "ES256" ], "issuer": "https://op.umu.se/openid", "signed_jwks_uri": "https://op.umu.se/openid/jwks.jose", "logo_uri": "https://www.umu.se/img/umu-logo-left-neg-SE.svg", "organization_name": "University of Ume\u00e5", "op_policy_uri": "https://www.umu.se/en/website/legal-information/", "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "response_types_supported": [ "code", "code id_token", "token" ], "subject_types_supported": [ "pairwise" ], "token_endpoint": "https://op.umu.se/openid/token", "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_jwt" ] }¶
We have now reached the end of the Provider Discovery process.¶
As described in Section 10, there are two ways which can be used to do client registration:¶
federation_registration_endpoint
,
which provides the metadata for the RP to use. The OP MAY return a
metadata policy that adds restrictions over and above what the
Trust Chain already has defined.¶
The LIGO Wiki RP does not do any registration but goes directly to sending an Authentication Request.¶
Here is an example of such an Authentication Request:¶
GET /openid/authorization? request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJhMDF3Umtoa1NXc GxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbWhFUVhnelpYbHBUemRR TkEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic2NvcGUiOiAi b3BlbmlkIHByb2ZpbGUgZW1haWwiLCAiY2xpZW50X2lkIjogImh0dHB zOi8vd2lraS5saWdvLm9yZyIsICJzdGF0ZSI6ICIyZmY3ZTU4OS0zOD Q4LTQ2ZGEtYTNkMi05NDllMTIzNWU2NzEiLCAibm9uY2UiOiAiZjU4M WExODYtYWNhNC00NmIzLTk0ZmMtODA0ODQwODNlYjJjIiwgInJlZGly ZWN0X3VyaSI6ICJodHRwczovL3dpa2kubGlnby5vcmcvb3BlbmlkL2N hbGxiYWNrIiwgImlzcyI6ICIiLCAiaWF0IjogMTU5MzU4ODA4NSwgIm F1ZCI6ICJodHRwczovL29wLnVtdS5zZSJ9.cRwSFNcDx6VsacAQDcIx 5OAt_Pj30I_uUKRh04N4QJd6MZ0f50sETRv8uspSt9fMa-5yV3uzthX _v8OtQrV33gW1vzgOSRCdHgeCN40StbzjFk102seDwtU_Uzrcsy7KrX YSBp8U0dBDjuxC6h18L8ExjeR-NFjcrhy0wwua7Tnb4QqtN0QCia6DD 8QBNVTL1Ga0YPmMdT25wS26wug23IgpbZB20VUosmMGgGtS5yCI5AwK Bhozv-oBH5KxxHzH1Oss-RkIGiQnjRnaWwEOTITmfZWra1eHP254wFF 2se-EnWtz1q2XwsD9NSsOEJwWJPirPPJaKso8ng6qrrOSgw &response_type=code &client_id=https%3A%2F%2Fwiki.ligo.org &redirect_uri=https%3A%2F%2Fwiki.ligo.org/openid/callback &scope=openid+profile+email HTTP/1.1 Host: op.umu.se¶
The OP receiving this Authentication Request will, unless the RP is already registered, start to dynamically fetch and establish trust with the RP.¶
The OP needs to establish a Trust Chain for the RP (wiki.ligo.org). The OP in this example is configured with public keys of two federations:¶
The OP starts to resolve metadata for the client identifier https://wiki.ligo.org by fetching the Entity Configuration using the process described in Section 6.¶
The process is the same as described in Appendix A.2 and will result in a Trust Chain with the following Entity Statements:¶
Using the public keys of the Trust Anchor that the LIGO Wiki RP has been provided with in some secure out-of-band way, it can now verify the Trust Chain as described in Section 8.2.¶
We will not list the complete Entity Statements but only the
metadata
and metadata_policy
parts.
There are two metadata policies:¶
"metadata_policy": { "openid_provider": { "contacts": { "add": "ops@edugain.geant.org" } }, "openid_relying_party": { "contacts": { "add": "ops@edugain.geant.org" } } }¶
"metadata_policy": { "openid_relying_party": { "application_type": { "one_of": [ "web", "native" ] }, "contacts": { "add": "ops@incommon.org" }, "grant_types": { "subset_of": [ "authorization_code", "refresh_token" ] } } }¶
Combining these and apply them to the metadata for wiki.ligo.org:¶
"metadata": { "application_type": "web", "client_name": "LIGO Wiki", "contacts": [ "ops@ligo.org" ], "grant_types": [ "authorization_code", "refresh_token" ], "id_token_signed_response_alg": "RS256", "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose", "redirect_uris": [ "https://wiki.ligo.org/openid/callback" ], "response_types": [ "code" ], "subject_type": "public" }¶
The final result is:¶
{ "application_type": "web", "client_name": "LIGO Wiki", "contacts": [ "ops@ligo.org", "ops@edugain.geant.org", "ops@incommon.org" ], "grant_types": [ "refresh_token", "authorization_code" ], "id_token_signed_response_alg": "RS256", "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose", "redirect_uris": [ "https://wiki.ligo.org/openid/callback" ], "response_types": [ "code" ], "subject_type": "public" }¶
Having that, the registration is done, and the OP MUST now use
the keys found at the URL specified in
signed_jwks_uri
to verify the signature on the Request Object in the
Authentication Request.¶
Here the LIGO Wiki RP sends a client registration request to the
federation_registration_endpoint
of the OP (op.umu.se).
What it sends is an Entity Configuration.¶
Once the OP has the Entity Statement, it proceeds with the same sequence of steps as laid out in Appendix A.2.¶
The OP will end up with the same RP metadata as was described in Appendix A.3.1.2, but what it now can do is return a metadata policy that it wants to be applied to the RP's metadata. This metadata policy will be combined with the Trust Chain's combined metadata policy before being applied to the RP's metadata.¶
If we assume that the OP does not support refresh tokens, it MAY want to add a metadata policy that says:¶
"metadata_policy": { "openid_relying_party": { "grant_types": { "subset_of": [ "authorization_code" ] } } }¶
Thus, the Entity Statement returned by the OP to the RP MAY look like this:¶
{ "trust_anchor_id": "https://edugain.geant.org", "metadata_policy": { "openid_relying_party": { "application_type": { "one_of": [ "web", "native" ] }, "contacts": { "add": [ "ops@incommon.org", "ops@edugain.geant.org" ] }, "grant_types": { "subset_of": [ "authorization_code", "refresh_token" ] } } }, "metadata": { "openid_relying_party": { "client_id": "m3GyHw", "client_secret_expires_at": 1604049619, "client_secret": "cb44eed577f3b5edf3e08362d47a0dc44630b3dc6ea99f7a79205" "client_id_issued_at": 1601457619, } }, "authority_hints": [ "https://incommon.org" ], "aud": "https://wiki.ligo.org", "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "U2JTWHY0VFg0a2FEVVdTaHptVDJsNDNiSDk5MXRBVEtNSFVkeXZwb", "e": "AQAB", "n": "4AZjgqFwMhTVSLrpzzNcwaCyVD88C_Hb3Bmor97vH-2AzldhuVb8K..." }, { "kty": "EC", "use": "sig", "kid": "LWtFcklLOGdrW", "crv": "P-256", "x": "X2S1dFE7zokQDST0bfHdlOWxOc8FC1l4_sG1Kwa4l4s", "y": "812nU6OCKxgc2ZgSPt_dkXbYldG_smHJi4wXByDHc6g" } ] }, "iss": "https://op.umu.se", "iat": 1601457619, "exp": 1601544019 }¶
And the resulting metadata used by the RP could look like:¶
{ "application_type": "web", "client_name": "LIGO Wiki", "contacts": [ "ops@edugain.geant.org", "ops@incommon.org", "ops@ligo.org" ], "grant_types": [ "authorization_code" ], "id_token_signed_response_alg": "RS256", "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose", "redirect_uris": [ "https://wiki.ligo.org/openid/callback" ], "response_types": [ "code" ], "subject_type": "public" }¶
Copyright (c) 2022 The OpenID Foundation.¶
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that MAY cover technology that MAY be required to practice this specification.¶
The authors wish to acknowledge the contributions of the following individuals and organizations to this specification: Heather Flanagan, Samuel Gulliksson, Takahiko Kawasaki, Torsten Lodderstedt, Roberto Polli, Jouke Roorda, Mischa Salle, Marcos Sanz, Peter Schober, Michael Schwartz, Kristina Yasuda, and the JRA3T3 task force of GEANT4-2.¶
[[ To be removed from the final specification ]]¶
-25¶
-24¶
-23¶
-22¶
-21¶
-20¶
id_token_signed_response_alg
.¶
signed_jwks_uri
is preferred over
jwks_uri
and jwks
.¶
id_token_signed_response_alg
.¶
missing_trust_anchor
and validation_failed
.¶
organization_name
,
request_authentication_methods_supported
,
request_authentication_signing_alg_values_supported
,
signed_jwks_uri
,
and
jwks
and the RP Metadata parameters
client_registration_types
(which was previously misregistered as client_registration_type
),
organization_name
,
and
signed_jwks_uri
.¶
client_registration_type
to client_registration_types_supported
.¶
federation_api_endpoint
to federation_fetch_endpoint
.¶
request_parameter_supported
to examples.¶
-19¶
trust_mark
claim from federation entity metadata.¶
trust_chain
and removed is_leaf
.¶
jwks
claim in OP metadata.¶
request_authentication_methods_supported
.¶
request_authentication_signing_alg_values_supported
OP metadata parameter.¶
trust_marks
definition.¶
-18¶
client_registration_types_supported
and
federation_registration_endpoint
authorization server metadata parameters.¶
client_registration_type
dynamic client registration parameter.¶
application/entity-statement+jwt
media type.¶
application/trust-mark+jwt
media type.¶
mark
has been renamed to logo_uri
.¶
iss
parameter is optional.¶
-17¶
trust_marks_issuers
claim,
and the Setting Up a Federation section.¶
-16¶
-15¶
signed_jwks_uri
,
which had been lost somewhere along the road.¶
-14¶
client authentication
in connection
with automatic client registration is now changed to be
request authentication
.¶
essential
is absent.¶
-13¶
/.well-known/openid-federation
.¶
-12¶
-11¶
-10¶
-09¶
-08¶
sub_is_leaf
entity statement
since it was redundant.¶
client_registration_type
RP registration
metadata value
and client_registration_types_supported
OP
metadata value.¶
openid_discovery
metadata type
identifier
since its purpose is already served by
openid_provider
.¶
sub_is_leaf
to
is_leaf
in the Entity Listings Request operation parameters.¶
crit
and
policy_language_crit
,
enabling control over which entity statement and policy language
extensions
MUST be understood and processed.¶
openid_client
to
openid_relying_party
.¶
oauth_service
to
oauth_authorization_server
.¶
implicit
registration to
automatic
registration
to avoid naming confusion with the implicit grant type.¶
op
to
operation
to avoid naming confusion with the use of "OP" as an acronym for
"OpenID Provider".¶
url
to
uri
in several identifiers.¶
-07¶
-06¶
-05¶
-04¶