OpenID Connect Federation 1.0: Update policy engine to support one_of operator combined with essential=false

Issue #413 duplicate
Pasquale Barbaro created an issue

Currently, if there is a metadata policy entry for a claim which has both "one_of" : [value1, ..., valueN] and "essential" : false, AND you don't provide any value for the claim, validation fails (see code below).

// Imports added for completeness; they assume JUnit 5, json-smart (net.minidev)
// and the Connect2id oauth2-oidc-sdk federation policy classes.
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;

import java.util.List;
import java.util.Map;

import org.junit.jupiter.api.Test;
import net.minidev.json.JSONObject;
import com.nimbusds.openid.connect.sdk.federation.policy.MetadataPolicy;

@Test
void essentialFalseCombinedWithOneOfShouldNotThrowException() {

    // Policy for "claim1": optional (essential=false), but if present it must be one of val1..val3
    var metadataPolicyMap = Map.of(
            "claim1", Map.of(
                        "essential", false,
                        "one_of", List.of("val1", "val2", "val3")
                    )
            );

    var metadataPolicy = new JSONObject(metadataPolicyMap);
    // Metadata that does not carry "claim1" at all
    var emptyMetadata = new JSONObject();

    // Expected: no exception, since the claim is optional and absent
    assertDoesNotThrow(() -> MetadataPolicy.parse(metadataPolicy).apply(emptyMetadata));
}

Is that a desired behavior?

In our implementation we have a case in which we would like to check that
id_token_encrypted_response_alg is optional (and thus having "essential" : false) but if present it should be a value from a specific list (thus having at the same time "one_of" : [value1, ..., valueN]).
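The behaviour the report asks for, modelled as a small stand-alone policy evaluator. This is an added example, not code from the SDK or from the issue author: it implements only the "one_of" and "essential" operators, the claim name mirrors the report, and the candidate algorithm list is a constructed sample. An absent optional claim passes, an absent essential claim is a violation, and a present claim is only checked against "one_of".

```python
from typing import Any, Mapping


class PolicyViolation(Exception):
    """Raised when entity metadata does not satisfy a metadata policy."""


def apply_claim_policy(name: str, policy: Mapping[str, Any], metadata: Mapping[str, Any]) -> Any:
    """Evaluate the "essential" and "one_of" operators for one claim.

    Returns the claim's value, or None when the claim is absent and optional.
    "one_of" is treated as applying to single-valued claims, as in the report.
    """
    essential = bool(policy.get("essential", False))
    one_of = policy.get("one_of")

    if name not in metadata:
        if essential:
            raise PolicyViolation(f"{name}: required by essential=true but missing")
        # Optional claim that is not present: nothing to validate against one_of.
        return None

    value = metadata[name]
    if one_of is not None and value not in one_of:
        raise PolicyViolation(f"{name}: {value!r} is not in one_of {list(one_of)!r}")
    return value


def apply_policy(policy: Mapping[str, Mapping[str, Any]], metadata: Mapping[str, Any]) -> dict:
    """Apply a per-claim policy map to metadata; raises PolicyViolation on failure."""
    result = dict(metadata)
    for name, claim_policy in policy.items():
        value = apply_claim_policy(name, claim_policy, metadata)
        if value is not None:
            result[name] = value
    return result


def is_compliant(policy: Mapping[str, Mapping[str, Any]], metadata: Mapping[str, Any]) -> bool:
    """Convenience wrapper: True if the metadata satisfies the policy."""
    try:
        apply_policy(policy, metadata)
        return True
    except PolicyViolation:
        return False


# Constructed sample policy: the claim is optional, but if present it must be
# one of these JWE "alg" identifiers (sample list, not taken from the issue).
OPTIONAL_ONE_OF_POLICY = {
    "id_token_encrypted_response_alg": {
        "essential": False,
        "one_of": ["RSA-OAEP-256", "ECDH-ES"],
    }
}

# Same list, but the claim is mandatory.
ESSENTIAL_ONE_OF_POLICY = {
    "id_token_encrypted_response_alg": {
        "essential": True,
        "one_of": ["RSA-OAEP-256", "ECDH-ES"],
    }
}

if __name__ == "__main__":
    print(is_compliant(OPTIONAL_ONE_OF_POLICY, {}))                                             # True
    print(is_compliant(OPTIONAL_ONE_OF_POLICY, {"id_token_encrypted_response_alg": "ECDH-ES"}))  # True
    print(is_compliant(OPTIONAL_ONE_OF_POLICY, {"id_token_encrypted_response_alg": "A128KW"}))   # False
    print(is_compliant(ESSENTIAL_ONE_OF_POLICY, {}))                                            # False
```

The four cases at the bottom are the ones a unit test for the combination would need to cover: the report's failing case is the first one (optional, absent), which should pass rather than throw.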

Comments (3)

  1. Yavor Vasilev

    This combination is not implemented because it is something that will appear in the future draft 27.

    We are also not sure yet how to implement this without breaking the current policy engine.