OpenID Connect Federation 1.0: enforce equality of json array in MetadataPolicy

Issue #417 open
Pasquale Barbaro created an issue

In RP metadata (section 4.2 of https://openid.net/specs/openid-connect-federation-1_0.html) the parameter client_registration_types is required and must be an array of strings.
In this array, for the Italian implementation of OIDC Federation there must only be the value “automatic”. Is there a way to do this check in MetadataPolicy.apply?
Current operators subset_of and superset_of are not able to enforce that client_registration_types must be a JSON array of exactly one string equal to “automatic”.

Comments (10)

  1. Vladimir Dzhuvinov

    The value operator should do this trick, even though it isn’t a check.

    value

    Disregarding what value the parameter has, if any, the metadata parameter MUST be set to the specified value.

  2. Vladimir Dzhuvinov

    Roland Hedberg, who devised the policy language in the OIDC Federation spec, suggested adding an equals check to the policy checks for this purpose.

  3. Pasquale Barbaro reporter

    Would this new “equals” operator check for exact equality (e.g. check if it is a list, object, or a primitive and verify it matches a specific value)?
    Thanks for your replies, we await news.

  4. Yavor Vasilev

    Pasquale, hi!

    The policy engine was updated to the latest draft 29.

    The JUnit tests showed that a combination of subset_of + superset_of where the policies are configured identically cannot work as a reliable set “equals” check:

    https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/37edf2568c952f68f9936645f871e7b18e4e3e63/src/test/java/com/nimbusds/openid/connect/sdk/federation/policy/MetadataPolicyEntryTest.java#lines-76

    This appears to be a specification bug, and a ticket will be filed there.

  5. Pasquale Barbaro reporter

    Hi @Yavor Vasilev !
    Yeah, I already knew that.
    Since the subset_of definition is a value modifier more than a check, a combination of it and superset_of cannot be a check.
    We can think of a simple example:

    policy:
    {
          subset_of = [a, b, c]
          superset_of = [a, b, c]
    }
    
    input:
          [a, b, c, d, e, f, g]
    
    output:
          [a, b, c]
    

    So it is more like a force equality than check equality…

  6. Pasquale Barbaro reporter

    @Vladimir Dzhuvinov Maybe we could add a note below the sentence, like this:

    A "set equals" value check can be expressed by combining a subset_of and a superset_of with identical string list values.
    Note: if a superset of the one specified in the policy is provided, it is still accepted and the output will be equal to the one specified in the policy, since the subset_of restricts the input set to the specified one.

    I cannot find a clearer way to say this, because it’s a particular case. Maybe an example like the one written in my previous answer could be helpful.
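The following is an added illustration of the point made in comments 5 and 6; it is not code from the Nimbus SDK, from the issue's participants, or from the specification. It models the three operators as the thread describes them (subset_of as an intersection modifier, superset_of as a presence check, value as a forced assignment) and adds the hypothetical strict "equals" check proposed in comment 2. The operator application order (value, then subset_of, then superset_of, then equals) and the helper names are assumptions of this example, not the spec's normative order.

```python
"""Toy model of OIDC Federation metadata policy operators (added example, not SDK code).

Shows why subset_of + superset_of with identical lists behaves as a
"force to this set" rather than an equality check, and what a strict
'equals' operator (hypothetical, proposed in this thread) would reject.
"""
from typing import Any, Optional, Tuple


class PolicyViolation(Exception):
    """Raised when a check-type operator rejects the metadata value."""


def apply_policy(policy: dict, metadata_value: Optional[list]) -> Optional[list]:
    """Apply one policy entry to one array-valued metadata parameter.

    Order assumed here (an assumption of this example): value, subset_of,
    superset_of, then the hypothetical 'equals' check.
    """
    result = metadata_value

    # 'value': regardless of what the parameter held, it becomes the policy value.
    if "value" in policy:
        result = list(policy["value"])

    # 'subset_of' is a modifier, not a check: keep only elements that appear in
    # the policy list. Extra elements are silently dropped, never rejected.
    if "subset_of" in policy and result is not None:
        allowed = policy["subset_of"]
        result = [v for v in result if v in allowed]

    # 'superset_of' is a check: every element of the policy list must be present.
    if "superset_of" in policy:
        present = set(result or [])
        missing = [r for r in policy["superset_of"] if r not in present]
        if missing:
            raise PolicyViolation(f"missing required values: {missing}")

    # Hypothetical 'equals' (proposed in the thread, not in the spec):
    # exact comparison of the whole JSON value, including length and order.
    if "equals" in policy and result != policy["equals"]:
        raise PolicyViolation(f"value {result!r} is not exactly {policy['equals']!r}")

    return result


def outcome(policy: dict, metadata_value: Optional[list]) -> Tuple[bool, Optional[list]]:
    """Return (accepted, resulting value); on a violation return (False, None)."""
    try:
        return True, apply_policy(policy, metadata_value)
    except PolicyViolation:
        return False, None


# Comment 5's example: identical subset_of and superset_of lists.
SET_EQUALS_ABC = {"subset_of": ["a", "b", "c"], "superset_of": ["a", "b", "c"]}

# The issue's case (constructed policies for client_registration_types).
CLIENT_REG_SET_POLICY = {"subset_of": ["automatic"], "superset_of": ["automatic"]}
CLIENT_REG_VALUE_POLICY = {"value": ["automatic"]}
CLIENT_REG_EQUALS_POLICY = {"equals": ["automatic"]}  # hypothetical operator


if __name__ == "__main__":
    # Superset input is narrowed to [a, b, c] and accepted: a forced equality.
    print(outcome(SET_EQUALS_ABC, ["a", "b", "c", "d", "e", "f", "g"]))
    # Subset input fails the superset_of check: the only case that is rejected.
    print(outcome(SET_EQUALS_ABC, ["a", "b"]))
    # Same behaviour for client_registration_types: "explicit" is dropped, not rejected.
    print(outcome(CLIENT_REG_SET_POLICY, ["automatic", "explicit"]))
    # 'value' overwrites whatever the RP sent.
    print(outcome(CLIENT_REG_VALUE_POLICY, ["explicit"]))
    # Only the hypothetical 'equals' rejects the extra element outright.
    print(outcome(CLIENT_REG_EQUALS_POLICY, ["automatic", "explicit"]))
```

Running the script reproduces the thread's observation: the subset_of/superset_of pair accepts any input that contains the policy set and rewrites it to that set, rejects only inputs missing an element, and the `value` operator forces the array without checking anything; only a strict equality operator would turn an over-long client_registration_types array into a policy violation.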
