OpenID Connect Federation 1.0: Align the sdk to the draft 27 for the metadata policy combination of essential=false and one_of

Issue #425 resolved
Pasquale Barbaro created an issue

Hello, we have the need for some claims to be validated with the one_of operator but at the same time not having them mandatory, so we thought to use the combination of essential=false and one_of like this:

{
    "claim" : {
        "essential": false,
        "one_of": [
            "value1",
            "value2",
            "value3"
        ]
    }
}

But this combination was only added in draft 27 of the specs: https://openid.net/specs/openid-connect-federation-1_0-27.html (section 5.1.2), and it’s not handled in the current version of the SDK (10.9.1).

Could you please tell us approximately when there will be an update to align the SDK to the specs?

Comments (8)

  1. Vladimir Dzhuvinov

    Hi Pasquale,

    This issue right now is not critical for us, but nevertheless we decided to go over the policy tickets to allow other adoptions to proceed.

  2. Pasquale Barbaro reporter

    @Yavor Vasilev Thanks for notifying me. I’ve tried your new version and I think I found a bug:

    As you can see in the screenshot, I used a policy with subset_of and essential=true, and as the input metadata, I provided an empty list. Since the essential is true, the intersection between the subset_of list and the metadata list must be computed, and in case it results in an empty list, it should return an error (that's why I expect an exception), as explained in section 5.1.2 of the specs for the subset_of operator:

  3. Pasquale Barbaro reporter

    @Yavor Vasilev I’ve just tried your fix and I can confirm it works fine.
    Thank you
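
The two cases discussed in this thread (an optional parameter constrained by one_of, and an essential parameter whose subset_of intersection comes out empty), as an added Python sketch that is not the SDK's code or API. All names and sample policies are constructed for illustration, and dropping a non-essential parameter whose intersection is empty is an assumption of the sketch.

```python
class PolicyViolation(Exception):
    """Raised when metadata does not satisfy the policy (fail closed)."""


def apply_policy(policy, metadata):
    """Apply essential / one_of / subset_of to each parameter and return
    the resulting metadata; raise PolicyViolation on any failed check."""
    result = dict(metadata)
    for name, ops in policy.items():
        essential = ops.get("essential", False)  # optional unless stated
        if name not in result:
            if essential:
                raise PolicyViolation(f"{name}: essential parameter is missing")
            continue  # optional and absent: value checks do not apply
        value = result[name]
        if "one_of" in ops and value not in ops["one_of"]:
            raise PolicyViolation(f"{name}: {value!r} not in {ops['one_of']}")
        if "subset_of" in ops:
            kept = [v for v in value if v in ops["subset_of"]]
            if kept:
                result[name] = kept  # only the permitted values survive
            elif essential:
                raise PolicyViolation(f"{name}: empty intersection, essential")
            else:
                del result[name]  # assumption of this sketch: drop it
    return result


def violates(policy, metadata):
    """Return True when applying the policy raises PolicyViolation."""
    try:
        apply_policy(policy, metadata)
    except PolicyViolation:
        return True
    return False


# Constructed sample policies mirroring the two cases in the thread.
ONE_OF_OPTIONAL = {
    "claim": {"essential": False, "one_of": ["value1", "value2", "value3"]}
}
SUBSET_ESSENTIAL = {
    "scopes": {"essential": True, "subset_of": ["openid", "email"]}
}

if __name__ == "__main__":
    print(apply_policy(ONE_OF_OPTIONAL, {}))            # absent is accepted
    print(violates(ONE_OF_OPTIONAL, {"claim": "x"}))    # present but not listed
    print(violates(SUBSET_ESSENTIAL, {"scopes": []}))   # empty list, essential
```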
