OpenID Connect Federation 1.0: Align the sdk to the draft 27 for the metadata policy combination of essential=false and one_of
Hello, we have the need for some claims to be validated with the one_of operator but at the same time not having them mandatory, so we thought to use the combination of essential=false and one_of like this:
{
  "claim": {
    "essential": false,
    "one_of": [
      "value1",
      "value2",
      "value3"
    ]
  }
}
But this combination was only added in draft 27 of the specs: https://openid.net/specs/openid-connect-federation-1_0-27.html (section 5.1.2), and it’s not handled in the current version of the SDK (10.9.1).
Could you please tell when approximately there will be an update to align SDK to the specs?
- changed status to open
reporter @Vladimir Dzhuvinov thanks for approving my issue.
FYI I’ve opened an issue on openid Bitbucket regarding subset_of and essential combination: https://bitbucket.org/openid/connect/issues/1955/federation-policy-language-disambiguation
-
- changed status to resolved
Done here: 37edf2568c952f68f9936645f871e7b18e4e3e63
-
reporter @Yavor Vasilev Thanks for notifying me. I’ve tried your new version and I think I found a bug:
As you can see in the screenshot, I used a policy with subset_of and essential=true, and as the input metadata, I provided an empty list. Since essential is true, the intersection between the subset_of list and the metadata list must be computed, and in case it results in an empty list, it should return an error (that's why I expect an exception), as explained in section 5.1.2 of the specs for the subset_of operator:
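The two policy combinations discussed in this thread (one_of with essential=false, and subset_of with essential=true over an empty input list), as an added example that is not part of the thread or of the Nimbus SDK. The operator semantics follow the draft 27 reading given in the posts above; dropping a non-essential parameter whose subset_of intersection is empty is an assumption of this example, not something the thread states.

```python
class PolicyViolation(Exception):
    """Raised when the metadata cannot satisfy the policy."""


MISSING = object()  # sentinel: parameter absent from the entity metadata


def apply_policy(policy: dict, value=MISSING):
    """Apply one metadata parameter's policy to its current value.

    Returns the resulting value, or MISSING when the parameter ends up
    absent (acceptable only when the policy is not essential).
    """
    essential = bool(policy.get("essential", False))

    # Value-setting operators come first.
    if "value" in policy:
        value = policy["value"]
    if value is MISSING and "default" in policy:
        value = policy["default"]
    if "add" in policy:
        current = [] if value is MISSING else list(value)
        value = current + [v for v in policy["add"] if v not in current]

    # subset_of: result is the intersection of the metadata list and the
    # operator list. An empty result is an error when essential=true
    # (the case reported above); otherwise the parameter is dropped
    # (assumption of this example).
    if "subset_of" in policy and value is not MISSING:
        value = [v for v in value if v in policy["subset_of"]]
        if not value:
            if essential:
                raise PolicyViolation("subset_of intersection is empty")
            value = MISSING

    # one_of: a present value must be one of the listed values. An absent
    # value is fine with essential=false (the draft 27 combination).
    if "one_of" in policy and value is not MISSING:
        if value not in policy["one_of"]:
            raise PolicyViolation(f"{value!r} not in {policy['one_of']}")

    if essential and value is MISSING:
        raise PolicyViolation("essential parameter is missing")
    return value


def violates(policy: dict, value=MISSING) -> bool:
    """True if applying the policy raises PolicyViolation."""
    try:
        apply_policy(policy, value)
    except PolicyViolation:
        return True
    return False
```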
-
Thanks for the bug report.
It was fixed here and will appear shortly as 10.10.1: c761649f6066656ed6ac19c51bd39687330a8f40
Today I’m having a bad day, but there’s still work to be done :)
-
reporter Thanks for your prompt fix.
I’ll try it and I’ll let you know.
-
reporter @Yavor Vasilev I’ve just tried your fix and I can confirm it works fine.
Thank you
Hi Pasquale,
This issue right now is not critical for us, but nevertheless we decided to go over the policy tickets to allow other adoptions to proceed.