Flattening metadata claims in multiple languages

Issue #1041 closed
Andreas Åkre Solberg created an issue

An entity may craft language tags for human-readable Claim Values and Claim Values, that will be bypassed when a superior entity attempts to override the claims. Unless a mechanism is defined to avoid this as part of the metadata flattening process, this becomes a security issue.

In OpenID Connect Core 5.2, it says:

| Human-readable Claim Values and Claim Values that reference human-readable values MAY be represented in multiple languages and scripts.

http://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts

Comments (9)

  1. Roland Hedberg

    I'm not sure I understand the problem and what you want to happen.

    If we use these claims as example:

    • website
    • website#no
    • website#no-nyn
    • website#no-bok

    Should they be regarded as separate distinct claims such that if a superior specified website then that would not prevent a subordinate from using website#no ?

    And what about the other way around, what if the superior used website#no would a subordinate be able to use website ?

  2. Andreas Åkre Solberg reporter

    It would be very unfortunate if it was not possible to restrict the human readable claims from being overridden. As long as these claims are considered separate, it is very difficult to restrict these claims from being overridden.

    I don't have any ideas of how we can achieve this, any ideas?

  3. Roland Hedberg

    I guess we should use something like what's described in RFC5646 about truncation of language tags.

    If we used that, then website without language tag by a superior would override website#no, website#no-nyn and website#no-bok by a subordinate.

    Website#no by a superior would override website#no-nyn and website#no-bok provided by a subordinate.

    But at the same time if a superior specified website#no a subordinate should not be allowed to add website.

    Something to ponder about.

  4. Roland Hedberg

    This basically leads to the rule that if a superior has used claims with or without language tag then a subordinate can only use the same set of claims.

    Example:

    If a superior has used website then the subordinate can not use website with a language tag.

    If a superior has used website#no then the subordinate can only use website#no.

    If a superior has used website#no-bok then the subordinate can only use website#no-bok.

    If a superior has used website and website#no then a subordinate can use both.

  5. Andreas Åkre Solberg reporter

    I like this. However, since the superior will override the values of the subordinate, it would in practice mean that:

    As long as the superior has used at least one version of website, all versions of website provided by subordinate will be ignored or overridden.

    And I'm fine with that. How this affects other data types than strings, I don't know. Needs to be defined.

  6. Roland Hedberg

    My proposal is that a claim with a language tag will be treated as separate from the same claim without a language tag.

    website != website#no

    Which means that if the same claim name +/- language tag combination is defined by a superior and a subordinate, then the normal less or equal comparison rules should be applied to the values of that combination.
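The two flattening rules proposed in this thread (comment 4's "same set of claims" rule and comment 6's "website != website#no" rule) behave differently on exactly the case the issue is about. The following is an added example written for this page, not code from the thread or from the OpenID Federation draft: it parses the `name#language-tag` form from OpenID Connect Core 5.2 and flattens a constructed superior and subordinate statement under each rule. The "less or equal" comparison rules for values mentioned in comment 6 are not defined on the page, so the example assumes the superior's value simply wins whenever both define the same key; the entity names and URLs are constructed.

```python
"""Added example: two candidate rules for flattening language-tagged claims
between a superior and a subordinate entity statement.

Claim names follow OpenID Connect Core 5.2: a base name, optionally followed
by '#' and a language tag, e.g. "website#no-bok". Where both parties define
the same key, the superior's value wins (assumption; the thread's "less or
equal" comparison rules are not spelled out here).
"""
from typing import Dict, List, Tuple

Claims = Dict[str, object]


def split_claim(name: str) -> Tuple[str, Tuple[str, ...]]:
    """'website#no-bok' -> ('website', ('no', 'bok')); an untagged name
    yields an empty subtag tuple."""
    base, sep, tag = name.partition("#")
    return base, (tuple(tag.split("-")) if sep else ())


def flatten_same_set(superior: Claims, subordinate: Claims) -> Tuple[Claims, List[str], List[str]]:
    """Rule from comment 4: once the superior has used a claim in any form
    (with or without a language tag), the subordinate may only use the exact
    name+tag combinations the superior used.

    Returns (flattened, overridden, rejected):
      overridden - subordinate keys the superior also set; the superior's
                   value replaces them (comment 5);
      rejected   - subordinate variants of a base name the superior used but
                   with a name+tag combination the superior did not set.
    """
    superior_bases = {split_claim(k)[0] for k in superior}
    flattened: Claims = dict(superior)
    overridden: List[str] = []
    rejected: List[str] = []
    for name, value in subordinate.items():
        base, _ = split_claim(name)
        if name in superior:
            overridden.append(name)
        elif base in superior_bases:
            rejected.append(name)
        else:
            flattened[name] = value
    return flattened, overridden, rejected


def flatten_distinct(superior: Claims, subordinate: Claims) -> Claims:
    """Rule from comment 6: 'website' != 'website#no'. Every name+tag
    combination is an independent key, so only an exact key match is
    compared (and here overridden by the superior); a tagged variant the
    superior never mentioned passes through untouched."""
    flattened: Claims = dict(subordinate)
    flattened.update(superior)
    return flattened


# Constructed sample statements (not from the page). The subordinate adds a
# Norwegian-tagged variant that the superior did not mention.
SUPERIOR: Claims = {"website": "https://superior.example/"}
SUBORDINATE: Claims = {
    "website": "https://subordinate.example/",
    "website#no": "https://subordinate.example/no/",
    "contacts": ["ops@subordinate.example"],
}

if __name__ == "__main__":
    flat, overridden, rejected = flatten_same_set(SUPERIOR, SUBORDINATE)
    print("same-set rule:", flat, "overridden:", overridden, "rejected:", rejected)
    print("distinct rule:", flatten_distinct(SUPERIOR, SUBORDINATE))
```

Run stand-alone, the same-set rule drops the subordinate's `website#no` as a rejected variant, while the distinct rule keeps it alongside the superior's `website`, which is the bypass described in the issue text and the trade-off comment 7 records the draft as having settled.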

  7. Roland Hedberg

    It's noted in the draft that claim names without language tags are different from claim names with language tags.
