Federation: Explicit definition of entity identifier

Issue #1154 resolved
Vladimir Dzhuvinov created an issue

It occurred to me that the Federation spec is missing a clear explicit definition of what an “entity identifier” is.

In the definition of “Entity” we find out that “All entities in an OpenID Connect federation MUST have a globally unique identifier” https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.1.2

In section 5 we find out that by appending `/.well-known/openid-federation` to it a config HTTP request can be made, which implies it should be a URL https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5

My suggestion is to add an “Entity identifier” to the Terminology section spelling out that it must be a URI which is globally unique. “Entity identifier” appears 28 times in the spec, so this would make sense to me.
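As an added example (not code from the issue, the reporter, or the spec editors): a small Python check that treats an entity identifier as a URL and derives the federation configuration URL by appending `/.well-known/openid-federation`, as section 5 describes. The concrete rules enforced here (https scheme only, a host must be present, no userinfo, no query or fragment, trailing slash normalised away) are assumptions of this example, not something the thread establishes; the sample identifiers, including a bare UUID of the kind mentioned later in the thread, are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Well-known path from section 5 of the spec, appended to the entity identifier.
WELL_KNOWN_SUFFIX = "/.well-known/openid-federation"


def validate_entity_id(entity_id: str) -> str:
    """Check that entity_id is usable as a federation entity identifier.

    Assumed rules (this example's own, not the thread's): https scheme,
    a host, no userinfo, no query, no fragment. Returns a normalised
    form without a trailing slash so the well-known suffix can be
    appended safely.
    """
    parts = urlsplit(entity_id)
    if parts.scheme != "https":
        raise ValueError(f"entity identifier must be an https URL: {entity_id!r}")
    if not parts.hostname:
        raise ValueError(f"entity identifier has no host: {entity_id!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"entity identifier must not carry userinfo: {entity_id!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"entity identifier must not have query/fragment: {entity_id!r}")
    # Strip a trailing slash so we never produce "//.well-known/...".
    path = parts.path.rstrip("/")
    return urlunsplit(("https", parts.netloc, path, "", ""))


def federation_config_url(entity_id: str) -> str:
    """Derive the entity configuration URL from a validated entity identifier."""
    return validate_entity_id(entity_id) + WELL_KNOWN_SUFFIX


if __name__ == "__main__":
    # Constructed sample identifiers.
    for candidate in (
        "https://op.example.com",
        "https://example.com/tenant/",
        "http://op.example.com",
        "c8af23ba-995a-46d6-920f-5669fa04ec8b",
    ):
        try:
            print(candidate, "->", federation_config_url(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

A bare UUID is rejected because it has no scheme or host, which is exactly the point of the issue: without a URI-shaped identifier there is nothing to append the well-known path to.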

Comments (7)

  1. Tom Jones

    It’s not clear to me that the URI is the best sort of entity identifier. We are working through exactly that problem in healthcare right now, and I have heard problems in UK OBIE that lead me to believe we need to leave this definition open for further discussion.

    In general I would say that mappings between the real world and web/DNS world are wobbly right now. There must be some better solution.

  2. Vladimir Dzhuvinov reporter

    What issues did you get in healthcare?

    URIs have some nice properties. They are standard, widely understood and map naturally to the web / DNS world. Having a URI as entity ID also makes it easy to get its metadata to resolve endpoints, etc.

    An alternative editorial suggestion: the nature of the entity identifiers can also be specified in the existing section for the “Entity” definition.

  3. Tom Jones

    It doesn’t map that well to the real world. Great for programmers, I know that. Until it fails to work when there is one enterprise, but multiple brands.

  4. Vladimir Dzhuvinov reporter

    I see what you mean. In many ways domain names have already become pretty much a “real world” thing in people’s minds, consider google.com vs c8af23ba-995a-46d6-920f-5669fa04ec8b for example. Is that the issue, that domain names (in URLs) are nowadays closely associated with brands or have de facto become brands?

  5. Roland Hedberg

    @tomcjones can you suggest an alternative definition of what an “Entity identifier” should be?

    If it’s not a URI there MUST be a mapping function/service that maps every “entity identifier” to a unique URI.
