Trust Negotiation Request and Response

Issue #1384 resolved
Giuseppe De Marco created an issue

As defined here, an entity MAY use the trust negotiation operation to fetch resolved metadata about itself as seen/trusted by a remote peer.

I wish to extend the release of resolved metadata also for members who do not represent the subject of the requested metadata.

Trust negotiation would be a useful metadata (and trust) resolution service optionally provided within a federation by one or more intermediaries or trust anchors.

Comments (13)

  1. Roland Hedberg

    The text says “An entity MAY use the trust negotiation operation to fetch resolved metadata about itself as seen/trusted by a remote peer.”

    But in fact there is nothing that prevents anyone from asking for the resolved metadata about an entity disregarding who the consumer would be.

    So, I would say that this is already supported and that the text is just one example on when this could be used, not the only one.

  2. Giuseppe De Marco reporter

    Can we consider improving the text for better readability, so that it disambiguates questions and doubts similar to those expounded in my issue?

  3. Michael Jones
    • changed status to open

    As discussed on the 10-Jan-22 call, we're in favor of the clarifications proposed but not the change to return metadata not about the subject. Currently, it's clear what the metadata returned is about. If we also returned metadata about other subjects, this would introduce ambiguities and potential duplications that otherwise could not occur.

  4. Giuseppe De Marco reporter

    Can we suggest adding another endpoint to have this feature?

    An RP can fetch consolidated metadata related to an OP (and vice versa) from a trusted member (intermediary or trust anchor) that builds the trust chain for the requested subject.

    All the members in an OIDC federation must support the dynamic trust chain method and endpoints; this endpoint would be entirely optional and for debugging purposes.

  5. Giuseppe De Marco reporter

    In the Trust Negotiation Response we have a “metadata statement” and this doesn’t contain trust marks.
    I suggest instead having an entity statement with trust marks inside.

  6. Giuseppe De Marco reporter

    Regarding having trust marks in the Trust Negotiation Response:

    Solution A

    Following https://bitbucket.org/openid/connect/issues/1384/trust-negotiation, we could move the trust_marks claim inside the metadata object.

    In this way we’ll have trust marks even in trust negotiation responses:

    {
      "iss": "https://rp.example.it/spid",
      "sub": "https://rp.example.it/spid",
      "iat": 1516239022,
      "exp": 1516298022,
      "metadata": {
        "openid_relying_party": {
          "application_type": "web",
          "trust_marks": [
            {
              "id": "https://www.spid.gov.it/certification/rp",
              "trust_mark": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRGRTFjMFF4UzBFdFFrWmxNRXR3ZWxOQlExSjRaVmxGTlhWUU1IcEZYelZ1Y0V4c1FuZzRlbXMxYXcifQ.eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vcnAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJtYXJrIjoiaHR0cHM6Ly93d3cuYWdpZC5nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0cHM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWNuaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9.r2SZDNlYvPAuCq8HnGSkCF17gvexEz_UhqPHfX0js5bjz_n_3QAbr8IVE6_5Um9grYfcc1YUwUGs_-s-_AN8uMsS6P3fL0zpjoEMIOMmkCMsn8F68zisNZ2SEJN_JEIp_FmG5Yf0ONHq9bCtc32fvCSo0daEGTQdMMCEfNSoIZNTMxsB8-bA4hVn9dkNYzGTvg7FHiHOP-_fEyFDlJr1AzgepIwRiApViRVVqX920GY624nHHbEXqv3xleX7mSE6uXSGqRMlVz6XFXLmceJsYvcaC0haC-JfOn2GR7D3C07Lt4TlBUVMM0f2DvZcC1CqWlxoXr3WxzdGD_CxGkYTIg"
            }
          ],
          ...
        }
      }
    }

    Solution B

    Following some comments pointed out by Roland, we could also consider having a JSON object with two entries, trust marks and metadata, like this:

    200 OK
    Last-Modified: Wed, 22 Jul 2018 19:15:56 GMT
    Content-Type: application/json

    {
      "trust_marks": [
        {
          "id": "https://www.spid.gov.it/certification/rp",
          "trust_mark": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRGRTFjMFF4UzBFdFFrWmxNRXR3ZWxOQlExSjRaVmxGTlhWUU1IcEZYelZ1Y0V4c1FuZzRlbXMxYXcifQ.eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vcnAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJtYXJrIjoiaHR0cHM6Ly93d3cuYWdpZC5nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0cHM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWNuaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9.r2SZDNlYvPAuCq8HnGSkCF17gvexEz_UhqPHfX0js5bjz_n_3QAbr8IVE6_5Um9grYfcc1YUwUGs_-s-_AN8uMsS6P3fL0zpjoEMIOMmkCMsn8F68zisNZ2SEJN_JEIp_FmG5Yf0ONHq9bCtc32fvCSo0daEGTQdMMCEfNSoIZNTMxsB8-bA4hVn9dkNYzGTvg7FHiHOP-_fEyFDlJr1AzgepIwRiApViRVVqX920GY624nHHbEXqv3xleX7mSE6uXSGqRMlVz6XFXLmceJsYvcaC0haC-JfOn2GR7D3C07Lt4TlBUVMM0f2DvZcC1CqWlxoXr3WxzdGD_CxGkYTIg"
        }
      ],
      "metadata": {
        "organization_name": "University of Umea",
        "contacts": [
          "legal@umu.se",
          "technical@umu.se"
        ],
        "logo_uri": "https://www.umu.se/SRWStatic/img/umu-logo-left-neg-SE.svg",
        "op_policy_uri": "https://www.umu.se/en/about-the-website/legal-information/",
        "authorization_endpoint": "https://idp.umu.se/openid/authorization",
        "token_endpoint": "https://idp.umu.se/openid/token",
        "response_types_supported": [
          "code",
          "code id_token",
          "token"
        ],
        "grant_types_supported": [
          "authorization_code",
          "implicit",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ],
        "subject_types_supported": [
          "pairwise"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "issuer": "https://idp.umu.se/openid",
        "jwks_uri": "https://idp.umu.se/openid/jwks_uri.json"
      }
    }

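As an added example (not code from this issue or from the OpenID Federation specification), the Python below accepts a trust negotiation response in either layout proposed in comment 6 and runs the consistency checks a consumer would want before signature verification: the wrapper `id` must equal the mark's `id` claim, and the mark's `sub` must equal the subject being resolved (in Solution B the body carries no `sub`, so the expected subject comes from the request). The trust mark, its `kid`, and both response bodies are constructed sample data.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

# Constructed sample trust mark (header.payload.signature); the signature segment is a
# placeholder, so nothing below may treat this mark as verified.
MARK_CLAIMS = {"iss": "https://www.agid.gov.it", "sub": "https://rp.example.it/spid",
               "iat": 1579621160, "id": "https://www.spid.gov.it/certification/rp"}
SAMPLE_MARK = ".".join([_b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
                        _b64url(json.dumps(MARK_CLAIMS).encode()), "placeholder-signature"])

def unverified_claims(jws: str) -> dict:
    """Payload of a compact JWS decoded WITHOUT signature verification: for consistency
    checks that run before, never instead of, the signature check."""
    _header, payload, _signature = jws.split(".")
    return json.loads(_b64url_decode(payload))

def extract_trust_marks(response: dict) -> list:
    """Solution B: top-level "trust_marks" beside "metadata";
    Solution A: lists nested under metadata.<entity_type>.trust_marks."""
    if "trust_marks" in response:
        return list(response["trust_marks"])
    marks = []
    for entity_metadata in response.get("metadata", {}).values():
        if isinstance(entity_metadata, dict):  # Solution B metadata holds plain values
            marks.extend(entity_metadata.get("trust_marks", []))
    return marks

def check_trust_marks(response: dict, expected_sub: str) -> dict:
    """Map each trust mark id to True when the mark's payload agrees with its wrapper
    (same "id") and with the subject being resolved (same "sub"), else False."""
    results = {}
    for entry in extract_trust_marks(response):
        claims = unverified_claims(entry["trust_mark"])
        results[entry["id"]] = (claims.get("id") == entry["id"]
                                and claims.get("sub") == expected_sub)
    return results

# Constructed responses in the two layouts proposed in the comment above.
RESPONSE_A = {"iss": "https://rp.example.it/spid", "sub": "https://rp.example.it/spid",
              "metadata": {"openid_relying_party": {"application_type": "web",
                  "trust_marks": [{"id": "https://www.spid.gov.it/certification/rp",
                                   "trust_mark": SAMPLE_MARK}]}}}
RESPONSE_B = {"trust_marks": RESPONSE_A["metadata"]["openid_relying_party"]["trust_marks"],
              "metadata": {"application_type": "web"}}
```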