- edited description
- changed title to [Federation] Expand definition of the "essential" policy operator to express optionality
[Federation] Expand definition of the "essential" policy operator to express optionality
Issue #1753
resolved
To express federation policies like:
- If the RP metadata specifies encrypted ID tokens, the allowed “alg” and “enc” values are such and such.
- If the RP metadata specifies encrypted UserInfo, the allowed “alg” and “enc” values are such and such.
Example:
"id_token_signed_response_alg": {
"default": "RS256",
"subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
},
"id_token_encrypted_response_alg": {
"essential": false,
"subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
},
"id_token_encrypted_response_enc": {
"essential": false,
"subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
},
"userinfo_signed_response_alg": {
"subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
},
"userinfo_encrypted_response_alg": {
"essential": false,
"subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
},
"userinfo_encrypted_response_enc": {
"essential": false,
"subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
}
Comments (7)
-
reporter
-
i really don’t understand why you are putting these in the standard. They will all likely be deprecated within a year. In general with OIDF standards a list of crypto algs seems like a bad idea since they cannot be updated.
-
reporter
i really don’t understand why you are putting these in the standard. They will all likely be deprecated within a year. In general with OIDF standards a list of crypto algs seems like a bad idea since they cannot be updated.
What gives you reason for this?
-
i couldn’t find the original issue. This is the report it was based on. https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
in summary - the current rsa and ec algs could be deprecated any day. They will no longer be supported in 2035 in gov’t transactions.
-
reporter
I posted this ticket to make it possible to define policies “if metadata X is present then it must be subset_of / one_of / superset_of”.
The particular userinfo algorithms were meant to be an example. The OIDC Federation spec is not concerned with the underlying crypto algorithms in OIDC.
-
reporter
- changed status to open
Addressed here: https://bitbucket.org/openid/connect/pull-requests/390
-
- changed status to resolved
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- Federation
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 1
Roland suggested to use the existing
essentialinstead of trying to introduce new operators.