-
assigned issue to
Vladimir Dzhuvinov
[Federation] Processing of explicit registration requests with a trust chain
Issue #1957
resolved
In OpenID authentication requests with automatic client registration the inclusion of a Trust Chain (trust_chain) is entirely optional. The RP may include it and the OP is not required to process it (i.e. the OP may simply ignore it).
In explicit client registration requests the Trust Chain is again optional, however this is somewhat ambiguous for OPs. For RPs the spec says that a Trust Chain may be submitted instead of an Entity Configuration. For OPs we have this:
https://openid.net/specs/openid-connect-federation-1_0.html#section-10.2.1.2.1
If the request contains a Trust Chain, the OP MAY evaluate the statements in the Trust Chain to make its Federation Entity Discovery procedure more efficient, especially if the RP shows more than a single authority hint in its Entity Configuration.
My proposal is to add the sentence:
“If the OP chooses not to utilize the Entity Statements in the Trust Chain it MUST extract the RP Entity Configuration and proceed as if only the Entity Configuration was received”.
Comments (3)
-
-
reporter
- changed status to open
-
- changed status to resolved
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Federation
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 1
