[Federation] 5.1.5. Applying Policies: Specify concrete order for all policy operators under pt. 5

Section 5.1.5. Applying Policies specifies the order in which the policy operators must be applied to a metadata parameter.

Point #5 currently does not put the subset_of and superset_of in a concrete place in this order of applying policy operators. This is crucial to make sure policies behave consistently and implementations interop.

The OIDC Federation policy language works by first modifying (shaping) a selected metadata parameter, and then checking the compliance of the resulting value. Following this, the subset_of (which can behave as a value modifier), should be applied before a superset_of.

Section 5.1.8. Extending the Policy Language could also say that the specification of a custom operator must include its position relative to the general order defined in 5.1.5.

Comments (4)