Clarify that a null value is distinct from being omitted
We should use language parallel to this from Core 5.3.2:
"If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value."
Comments (8)
-
reporter -
reporter - changed status to open
-
reporter We talked about this on the 22-Sep-23 Federation Editors' call. It seems that the impetus behind this discussion was a statement by @Vladimir Dzhuvinov that
The objective is to define a policy that removes a metadata parameter (by setting it to null).
We agreed that if we need this capability, we should add an explicit operator that does this - not to do it by assigning a special meaning to the value null. It's a separate question whether we need a delete_value operator or something along those lines. Is there a concrete use case for it?
-
This is incorrect. The impetus was my discovery how trivial it is to bypass
default
andessential
policies whennull
is treated as a value and the underlying metadata parser treatsnull
values as no parameter.How to create an attack that bypasses these operators:
- The Trust Chain includes policy operators
default
and / oressential
for the metadata parameter. - The Entity Configuration sets a metadata parameter with a
null
value. - Assuming the
null
is treated as a distinct value, the Trust Chain validation will leave thenull
parameter as it is. - The Trust Chain thus validates successfully.
- The metadata JSON object is taken and passed to say an RP metadata parser that treats no metadata parameter and parameter a with
null
identically, i.e. it doesn’t produce aninvalid_metadata
error. - The RP gets registered with metadata that has violated the policy.
The JSON RFC 8259 defines
null
as a value. Quite a number of JSON parser implementations however don’t make this distinction.https://www.rfc-editor.org/rfc/rfc8259#section-3
For instance, in Java JSON objects can be represented as a java.util.Map object, and developers would then often use a simple Map.get call to check if the JSON member is present and has a value. The
get
method returnsnull
in both cases - parameter omitted and parameter withnull
value. The proper way to do this is to use thecontainsKey
method ofMap
, however this doesn’t seem to be used much in practise.My proposal is to specify that
default
andessential
treat anull
in the same way as a missing metadata parameter.Unless we have a good use case for
null
valued metadata parameters? Do we have such a use case?To clarify, I don’t have a use case for metadata parameter deletion and this proposal is not to facilitate deletion policies (even though it will have this effect when
null
is treated the same as no parameter). - The Trust Chain includes policy operators
-
reporter By describing the attack when
the underlying metadata parser treats
null
values as no parameterI believe you just strengthened the case to not treat
null
values as no parameter.
-
reporter Oops, I just saw that https://www.rfc-editor.org/rfc/rfc7592#section-2.2 says this:
Valid values of client metadata fields in this request MUST replace, not augment, the values previously associated with this client. Omitted fields MUST be treated as null or empty values by the server, indicating the client's request to delete them from the client's registration. The authorization server MAY ignore any null or empty value in the request just as any other value.
Filip’s response got me to look there. (So it wasn’t DCR itself that assigned a value to
null
- I looked there for it. It was DCR Management.)I’ve come to the conclusion, after all the discussion and evidence of likely implementation problems in Java and Python, that we need to follow suit. I’ll create a PR.
-
Thank you for discovering this. I never thought about looking there
-
reporter - changed status to resolved
- Log in to comment
We discussed this on the 21-Sep-23 working group call. People agreed that
null
is a potential value that is not the same as omitting a value.