[Federation] Federation Entity Discovery definition

Comments (10)

1. 

   Giuseppe De Marco

   See https://bitbucket.org/openid/connect/pull-requests/671

   • 2024-02-16T17:05:26+00:00
2. 

   Michael Jones

   • changed status to open

   Removing Leaf is something that we will do when we address https://bitbucket.org/openid/connect/issues/2082/federation-remove-requirement-for-trust .

   • 2024-02-16T17:06:01+00:00
3. 

   Michael Jones

   • removed milestone

   • 2024-02-16T18:27:36+00:00
4. 

   Nat Sakimura

   It was asked on the Feb 27 call what is the motivating use cases.

   It was pointed out that the definition of the leaf is wrong and changed to something like “no subordinates for the current transaction”.

   • 2024-02-26T23:55:45+00:00
5. 

   Vladimir Dzhuvinov reporter

   In the current draft we actually have several of locations that use the term “Leaf Entity” in the context of a Trust Chain. A suitable and “more” correct way to say this is “the Entity that is the subject of the Trust Chain”, or simply “the Trust Chain subject”.

   For example:

   A max_path_length constraint of zero indicates that no Intermediates MAY appear between this Entity and the Leaf Entity

   →

   A max_path_length constraint of zero indicates that no Intermediates MAY appear between this Entity and the Entity that is the subject of the Trust Chain

   ‌

   • 2024-03-12T17:59:12+00:00
6. 

   Michael Jones

   We could choose to go this route, but if we do, we should still include language in the general descriptions saying that a Leaf Entity is typically the subject of the Trust Chain, in order to set people’s expectations appropriately.

   Separately, what are the use cases for building a trust chain to an Intermediate Entity? Unless we have evidence that it’s useful and needed, the spec would be simpler if we don’t talk about the possibility. Without such evidence, I remain to be convinced of the need for a change.

   • 2024-03-12T20:12:29+00:00
7. 

   Vladimir Dzhuvinov reporter

   There are two cases that argue for this:

   1. The most common is likely to be orgs that are Intermediates choosing to run their OpenID provider (or servers in general) on their “main” domain. I believe this will become a common pattern, because of the obvious convenience to combine an OP + INT in the same server.
   2. If you need to use the federation endpoint (say resolve endpoint) at some Intermediate Entity, and before you use it you want to check its trust_chain.

   This change is going to be rather low impact. I checked the individual instances where this term comes up and we’ll need the edits in only 9 of these places.

   • 2024-03-12T20:40:54+00:00
8. 

   Michael Jones

   So 1 is about an Intermediate that also plays a non-Federation Entity role, such as being an OpenID OP or RP. I agree that that could occur.

   And 2 is about deciding whether to trust a Federation service offered by an Intermediate node, correct?

   If we’re going to add this to the spec, we should describe these possibilities motivate the possibility, rather than leaving people wondering “Why would I do that?”. ;-) It might even merit its own subsection titled something like “Trust Chains from non-Leaf Entities”.

   • 2024-03-12T21:02:16+00:00
9. 

   Giuseppe De Marco

   • assigned issue to
     
     Michael Jones

   • 2024-03-22T16:13:41+00:00
10. 

    Michael Jones

    • changed status to resolved

    Fixed by https://bitbucket.org/openid/connect/pull-requests/729

    • 2024-05-01T19:59:00+00:00
11. Log in to comment