[Federation] Metadata policy: The space-separated list of strings exception should apply only to the "scope" oauth_client metadata parameter

Issue #2135 resolved
Vladimir Dzhuvinov created an issue

This is a proposal to narrow the scope of the “treat space-separated list of strings as JSON array” exception to apply only to the scope OAuth client metadata parameter in RFC 7591 and not be generally applicable. Declaring this exception to be generally applicable to metadata values can have unintended consequences, when processing metadata parameters for which a Federation library doesn’t have knowledge of the underlying parameter syntax, and may end up breaking the principle of deterministic operation of metadata_policy. I think we learned the lesson of the scope encoding in metadata and should discourage that in the new Federation spec.

https://openid.bitbucket.io/connect/openid-federation-1_0.html#section-6.1.1-9

Note that when a metadata parameter is defined as a space-separated list of strings, like scope in [RFC7591], the subset_of, superset_of and default operator values are still expressed as lists of strings. This language from [RFC6749] also applies to metadata parameters for which values can be expressed as space-separated lists of strings: "If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope."
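The narrowed rule, as an added example in Python that is not part of the issue text, the spec, or any Federation library: a small metadata_policy evaluator that decodes the space-separated form only for the scope parameter, applies subset_of, superset_of and default on lists, re-encodes scope as a space-separated string, and refuses to split any other string-valued parameter rather than guessing its syntax. The operator semantics used (subset_of intersects, a failed superset_of or one_of rejects, add unions, default fills an absent value), the apply_policy and PolicyError names, and the sample inputs (policy_uri, response_types, grant_types values) are assumptions constructed for this illustration.

```python
"""Metadata policy application with the space-separated-list exception
confined to the "scope" parameter (added example, not spec or library code)."""

# Assumed operator semantics for this illustration (simplified):
#   value       -> replace the parameter value
#   add         -> union of an array value with the listed values
#   default     -> set the value only when the parameter is absent
#   essential   -> reject if the parameter is absent after the above
#   one_of      -> value must be one of the listed values, else reject
#   subset_of   -> array value is intersected with the listed values
#   superset_of -> array value must contain all listed values, else reject

# The only parameter whose string value is known to be a space-separated list.
# Deliberately NOT a generic "any string with spaces" rule.
SPACE_SEPARATED_LIST_PARAMS = {"scope"}


class PolicyError(ValueError):
    """Raised when the policy cannot be applied deterministically."""


def _decode(name, value):
    """Return the value as a list for array operators.

    Only "scope" is allowed to arrive as a space-separated string; any other
    string hitting an array operator is an error, not something to split.
    """
    if isinstance(value, list):
        return list(value)
    if name in SPACE_SEPARATED_LIST_PARAMS and isinstance(value, str):
        # RFC 6749: order of scope tokens does not matter; split on whitespace.
        return value.split()
    raise PolicyError(f"{name}: array operator applied to non-array value {value!r}")


def _encode(name, values):
    """Serialise a list back to wire form: space-separated string for scope."""
    if name in SPACE_SEPARATED_LIST_PARAMS:
        return " ".join(values)
    return values


def apply_policy(metadata, policy):
    """Apply a metadata_policy dict to a metadata dict and return the result."""
    out = dict(metadata)
    for name, ops in policy.items():
        if "value" in ops:
            out[name] = ops["value"]
        if "add" in ops:
            current = _decode(name, out.get(name, []))
            for v in ops["add"]:
                if v not in current:
                    current.append(v)
            out[name] = _encode(name, current)
        if "default" in ops and name not in out:
            default = ops["default"]
            out[name] = _encode(name, default) if isinstance(default, list) else default
        if name not in out:
            if ops.get("essential"):
                raise PolicyError(f"{name}: essential parameter is missing")
            continue
        if "one_of" in ops and out[name] not in ops["one_of"]:
            raise PolicyError(f"{name}: {out[name]!r} is not one of {ops['one_of']!r}")
        if "subset_of" in ops:
            current = _decode(name, out[name])
            # Keep the original token order; only membership is constrained.
            out[name] = _encode(name, [v for v in current if v in ops["subset_of"]])
        if "superset_of" in ops:
            current = _decode(name, out[name])
            missing = [v for v in ops["superset_of"] if v not in current]
            if missing:
                raise PolicyError(f"{name}: missing required values {missing!r}")
    return out


def same_scope(a, b):
    """Compare two scope strings as unordered token sets (RFC 6749 semantics)."""
    return set(a.split()) == set(b.split())


if __name__ == "__main__":
    # Constructed sample: scope is narrowed by intersection and re-encoded.
    print(apply_policy({"scope": "openid profile email address"},
                       {"scope": {"subset_of": ["openid", "email", "profile"]}}))
    # Constructed sample: a plain string parameter is NOT split on spaces.
    try:
        apply_policy({"policy_uri": "https://rp.example.com/policy"},
                     {"policy_uri": {"subset_of": ["https://rp.example.com/policy"]}})
    except PolicyError as e:
        print("rejected:", e)
```

The point of the policy_uri case is the one the issue raises: a library that does not know a parameter's syntax must not reinterpret a string as a list just because the value happens to contain spaces, or the outcome of metadata_policy evaluation would depend on which library resolved it.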

Comments (6)

  1. Roland Hedberg

    The OIDC/OAuth2 way of serialising lists of strings as one string with spaces in between the strings is just so wrong.

    But set in stone at this point.

  2. Michael Jones

    I agree with restricting this to “scope”. We can make it clear that this is a special case for that only.
