OP metadata should indicate if empty arrays are okay or not
In https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID3.html#name-op-metadata some entries contain ‘This array must have at least one member.’ and some contain ‘This array may have zero or more members.’, but e.g. electronic_records does not, and I presume falls into the ‘at least one member’ case, as do the other arrays that don’t explicitly refer to the allowed number of elements.
Comments (8)
reporter A further twist I just noticed is that https://datatracker.ietf.org/doc/html/rfc8414#section-3.2 says:
Claims that return multiple values are represented as JSON arrays. Claims with zero elements MUST be omitted from the response.
So I’m not entirely sure that a zero element array is permitted.
-
The OIDCD spec says the same: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
Claims that return multiple values are represented as JSON arrays. Claims with zero elements MUST be omitted from the response.
-
reporter So here’s a summary of what’s in id3 that I think needs changing:
- evidence_supported says ‘REQUIRED’ and ‘zero or more entries’, but as per rfc8414-3.2 empty arrays aren’t permitted, so this should be ‘optional’ and ‘1 or more members’.
- documents_supported says 'REQUIRED when evidence_supported contains "document" or "id_document"' - I believe it should explicitly say '1 or more members'.
- documents_methods_supported says ‘OPTIONAL'. Should probably explicitly say ‘if present, must contain 1 or more members’.
- documents_validation_methods_supported - same as documents_methods_supported.
- documents_verification_methods_supported - same as documents_methods_supported.
- electronic_records_supported says ‘REQUIRED when evidence_supported contains electronic_record’. I believe it should say ‘if present, must contain 1 or more members’.
- claims_in_verified_claims_supported says ‘REQUIRED’. I believe it should say ‘must contain 1 or more members’.
- attachments_supported is a bit confusing currently - it says ‘REQUIRED when OP supports external attachments’ but I think ‘external’ wasn’t intended to be included there. I think it could be “OPTIONAL. If the OP supports attachments, it must include this with at least 1 member. Valid members are ‘external’ and ‘embedded’.”
- digest_algorithms_supported is probably okay, though for consistency with other members (and the upstream standard, where REQUIRED is never indicated as a conditional), as it’s optional I think it should be tagged as optional.
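As an added illustration of the rules discussed in this thread (not code from the spec or any OP implementation), the following Python check validates an OP metadata document against the "empty arrays must be omitted" rule from RFC 8414 section 3.2 and the conditional requirements the reporter lists; the mapping of evidence_supported values to required arrays and the sample metadata are constructed from the issue text, not taken from the spec.

```python
"""Validate identity-assurance OP metadata arrays (constructed example)."""

# Arrays whose presence depends on values in evidence_supported.
# Assumption drawn from this issue's summary, not a spec excerpt.
CONDITIONAL_ARRAYS = {
    "documents_supported": {"document", "id_document"},
    "electronic_records_supported": {"electronic_record"},
}
# Other identity-assurance metadata arrays named in the thread.
OTHER_ARRAYS = (
    "evidence_supported",
    "documents_methods_supported",
    "documents_validation_methods_supported",
    "documents_verification_methods_supported",
    "claims_in_verified_claims_supported",
    "attachments_supported",
    "digest_algorithms_supported",
)


def check_op_metadata(metadata: dict) -> list:
    """Return a list of findings; an empty list means the metadata passes."""
    findings = []
    # RFC 8414 3.2 / OIDC Discovery: multi-valued claims are JSON arrays,
    # and a claim with zero elements MUST be omitted from the response.
    for name in OTHER_ARRAYS + tuple(CONDITIONAL_ARRAYS):
        if name in metadata:
            value = metadata[name]
            if not isinstance(value, list):
                findings.append(f"{name}: must be a JSON array")
            elif len(value) == 0:
                findings.append(f"{name}: empty array must be omitted (RFC 8414 3.2)")
    raw = metadata.get("evidence_supported")
    evidence = set(raw) if isinstance(raw, list) else set()
    for name, triggers in CONDITIONAL_ARRAYS.items():
        hit = evidence & triggers
        if hit and name not in metadata:
            findings.append(f"{name}: required when evidence_supported contains {sorted(hit)}")
    # attachments_supported: the thread names 'external' and 'embedded' as valid members.
    for member in metadata.get("attachments_supported") or []:
        if member not in ("external", "embedded"):
            findings.append(f"attachments_supported: unknown member {member!r}")
    return findings


# Constructed sample metadata, not from any real OP.
BAD_METADATA = {
    "issuer": "https://op.example",
    "evidence_supported": ["document", "electronic_record"],
    "documents_supported": [],  # present but empty: must be omitted instead
    "attachments_supported": ["external", "inline"],  # 'inline' is not a valid member
}
GOOD_METADATA = {
    "issuer": "https://op.example",
    "evidence_supported": ["document"],
    "documents_supported": ["idcard", "passport"],
    "attachments_supported": ["embedded"],
}
```

Running check_op_metadata on BAD_METADATA reports the empty documents_supported array, the missing electronic_records_supported array, and the unknown attachment member.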
-
addressed in PR #103
-
- changed status to resolved
Resolved in PR #103
A related question, is it valid to have electronic_records when evidence_supported does not contain electronic_record?