As far as I can see, the following Federation hierarchy is allowed by the specification:
       TA_____
      /  \    \
    Im1  Im2   OP
      \  /
      Im3
       |
       RP
Furthermore, the specification seems to allow for Im1 and Im2 to define conflicting metadata policies for, say, the openid_relying_party entity type.
For example, Im1 may require token_endpoint_auth_method to be private_key_jwt (i.e., using the value operator). Likewise, Im2 requires the token_endpoint_auth_method to be self_signed_tls_client_auth.
For example, how would RP register at OP in this case (Section 12.2)?
Side note: Whether or not RP accepts this registration (see Section 12.2.2.2 No. 4) now depends on which of the two possible Trust Chains RP uses when checking compliance of the registered metadata with the policy.
Intuitively, the outcome of the compliance check should be deterministic (i.e., disregarding transient issues, an honest OP's registration should always be acceptable to an honest RP).
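As an added illustration of the issue above (this is example code, not part of the issue, the specification, or any Federation implementation), the following toy model resolves the RP's metadata along the two trust chains TA -> Im1 -> Im3 and TA -> Im2 -> Im3 and models the Section 12.2 registration check. It implements simplified semantics for only four policy operators (`value`, `add`, `default`, `one_of`); the policy contents, the RP metadata and the function names are all constructed for the example. It shows that each chain on its own resolves fine, that the two chains resolve `token_endpoint_auth_method` to different values, that Im1's and Im2's policies cannot be combined into one, and that the RP's acceptance therefore depends on which chain each side picked.

```python
"""Toy model of OpenID Federation metadata-policy merging and application.

Added example, not code from the issue or from any implementation.  Only the
operators value, add, default and one_of are modelled, with simplified
semantics; all entity policies and metadata below are constructed.
"""


class PolicyConflict(Exception):
    """Two policies on the same trust chain cannot be combined."""


class PolicyViolation(Exception):
    """Metadata does not satisfy the resolved policy."""


def merge_policy(superior, subordinate):
    """Combine a superior's policy with its subordinate's for one entity type.

    The chain is merged top-down, so the superior's operators are already in
    place when the subordinate's are added; incompatible operators are an error.
    """
    merged = {param: dict(ops) for param, ops in superior.items()}
    for param, ops in subordinate.items():
        target = merged.setdefault(param, {})
        for op, val in ops.items():
            if op not in target:
                target[op] = val
            elif op in ("value", "default"):
                # Both levels fix the parameter: they must agree.
                if target[op] != val:
                    raise PolicyConflict(f"{param}.{op}: {target[op]!r} vs {val!r}")
            elif op == "one_of":
                # Allowed sets narrow down the chain; an empty set is unusable.
                target[op] = [v for v in target[op] if v in val]
                if not target[op]:
                    raise PolicyConflict(f"{param}.one_of: empty intersection")
            elif op == "add":
                target[op] = target[op] + [v for v in val if v not in target[op]]
    return merged


def apply_policy(policy, metadata):
    """Apply a resolved policy to an entity's metadata and check the result.

    Modifying operators (value, add, default) run first, then the one_of check.
    """
    out = dict(metadata)
    for param, ops in policy.items():
        if "value" in ops:
            out[param] = ops["value"]
        if "add" in ops:
            current = list(out.get(param, []))
            out[param] = current + [v for v in ops["add"] if v not in current]
        if "default" in ops and param not in out:
            out[param] = ops["default"]
        if "one_of" in ops and param in out and out[param] not in ops["one_of"]:
            raise PolicyViolation(f"{param}={out[param]!r} not in {ops['one_of']!r}")
    return out


def resolve_policy(chain):
    """chain: policies ordered from the Trust Anchor down to the RP's superior."""
    merged = {}
    for entity_policy in chain:
        merged = merge_policy(merged, entity_policy)
    return merged


def resolved_metadata(chain, metadata):
    return apply_policy(resolve_policy(chain), metadata)


def is_compliant(chain, metadata):
    """Metadata is compliant when applying the chain's policy leaves it unchanged."""
    try:
        return apply_policy(resolve_policy(chain), metadata) == metadata
    except PolicyViolation:
        return False


def registration_outcome(op_chain, rp_chain, rp_metadata):
    """Model the Section 12.2 flow: the OP resolves the RP's metadata through the
    chain it selected; the RP then checks the registered result against the chain
    it selected.  Returns (registered_metadata, rp_accepts)."""
    registered = resolved_metadata(op_chain, rp_metadata)
    return registered, is_compliant(rp_chain, registered)


# Constructed policies for the hierarchy in the issue (openid_relying_party type).
TA_POLICY = {"token_endpoint_auth_method": {
    "one_of": ["private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"]}}
IM1_POLICY = {"token_endpoint_auth_method": {"value": "private_key_jwt"}}
IM2_POLICY = {"token_endpoint_auth_method": {"value": "self_signed_tls_client_auth"}}
IM3_POLICY = {}  # Im3 imposes nothing of its own in this example.

CHAIN_VIA_IM1 = [TA_POLICY, IM1_POLICY, IM3_POLICY]
CHAIN_VIA_IM2 = [TA_POLICY, IM2_POLICY, IM3_POLICY]

# Constructed RP metadata (hypothetical redirect URI).
RP_METADATA = {
    "redirect_uris": ["https://rp.example/cb"],
    "token_endpoint_auth_method": "private_key_jwt",
}

if __name__ == "__main__":
    for op_chain, rp_chain, label in [
        (CHAIN_VIA_IM1, CHAIN_VIA_IM1, "OP via Im1, RP via Im1"),
        (CHAIN_VIA_IM1, CHAIN_VIA_IM2, "OP via Im1, RP via Im2"),
    ]:
        registered, accepted = registration_outcome(op_chain, rp_chain, RP_METADATA)
        print(label, "->", registered["token_endpoint_auth_method"], "accepted:", accepted)
    try:
        merge_policy(IM1_POLICY, IM2_POLICY)
    except PolicyConflict as exc:
        print("Im1 and Im2 cannot be merged:", exc)
```

Running the module prints one accepted and one rejected registration for the same honest OP and RP, which is the non-determinism the issue describes; the final line shows that the conflict surfaces only if someone tries to combine Im1's and Im2's policies, which never happens when each chain is resolved separately.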