From 1759ab02b5087c2d6d313f8e0c960c9140f24b18 Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Sat, 30 Nov 2024 12:24:13 -0800 Subject: [PATCH 1/3] Allow multiple Trust Anchor values in resolve requests --- openid-federation-1_0.xml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index cb9c35b..e225268 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -4145,11 +4145,18 @@ Content-Type: application/json REQUIRED. The Entity Identifier of the Entity whose resolved data is requested. - + REQUIRED. The Trust Anchor that the resolve endpoint MUST use when resolving the metadata. The value is an Entity identifier. + + The anchor request parameter + MAY occur multiple times, in which case, + the resolver may return a successful resolve response + using any one of the Trust Anchor values provided + and the trust_chain claim + MUST be included in the resolve response JWT. @@ -9976,6 +9983,9 @@ Host: op.umu.se -41 + + Fixed #130: Allow multiple Trust Anchor values to be passed in resolve requests. + Fixed #136: Defined additional error codes and rationalized naming. Renamed trust_chain_validation_failed From 3a318713f4a7e0871211b438a19aac3758138711 Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Sat, 30 Nov 2024 13:03:54 -0800 Subject: [PATCH 2/3] Require trust_chain claim in resolve response --- openid-federation-1_0.xml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index e225268..35bf8e5 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml 
@@ -4153,10 +4153,8 @@ Content-Type: application/json The anchor request parameter MAY occur multiple times, in which case, - the resolver may return a successful resolve response - using any one of the Trust Anchor values provided - and the trust_chain claim - MUST be included in the resolve response JWT. + the resolver MAY return a successful resolve response + using any one of the Trust Anchor values provided. @@ -4217,7 +4215,7 @@ Host: openid.sunet.se with its value being the Key ID of the signing key used. - The resolve response JWT MAY return the Trust Chain + The resolve response JWT MUST return the Trust Chain from the subject to the Trust Anchor in its trust_chain parameter, sorted as shown in . @@ -4286,6 +4284,13 @@ Host: openid.sunet.se and expressed in the metadata format defined in . + + + REQUIRED. Array containing the sequence of Entity Statements + that compose the Trust Chain, starting with the subject and + ending with the selected Trust Anchor, + sorted as shown in . + OPTIONAL. Array of objects, each representing a Trust Mark, @@ -4294,14 +4299,6 @@ Host: openid.sunet.se issuers trusted by the Trust Anchor to issue such Trust Marks MAY appear in the resolver response. - - - OPTIONAL. Array containing the sequence of Entity Statements - that compose - the Trust Chain, starting with the subject and - ending with the selected Trust Anchor, - sorted as shown in . - @@ -9985,6 +9982,7 @@ Host: op.umu.se Fixed #130: Allow multiple Trust Anchor values to be passed in resolve requests. + Require trust_chain claim in resolve response. Fixed #136: Defined additional error codes and rationalized naming. From e262dc6fc4c5a30476623cd59fb2d6761d321272 Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Wed, 18 Dec 2024 15:33:54 -0800 Subject: [PATCH 3/3] Apply Roland's suggestion --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 99c0655..35809b1 100644 
--- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -4166,7 +4166,7 @@ Content-Type: application/json The trust_anchor request parameter MAY occur multiple times, in which case, the resolver MAY return a successful resolve response - using any one of the Trust Anchor values provided. + using any of the Trust Anchor values provided.
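Review bot: in the paragraph added by the hunk at @@ -4145 of PATCH 1/3, the normative verb is lowercase ("the resolver may return") while the same sentence uses MUST for the trust_chain claim; RFC 2119 keywords should be capitalized consistently (PATCH 2/3 later changes it to MAY, so the fix belongs in this commit). The parameter is also referred to as "anchor" here, whereas the context line in PATCH 3/3 calls it the trust_anchor request parameter; use the defined parameter name. Since a requester that sends several Trust Anchor values cannot tell which one the resolver chose except from the trust_chain claim, consider stating the requester's obligation explicitly: it checks that the returned chain ends with one of the Trust Anchors it supplied and rejects the response otherwise.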
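Review bot: the "MUST return the Trust Chain" wording in the hunk at @@ -4217 of PATCH 2/3 and the REQUIRED trust_chain definition moved in at @@ -4286 agree with each other, but the claim text still says "ending with the selected Trust Anchor" in the singular without saying who selects it. With multiple anchors now permitted in the request, spell out that this is the anchor the resolver picked from the values supplied in the request, so implementers do not read it as any anchor the resolver happens to be configured with. The removal at @@ -4294 of the OPTIONAL definition leaves the claim documented once, which is correct.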
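Review bot: the changelog line "Require trust_chain claim in resolve response." added in the hunk at @@ -9985 of PATCH 2/3 carries no issue reference, while the neighbouring entries are prefixed "Fixed #130" and "Fixed #136". If this change tracks an issue, prefix it the same way; otherwise fold it into the #130 entry, since requiring trust_chain is the consequence of allowing multiple Trust Anchor values.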
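Review bot: changing "any one of" to "any of" in the hunk at @@ -4166 of PATCH 3/3 drops the statement that exactly one of the supplied anchors is used, and read together with the trust_chain claim ("ending with the selected Trust Anchor") it leaves open whether a response must identify a single anchor. If the intent is only to remove the redundant "one", consider keeping a clause that ties the choice to the trust_chain claim, for example "using any of the Trust Anchor values provided; the trust_chain claim identifies the one used". Separately, this patch's base blob (index 99c0655) is not the output of PATCH 2/3 (35bf8e5) and the hunk has moved from line 4153 to 4166, so the series as posted is not contiguous; rebase or include the intermediate commits.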