Merge branch 'main' into iss-35-metadata-policy-json-interop
selfissued authored Dec 18, 2024
2 parents e8153ec + e83739c commit 29c1273
Showing 1 changed file with 95 additions and 103 deletions.
198 changes: 95 additions & 103 deletions openid-federation-1_0.xml
@@ -87,7 +87,7 @@
</address>
</author>

<date day="10" month="December" year="2024"/>
<date day="18" month="December" year="2024"/>

<workgroup>OpenID Connect Working Group</workgroup>

@@ -659,10 +659,10 @@
contained in the Trust Mark JWT.

<list style="hanging">
<t hangText="id">
<t hangText="trust_mark_id">
The Trust Mark identifier.
It MUST be the same value as the
<spanx style="verb">id</spanx>
<spanx style="verb">trust_mark_id</spanx>
claim contained in the
Trust Mark JWT.
</t>
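Review bot: this renames a wire-format member of the trust_marks array, so Entity Configurations published under earlier drafts carry `id` where validators now look for `trust_mark_id`, and nothing in the hunk says what a consumer does when it finds only the legacy member (reject the entry, or treat the identifier as absent). Add a sentence here, or in the changelog, so implementations agree on the failure mode during the transition instead of each picking its own.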
@@ -3254,12 +3254,15 @@
Trust Marks.
</t>
<t>
Trust Mark JWTs MUST be explicitly typed by setting the
<spanx style="verb">typ</spanx> header parameter to
<spanx style="verb">trust-mark+jwt</spanx> to prevent
Trust Mark JWTs MUST be explicitly typed by using the
<spanx style="verb">typ</spanx> header parameter to prevent
cross-JWT confusion, per Section 3.11 of <xref target="RFC8725"/>.
The <spanx style="verb">typ</spanx> header parameter value MUST be
<spanx style="verb">trust-mark+jwt</spanx>
unless the trust framework in use defines a more specific
media type value for the particular kind of Trust Mark.
Trust Marks without a <spanx style="verb">typ</spanx> header parameter
or with a different <spanx style="verb">typ</spanx> value MUST be rejected.
or an unrecognized <spanx style="verb">typ</spanx> value MUST be rejected.
</t>
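Review bot: the rejection rule at the end of the paragraph is weaker than the one it replaces: "an unrecognized typ value MUST be rejected" accepts any typ an implementation happens to recognize, including other types this document defines such as trust-mark-delegation+jwt, which is exactly the cross-JWT confusion the RFC 8725 Section 3.11 reference is meant to rule out. Tie acceptance to the trust framework rather than to recognition, for example: "Trust Marks without a typ header parameter, or with a typ value other than trust-mark+jwt or a more specific value defined for that kind of Trust Mark by the trust framework in use, MUST be rejected."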

<section title="Trust Mark Claims" anchor="trust_mark_claims">
@@ -3276,11 +3279,11 @@
<vspace/>
REQUIRED. String. Entity this Trust Mark applies to.
</t>
<t hangText="id">
<t hangText="trust_mark_id">
<vspace/>
REQUIRED.
The <spanx style="verb">id</spanx> (identifier) claim
defined in <xref target="idClaim"/> is used in Trust Marks
The <spanx style="verb">trust_mark_id</spanx> (identifier) claim
defined in <xref target="trust_mark_claims"/> is used in Trust Marks
to provide the identifier of the Trust Mark.
The Trust Mark identifier
MUST be collision-resistant
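Review bot: the xref in this definition now points at trust_mark_claims, which is the anchor of the very section this text sits in (see the section opening at the end of the previous hunk), so the sentence reads "the trust_mark_id claim defined in [this section] is used in Trust Marks". With the standalone id claim section removed there is nothing left to point at; drop the "defined in <xref .../>" clause and define the claim here in the same form as its neighbours, e.g. "REQUIRED. String. The identifier of the Trust Mark. The Trust Mark identifier MUST be collision-resistant ...".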
@@ -3398,7 +3401,7 @@
<vspace/>
REQUIRED. String. The Entity this delegation applies to.
</t>
<t hangText="id">
<t hangText="trust_mark_id">
<vspace/>
REQUIRED. String. The identifier of the Trust Mark.
</t>
@@ -3520,22 +3523,22 @@
"exp": 1516298022,
"trust_marks": [
{
"id": "https://www.spid.gov.it/certification/rp",
"trust_mark_id": "https://www.spid.gov.it/certification/rp",
"trust_mark":
"eyJraWQiOiJmdWtDdUtTS3hwWWJjN09lZUk3Ynlya3N5a0E1bDhPb2RFSXVyOH
JoNFlBIiwidHlwIjoidHJ1c3QtbWFyaytqd3QiLCJhbGciOiJSUzI1NiJ9.eyJ
pc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vc
nAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHB
zOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJsb2dvX3Vya
SI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9
sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvZG9jcy9zc
GlkLWNpZS1vaWRjLWRvY3MvaXQvdmVyc2lvbmUtY29ycmVudGUvIn0.AGf5Y4M
oJt22rznH4i7Wqpb2EF2LzE6BFEkTzY1dCBMCK-8P_vj4Boz7335pUF45XXr2j
x5_waDRgDoS5vOO-wfc0NWb4Zb_T1RCwcryrzV0z3jJICePMPM_1hZnBZjTNQd
4EsFNvKmUo_teR2yzAZjguR2Rid30O5PO8kJtGaXDmz-rWaHbmfLhlNGJnqcp9
Lo1bhkU_4Cjpn2bdX7RN0JyfHVY5IJXwdxUMENxZd-VtA5QYiw7kPExT53XcJO
89ebe_ik4D0dl-vINwYhrIz2RPnqgA1OdbK7jg0vm8Tb3aemRLG7oLntHwqLO-
gGYr6evM2_SgqwA0lQ9mB9yhw"
"eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoia29
zR20yd3VaaDlER21OeEF0a3VPNDBwUGpwTDMtakNmMU4tcVBPLVllVSJ9.eyJpc
3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vcnAu
ZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJ0cnVzdF9tYXJrX2l
kIjoiaHR0cHM6Ly93d3cuc3BpZC5nb3YuaXQvY2VydGlmaWNhdGlvbi9ycCIsIm
xvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5nb3YuaXQvdGhlbWVzL2N1c3Rvb
S9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0cHM6Ly9kb2NzLml0YWxpYS5pdC9k
b2NzL3NwaWQtY2llLW9pZGMtZG9jcy9pdC92ZXJzaW9uZS1jb3JyZW50ZS8ifQ.
L_pSh1InEiFAcs3E-1HBM7fNZYwF5ru3UGA_8yc80dGS3sszfA_sbj4AoW_zAJW
QBdZpjxnHBBmybYXFrfZBcqxcedsrvUYrmbt1nPYxbUE54fRRoZK-sJmVqh1GzS
an5nOmkxuAtMinU8k_-aWnPWj83sYe2AzT2mMgkXiz8zhda3jZm8hoxZ4jR6B0Y
AvbMlq2pPWO5OWKdZhiFRMSprwh0GYluQkK0j1aLNMGXD3keMJd2zEoWX9D7w2f
XShAA48W3cNhuXyBVnCoum1K4IWK3s_fx4nIkp6W-V4jCBOpxp7Yo8LZ30o_xpE
OzGTIECGWVR86azOAlwVC8XSiAA"
}
],
"metadata": {
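Review bot: the replacement JWT decodes to a header of {"typ":"trust-mark+jwt","alg":"RS256","kid":"kosGm2wuZh9DGmNxAtkuO40pPjpL3-jCf1N-qPO-YeU"} and a payload with iss https://www.agid.gov.it, sub https://rp.example.it/spid, iat 1579621160 and trust_mark_id equal to the enclosing entry's trust_mark_id, which is what the rename needs. The same kid, however, is also the one shown in the delegation JWT header at 3735, whose decoded payload has iss https://tm_owner.example.org, so two different example issuers appear to share one signing key; distinct example keys per issuer would avoid suggesting that.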
@@ -3563,7 +3566,7 @@
</name>
<artwork><![CDATA[
{
"id":"https://mushrooms.federation.example.com/openid_relying_party/public/",
"trust_mark_id":"https://mushrooms.federation.example.com/openid_relying_party/public/",
"iss": "https://epigeo.tm-issuer.example.it",
"sub": "https://porcino.example.com/rp",
"iat": 1579621160,
@@ -3588,7 +3591,7 @@
</name>
<artwork><![CDATA[
{
"id":"https://mushrooms.federation.example.com/openid_relying_party/private/under-age",
"trust_mark_id":"https://mushrooms.federation.example.com/openid_relying_party/private/under-age",
"iss": "https://trustissuer.pinarolo.example.it",
"sub": "https://vavuso.example.com/rp",
"iat": 1579621160,
@@ -3610,7 +3613,7 @@
</name>
<artwork><![CDATA[
{
"id": "https://mushrooms.federation.example.com/arrosto/agreements",
"trust_mark_id": "https://mushrooms.federation.example.com/arrosto/agreements",
"iss": "https://agaricaceae.example.it",
"sub": "https://coppolino.example.com",
"iat": 1579621160,
@@ -3636,7 +3639,7 @@
</name>
<artwork><![CDATA[
{
"id": "https://mushrooms.federation.example.com/ottimo/commestibile",
"trust_mark_id": "https://mushrooms.federation.example.com/ottimo/commestibile",
"iss": "https://cantharellus.cibarius.example.org",
"sub": "https://gallinaccio.example.com/op",
"iat": 1579621160,
@@ -3653,7 +3656,7 @@
</name>
<artwork><![CDATA[
{
"id": "https://mushrooms.federation.example.com/trust-marks/self-signed",
"trust_mark_id": "https://mushrooms.federation.example.com/trust-marks/self-signed",
"iss": "https://amanita.muscaria.example.com",
"sub": "https://amanita.muscaria.example.com",
"iat": 1579621160,
@@ -3676,7 +3679,7 @@
"sub": "https://umu.se/op",
"iat": 1577833200,
"exp": 1609369200,
"id": "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf"
"trust_mark_id": "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf"
}
]]></artwork>
</figure>
@@ -3700,20 +3703,20 @@
<artwork><![CDATA[
{
"delegation":
"eyJ0eXAiOiJ0cnVzdC1tYXJrLWRlbGVnYXRpb24rand0IiwiYWxnIjoiUlMyNTYiL
CJraWQiOiJUak5aZUVkcWREUlBTWHBvVWxoTE9VWmpjWE5KYjJ4amNpMDJWR3hDTV
dSa1ZVVXhNR2hqTmpkME1BIn0.
eyJzdWIiOiAiaHR0cHM
6Ly90bWkuZXhhbXBsZS5vcmciLCAiaWQiOiAiaHR0cHM6Ly9yZWZlZHMub3JnL3Np
cnRmaSIsICJpc3MiOiAiaHR0cHM6Ly90bV9vd25lci5leGFtcGxlLm9yZyIsICJpY
XQiOiAxNzI1MTc2MzAyfQ.MTPri3aSN4vxUL_yzZ16He2UsNAWE6u9u59oRl-u8kq
JFY95UZZxsZrCeSjLDJAclQmDfe2xHdV-UGI-zOu3wkeCW-AuIH6f8J-e_4pSHLzT
caZd8PvCbab2bZuQes5FYQ6xhpAQWPkry0TtHic5iN-0CZ5a1s1r3YCbj72_kicMz
F7WlLkMVgXDIA5TwQNuAwWavhh2c1faVYEV56uG-n_-bekIb3br6uuPtlMpRVUkoi
eKpwDcGxyJct-g0H436gvIm7lyKfvi0SmKxKK0AbL48-yRi1LSOXLx_60alAGHzQ-
XlnuREVu8VWgIPHelsyPHJPc6hQDuchyu52Nupg",
"eyJ0eXAiOiJ0cnVzdC1tYXJrLWRlbGVnYXRpb24rand0IiwiYWxnIjoiUl
MyNTYiLCJraWQiOiJrb3NHbTJ3dVpoOURHbU54QXRrdU80MHBQanBMMy1qQ
2YxTi1xUE8tWWVVIn0.eyJzdWIiOiJodHRwczovL3RtaS5leGFtcGxlLm9y
ZyIsInRydXN0X21hcmtfaWQiOiJodHRwczovL3JlZmVkcy5vcmcvc2lydGZ
pIiwiaXNzIjoiaHR0cHM6Ly90bV9vd25lci5leGFtcGxlLm9yZyIsImlhdC
I6MTcyNTE3NjMwMn0.ao0rWGpVjEgpNyFxsKawps8q71eYnp78TzRdY4P52
CT8QX6etXt-2L2Z1Vw5A6jx2mhjpPwWi_sOxfiOSA5TugJfN0Gbwj7teTzM
0IMciuasCWgnLrKyLZjS147ZE50I9e9P8Ot8UQwhmXcLiuwsbDxSdqM4pVp
75lfWnmzPH0L2pDZG5COFgIgSOAlK3TVMBOR8fziF-VmWNPzAfB0lSc-hjH
-7q66GyT43o3Exnm6DsoLxyB8bxG99BQltLxURDT90CzM6szGcF3OG64Rbe
0I4lT_LAOfvhlrRbT56eK4sJNCsbVbGnDBfFmyfB_HIeBMGP0L7T5JPMOUU
9bjIlA",
"iat": 1725176302,
"id": "https://refeds.org/sirtfi",
"trust_mark_id": "https://refeds.org/sirtfi",
"sub": "https://entity.example.org",
"exp": 1727768302,
"iss": "https://tmi.example.org"
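Review bot: the new delegation JWT decodes to {"sub":"https://tmi.example.org","trust_mark_id":"https://refeds.org/sirtfi","iss":"https://tm_owner.example.org","iat":1725176302}, which matches the decoded payload figure at 3749 and the enclosing Trust Mark's trust_mark_id, so the rename is consistent. It carries no exp, though, while the Trust Mark wrapping it expires at 1727768302; the delegation's validity is therefore bounded only by the Trust Mark owner's key lifetime. Either add an exp to the example delegation or say in the surrounding text that an omitted exp means the delegation does not expire on its own.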
@@ -3732,7 +3735,7 @@
{
"typ": "trust-mark-delegation+jwt",
"alg": "RS256",
"kid": "TjNZeEdqdDRPSXpoUlhLOUZjcXNJb2xjci02VGxCMWRkVUUxMGhjNjd0MA"
"kid": "kosGm2wuZh9DGmNxAtkuO40pPjpL3-jCf1N-qPO-YeU"
}
]]></artwork>
</figure>
@@ -3746,7 +3749,7 @@
<artwork><![CDATA[
{
"sub": "https://tmi.example.org",
"id": "https://refeds.org/sirtfi",
"trust_mark_id": "https://refeds.org/sirtfi",
"iss": "https://tm_owner.example.org",
"iat": 1725176302
}
@@ -4367,17 +4370,18 @@ Host: openid.sunet.se
}
},
"trust_marks": [
{"id": "https://www.spid.gov.it/certification/op/",
{"trust_mark_id": "https://www.spid.gov.it/certification/op/",
"trust_mark":
"eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiOH
hzdUtXaVZmd1NnSG9mMVRlNE9VZGN5NHE3ZEpyS2ZGUmxPNXhoSElhMCJ9.
eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkL
mdvdi5pdCIsInN1YiI6Imh0dHBzOi8vb3AuZXhhbXBsZS5pdC9zcGlkLyIsIml
hdCI6MTU3OTYyMTE2MCwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZ
XJ0aWZpY2F0aW9uL29wLyIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5
nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0c
HM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWN
uaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9"
eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi
8vb3AuZXhhbXBsZS5pdC9zcGlkLyIsImlhdCI6MTU3OTYyMTE2MCwidHJ1c3Rf
bWFya19pZCI6Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb2
4vb3AvIiwibG9nb191cmkiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdC90aGVt
ZXMvY3VzdG9tL2FnaWQvbG9nby5zdmciLCJyZWYiOiJodHRwczovL2RvY3MuaX
RhbGlhLml0L2l0YWxpYS9zcGlkL3NwaWQtcmVnb2xlLXRlY25pY2hlLW9pZGMv
aXQvc3RhYmlsZS9pbmRleC5odG1sIn0.
xyz-PDQ_..."
}
],
"trust_chain" : [
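Review bot: the placeholder third segment "xyz-PDQ_..." is an improvement over the value it replaces, which had only header and payload segments and so was not a valid compact JWS, but it is the only elided signature in this patch; the other examples carry complete signatures. Either sign this example with the same test key as the others or state in the surrounding text that the signature is abbreviated, so readers do not treat the placeholder as a literal value.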
@@ -4663,7 +4667,7 @@ Content-Type: application/json
Trust Mark Request
</name>
<artwork><![CDATA[
GET /trust_mark?trust_mark_id=https%3A%2F%2Ftuber.cert.example.org%2Fnero%2Fpregiato%2Fnorcia&sub=https%3A%2F%2Ftartufo.example.it HTTP/1.1
GET /trust_mark?trust_mark_id=https%3A%2F%2Fwww.spid.gov.it%2Fcertification%2Frp&sub=https%3A%2F%2Frp.example.it%2Fspid HTTP/1.1
Host: tuber.cert.example.org
]]></artwork>
</figure>
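Review bot: the request now asks for trust_mark_id https://www.spid.gov.it/certification/rp and sub https://rp.example.it/spid, but the Host line beneath it is unchanged at tuber.cert.example.org, and the Trust Mark returned in the next figure is issued by https://www.agid.gov.it, so the endpoint host, the Trust Mark issuer and the identifier's domain are now three unrelated parties. Either keep the tuber.cert.example.org identifier and subject from the old request or change Host to match the new issuer.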
@@ -4697,17 +4701,19 @@ Host: tuber.cert.example.org
200 OK
Content-Type: application/trust-mark+jwt
eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoibVVFdHRpblI1
M2ktb0FzUmg3aXpuVjVHWGVoWHdDNnVpNFJwbVB5S3lkOCJ9.
eyJpc3MiOiJodHRwczovL3R1YmVyLmNlcnQuZXhhbXBsZS5vcmciL
CJzdWIiOiJodHRwczovL3RhcnR1Zm8uZXhhbXBsZS5pdCIsImlhdCI6MTU3OTYyMTE2MCwiZ
XhwIjoxNTc5NzIxMTYwLCJpZCI6Imh0dHBzOi8vdHViZXIuY2VydC5leGFtcGxlLm9yZy9uZ
XJvL3ByZWdpYXRvL25vcmNpYSJ9.HwzNAJVPDYC9AM-ILWfgmT5YDz-pjtklQhtEQbqhC7P0
nv88W8Wx74oE5IR5WgJP9Q3xPD-UO7o6O_Z0PMR186TzcBnaXtogn6-QxHRomCPwytviVGyk
XE1MkOnf9wTYWb5q13A53w8y0vUTlwZhBHt9qYNp3t4XwjR8eEZTptHeI_NHkaOsknT3cI16
FbxqXVdTudQCfPJEYKGGL1QDg2EdVGFgjq4V-2UTKlBQvnorNUmfNOxgRT0DR37ZezluvGJ5
NjK15h2rrJRN4e_8favIJNTNO8fhK7bjyUFJlVGYmLUpfCuJmxBv-EMhiAkeoDtk71Tc6ou6
2rxqFCU3LQ
eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoia29zR20yd3Va
aDlER21OeEF0a3VPNDBwUGpwTDMtakNmMU4tcVBPLVllVSJ9.eyJpc3MiOiJodHRwczovL3d
3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vcnAuZXhhbXBsZS5pdC9zcGlkIiwiaWF
0IjoxNTc5NjIxMTYwLCJ0cnVzdF9tYXJrX2lkIjoiaHR0cHM6Ly93d3cuc3BpZC5nb3YuaXQ
vY2VydGlmaWNhdGlvbi9ycCIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5nb3YuaXQ
vdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0cHM6Ly9kb2NzLml0YWx
pYS5pdC9kb2NzL3NwaWQtY2llLW9pZGMtZG9jcy9pdC92ZXJzaW9uZS1jb3JyZW50ZS8ifQ.
L_pSh1InEiFAcs3E-1HBM7fNZYwF5ru3UGA_8yc80dGS3sszfA_sbj4AoW_zAJWQBdZpjxnH
BBmybYXFrfZBcqxcedsrvUYrmbt1nPYxbUE54fRRoZK-sJmVqh1GzSan5nOmkxuAtMinU8k_
-aWnPWj83sYe2AzT2mMgkXiz8zhda3jZm8hoxZ4jR6B0YAvbMlq2pPWO5OWKdZhiFRMSprwh
0GYluQkK0j1aLNMGXD3keMJd2zEoWX9D7w2fXShAA48W3cNhuXyBVnCoum1K4IWK3s_fx4nI
kp6W-V4jCBOpxp7Yo8LZ30o_xpEOzGTIECGWVR86azOAlwVC8XSiAA
]]></artwork>
</figure>
</section>
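Review bot: the returned JWT decodes to iss https://www.agid.gov.it, sub https://rp.example.it/spid, iat 1579621160 and trust_mark_id https://www.spid.gov.it/certification/rp with no exp claim, whereas the value it replaces was issued by https://tuber.cert.example.org (matching the request's Host) and carried exp 1579721160. Besides the issuer/Host mismatch, dropping exp means the Trust Mark endpoint example now shows a Trust Mark issued in 2020 that never expires; restore exp so the example does not present an unexpiring Trust Mark as the norm.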
@@ -6938,26 +6944,6 @@ HTTP/1.1 302 Found
</t>
</section>

<section anchor="idClaim" title='"id" (Identifier) Claim'>
<t>
The <spanx style="verb">id</spanx> (identifier) claim
is used for conveying an identifier that is a property of the JWT.
The <spanx style="verb">id</spanx> value is a case-sensitive string
containing a StringOrURI value.
Use of this claim is OPTIONAL.
</t>
<t>
For instance, an enterprise application might use
the <spanx style="verb">id</spanx> (identifier) claim
to convey an employee ID value.
Note that this is different than
the <spanx style="verb">jti</spanx> (JWT ID) claim,
which contains a unique identifier for the individual JWT itself.
This claim is used in this specification in <xref target="trust_mark_claims"/>
to provide the identifier of the Trust Mark.
</t>
</section>

<section anchor="refClaim" title='"ref" (Reference) Claim'>
<t>
The <spanx style="verb">ref</spanx> (reference) claim
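Review bot: removing the id claim section also removes the only sentence in the document that contrasts the Trust Mark identifier with the jti (JWT ID) claim ("which contains a unique identifier for the individual JWT itself"). Since trust_mark_id identifies the Trust Mark rather than the individual JWT carrying it, that distinction is still worth stating; carry it into the trust_mark_id definition in the Trust Mark Claims section.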
@@ -8273,22 +8259,6 @@ HTTP/1.1 302 Found
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Claim Name: <spanx style="verb">id</spanx>
</t>
<t>
Claim Description: Identifier
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="idClaim"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
@@ -8481,6 +8451,22 @@ HTTP/1.1 302 Found
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
Claim Name: <spanx style="verb">trust_mark_id</spanx>
</t>
<t>
Claim Description: Trust Mark Identifier
</t>
<t>
Change Controller: OpenID Foundation Artifact Binding Working Group - [email protected]
</t>
<t>
Specification Document(s): <xref target="trust_mark_claims"/> of this specification
</t>
</list>
</t>
<t>
<list style="symbols">
<t>
@@ -10070,6 +10056,12 @@ Host: op.umu.se
4 and 8 of RFC 8259, may result in unpredictable metadata and metadata
policy behavior.
</t>
<t>
Fixed #162: Trust Mark claim <spanx style="verb">id</spanx>
renamed to <spanx style="verb">trust_mark_id</spanx>.
Other more specific Trust Mark JWT <spanx style="verb">typ</spanx> header parameter values
can be used if defined by trust frameworks in use and understood by the implementation.
</t>
</list>
</t>
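Review bot: this changelog entry bundles two unrelated changes under "Fixed #162": the claim rename and the relaxation of the typ rule. Its second sentence also describes the typ rule differently from the normative text at 3254: here a framework-specific value "can be used if defined by trust frameworks in use and understood by the implementation", whereas the normative paragraph only requires that unrecognized values be rejected and does not say the value must be defined by the trust framework in use. Split the entry and align the wording with whichever rule is intended.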

0 comments on commit 29c1273