[Openid-specs-ab] OpenID Federation: Multi Metadata statement example questions

Jeff LOMBARDO jeff.lombardo at gmail.com
Wed Jun 20 19:25:56 UTC 2018


Hi,

First post [ever on an RFC] so I hope I play by the rules. My apologies if I
don't.

I have a problem understanding the multi metadata statement. Maybe it is my
core understanding of OIDC which is too raw.

From the rule: *Given two metadata statements ms_i and ms_j (j > i, i=0,
..., n-1, j=1, ..., n) For every claim in ms_j: If the claim does not
appear in ms_i add it to ms_i. If the claim appears in ms_i then replace
the value of the claim in ms_i with the value of the claim in ms_j if and
only if the value in ms_j is a subset of the value in ms_i else an error
MUST be generated.*

How can one hope to modify the Metadata statement? Along the rule, a
modification of metadata statement can only occur if the new statement is a
subset of the old one. The example is consistent with the rule and may be
acceptable for *"response_types"*: *ms_1{"response_types": ["code", "code
id_token"]}* + *ms_2{"response_types": ["code"]}* gives
*sum(ms_0...2){"response_types": ["code"]}*.

But I found the expected behavior strange with *"contacts"* (and
*"logo_uri"*, *"policy_uri"*, *"tos_uri"*, etc...). With *ms_0{"contacts":
["helpdesk@example.com"]}* + *ms_2{"contacts":
["rp_helpdesk@example.com"]}* one may want to
represent:
- a modification of *"contacts"* in the latest metadata statement bringing
the result to *sum(ms_0...2){"contacts": ["rp_helpdesk@example.com"]}* and not
*sum(ms_0...2){"contacts": ["helpdesk@example.com"]}*
- an enrichment of *"contacts"* bringing the result to
*sum(ms_0...2){"contacts": ["helpdesk@example.com",
"rp_helpdesk@example.com"]}*. In fact, the attribute is labelled contact*S*
so we expect many contacts here... but this is not possible because even if I
publish *ms_2{"contacts": ["helpdesk@example.com",
"rp_helpdesk@example.com"]}*, *"contacts": ["helpdesk@example.com",
"rp_helpdesk@example.com"]* is not a subset of *"contacts":
["rp_helpdesk@example.com"]* so no change can
occur.

In all cases, the result is not consistent with the rule as *an error
should have been generated* because *["rp_helpdesk@example.com"]* is not a
subset of *["helpdesk@example.com"]*.

Thanks for your feedback on that,

Jeff
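
The rule quoted in the message above, applied literally, as an added example (not part of the original post and not code from the OpenID Federation draft). The names `flatten`, `rejected` and `MetadataPolicyError` are hypothetical. It assumes the statements are folded in order ms_0..ms_n, that claim values are strings or lists of strings, and that a scalar is compared as a one-element set.

```python
class MetadataPolicyError(ValueError):
    """A later statement tried to set a value that is not a subset of the earlier one."""


def _as_set(value):
    # Assumption: a scalar claim such as "logo_uri" is compared as a one-element set.
    return frozenset(value) if isinstance(value, (list, tuple)) else frozenset([value])


def flatten(statements):
    """Fold ms_0..ms_n into one dict using the subset rule quoted in the message."""
    result = {}
    for j, ms_j in enumerate(statements):
        for claim, new_value in ms_j.items():
            if claim not in result:
                result[claim] = new_value          # claim not seen yet: add it
            elif _as_set(new_value) <= _as_set(result[claim]):
                result[claim] = new_value          # narrowing is allowed
            else:
                raise MetadataPolicyError(
                    f"ms_{j}: {claim!r}={new_value!r} is not a subset of {result[claim]!r}"
                )
    return result


def rejected(statements):
    """True when the rule requires an error for this chain of statements."""
    try:
        flatten(statements)
    except MetadataPolicyError:
        return True
    return False


# Constructed inputs mirroring the cases discussed in the message.
RESPONSE_TYPES = [{"response_types": ["code", "code id_token"]},
                  {"response_types": ["code"]}]
CONTACTS_REPLACE = [{"contacts": ["helpdesk@example.com"]},
                    {"contacts": ["rp_helpdesk@example.com"]}]
CONTACTS_ENRICH = [{"contacts": ["helpdesk@example.com"]},
                   {"contacts": ["helpdesk@example.com", "rp_helpdesk@example.com"]}]

if __name__ == "__main__":
    print(flatten(RESPONSE_TYPES))
    for name, chain in (("replace", CONTACTS_REPLACE), ("enrich", CONTACTS_ENRICH)):
        print(name, "rejected" if rejected(chain) else "accepted")
```

Under this literal reading a later statement can only narrow a value: both the replacement and the enrichment of "contacts" raise an error, while the "response_types" chain reduces to ["code"].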