[Openid-specs-ab] OpenID Federation: Multi Metadata statement example questions
Jeff LOMBARDO
jeff.lombardo at gmail.com
Tue Jun 26 14:54:49 UTC 2018
Hi,
First post [ever on a RFC] so I hope I play by the rules. My apologies if I
don't.
I have a problem understanding the multi metadata statement. Maybe it is my
core understanding of OIDC which is too raw.
From the rule: "Given two metadata statements ms_i and ms_j (j > i, i=0, ..., n-1, j=1, ..., n) For every claim in ms_j: If the claim does not appear in ms_i add it to ms_i. If the claim appears in ms_i then replace the value of the claim in ms_i with the value of the claim in ms_j if and only if the value in ms_j is a subset of the value in ms_i else an error MUST be generated."
How can one hope to modify the Metadata statement? Along the rule, a modification of a metadata statement can only occur if the new statement is a subset of the old one. The example is consistent with the rule and may be acceptable for "response_types": ms_1{"response_types": ["code", "code id_token"]} + ms_2{"response_types": ["code"]} gives sum(ms_0...2){"response_types": ["code"]}.
But I found the expected behavior strange with "contacts" (and "logo_uri", "policy_uri", "tos_uri", etc.). With ms_0{"contacts": ["helpdesk@example.com"]} + ms_2{"contacts": ["rp_helpdesk@example.com"]} one may want to represent:
- a modification of "contacts" in the latest metadata statement bringing the result to sum(ms_0...2){"contacts": ["rp_helpdesk@example.com"]} and not sum(ms_0...2){"contacts": ["helpdesk@example.com"]}
- an enrichment of "contacts" bringing the result to sum(ms_0...2){"contacts": ["helpdesk@example.com", "rp_helpdesk@example.com"]}. In fact, the attribute is labelled contactS so we expect many contacts here... but this is not possible because even if I publish ms_2{"contacts": ["helpdesk@example.com", "rp_helpdesk@example.com"]}, "contacts": ["helpdesk@example.com", "rp_helpdesk@example.com"] is not a subset of "contacts": ["rp_helpdesk@example.com"] so no change can occur.
In all cases, the result is not consistent with the rule as an error should have been generated because ["rp_helpdesk@example.com"] is not a subset of ["helpdesk@example.com"].
Thanks for your feedback on that,
Jeff
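The merge rule quoted in the post, applied to the post's two cases, as an added example that is not from the OpenID Federation draft or any project's code. It assumes "subset" means set inclusion for list-valued claims, key-wise recursion for objects, and exact equality for scalars; the contact addresses are constructed.

```python
"""Flatten a chain of metadata statements ms_0 ... ms_n (added example)."""
from typing import Any, Dict, List


class MetadataPolicyError(ValueError):
    """Raised when a later statement is not a subset of the accumulated one."""


def is_subset(new: Any, old: Any) -> bool:
    """Subset test. List/dict/scalar handling is an assumption of this example."""
    if isinstance(new, list) and isinstance(old, list):
        return set(new) <= set(old)          # list claims: set inclusion
    if isinstance(new, dict) and isinstance(old, dict):
        return all(k in old and is_subset(v, old[k]) for k, v in new.items())
    return new == old                        # scalars: only an identical value qualifies


def flatten(statements: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the rule from ms_0 upward; an attempt to widen a claim is an error."""
    result: Dict[str, Any] = {}
    for j, ms_j in enumerate(statements):
        for claim, value in ms_j.items():
            if claim not in result:
                result[claim] = value        # new claim: add it
            elif is_subset(value, result[claim]):
                result[claim] = value        # narrowing: replace it
            else:
                raise MetadataPolicyError(
                    f"ms_{j} widens {claim!r}: {value!r} is not a subset of {result[claim]!r}")
    return result


# Constructed chains mirroring the post: one that narrows, two that try to change/enrich.
RESPONSE_TYPES_CHAIN = [
    {"response_types": ["code", "code id_token"]},
    {"response_types": ["code"]},
]
CONTACTS_REPLACE_CHAIN = [
    {"contacts": ["helpdesk@example.com"]},
    {"contacts": ["rp_helpdesk@example.com"]},
]
CONTACTS_ENRICH_CHAIN = [
    {"contacts": ["helpdesk@example.com"]},
    {"contacts": ["helpdesk@example.com", "rp_helpdesk@example.com"]},
]

if __name__ == "__main__":
    print(flatten(RESPONSE_TYPES_CHAIN))
    for chain in (CONTACTS_REPLACE_CHAIN, CONTACTS_ENRICH_CHAIN):
        try:
            flatten(chain)
        except MetadataPolicyError as err:
            print("error:", err)
```

Run as written, the first chain narrows to ["code"] while both contact chains raise, which is the outcome the rule as quoted prescribes.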