[Openid-specs-ab] Issue #1368: [federation_api] fetch entity statement - issuer parameter is really required? (openid/connect)
peppelinux
issues-reply at bitbucket.org
Mon Dec 6 23:54:31 UTC 2021
New issue 1368: [federation_api] fetch entity statement - issuer parameter is really required?
https://bitbucket.org/openid/connect/issues/1368/federation_api-fetch-entity-statement
Giuseppe De Marco:
In the federation_api, as described in "[7.1.1. Fetch Entity Statements Request](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.7.1.1)", it's required to use the **iss** parameter.
I'm wondering instead whether the **iss** parameter should really be mandatory in the fetch request.
The issuer should be the endpoint where the request has been submitted. A federation entity, through its fetch endpoint, COULD support the response on behalf of other issuers. The verifier needs to obtain the relevant information related to the sub, if available. The issuer is therefore not so relevant to be known a priori, during the request, but only in the response.
I believe that only the sub parameter is necessary for fetch operations and that the iss parameter should be optional, if not removed altogether.
Last but not least, an issuer can answer for many subjects. Having said that, by asking for an iss and omitting the sub in the URL parameters, shouldn't we get more than one entity statement, according to a many-to-one model? This could be no less interesting, but if this result cannot be obtained, it might be as well to remove iss as mandatory.
If I have misinterpreted the text, please have patience.
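As an added illustration of the request/response binding discussed in this issue (not code from the issue, the mailing list or the specification), the snippet below builds a fetch request that always carries `sub` and only optionally `iss`, then checks a returned entity statement's claims against what was requested. It assumes the statement's signature has already been verified upstream, that a fetch endpoint answers with subordinate statements (iss different from sub), and uses constructed endpoint URLs and claim values.

```python
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed sample values (not taken from any real federation).
SAMPLE_FETCH_ENDPOINT = "https://trust-anchor.example/fetch"
SAMPLE_CLAIMS = {
    "iss": "https://intermediate.example",   # learnt from the response, not the request
    "sub": "https://rp.example",
    "iat": 1_638_800_000,
    "exp": 1_638_886_400,
    "jwks": {"keys": []},                    # subject's keys, content irrelevant here
}


def build_fetch_url(fetch_endpoint: str, sub: str, iss: Optional[str] = None) -> str:
    """Build the fetch request: `sub` is always sent, `iss` only when the
    requester already knows which issuer it expects (the optional form)."""
    params = {"sub": sub}
    if iss is not None:
        params["iss"] = iss
    return f"{fetch_endpoint}?{urlencode(params)}"


def check_fetch_response(requested_sub: str, requested_iss: Optional[str],
                         claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Bind a returned statement to the request. Returns (ok, issuer_or_reason).
    Assumption: `claims` is the payload of an already signature-verified JWT."""
    now = time.time() if now is None else now
    for key in ("iss", "sub", "iat", "exp"):
        if key not in claims:
            return False, f"missing claim: {key}"
    # The subject is the only thing the requester can always pin a priori.
    if claims["sub"] != requested_sub:
        return False, "sub does not match the requested subject"
    # If the requester did name an issuer, the answer must come from it.
    if requested_iss is not None and claims["iss"] != requested_iss:
        return False, "iss does not match the requested issuer"
    # A fetch endpoint hands out subordinate statements, never self-signed ones.
    if claims["iss"] == claims["sub"]:
        return False, "self-signed statement returned instead of a subordinate one"
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "statement is not within its validity window"
    # Issuer is discovered from the response, as the issue argues it should be.
    return True, claims["iss"]
```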