[Openid-specs-ab] Issue #1753: [Federation] Consider defining policy operators to express optionality of an OP or RP metadata parameter (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Mon Dec 12 09:19:03 UTC 2022
New issue 1753: [Federation] Consider defining policy operators to express optionality of an OP or RP metadata parameter
https://bitbucket.org/openid/connect/issues/1753/federation-consider-defining-policy
Vladimir Dzhuvinov:
To express federation policies like:
* If the RP metadata specifies encrypted ID tokens, the allowed “alg” and “enc” values are such and such.
* If the RP metadata specifies encrypted UserInfo, the allowed “alg” and “enc” values are such and such.
Example:
```json
"id_token_signed_response_alg": {
"default": "RS256",
"subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
},
"id_token_encrypted_response_alg": {
"subset_of_optional": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
},
"id_token_encrypted_response_enc": {
"subset_of_optional": ["A128CBC-HS256", "A256CBC-HS512"]
},
"userinfo_signed_response_alg": {
"subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
},
"userinfo_encrypted_response_alg": {
"subset_of_optional": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
},
"userinfo_encrypted_response_enc": {
"subset_of_optional": ["A128CBC-HS256", "A256CBC-HS512"]
}
```
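To make the proposed operator concrete, here is a small policy applier that resolves RP metadata against the policy in the post. This is an added example, not code from the issue author or from the OpenID Federation specification. The function names (`apply_policy`, `_restrict`, `check`), the `PolicyViolation` exception and the three RP metadata fragments are all constructed for this example. One assumption is made explicit because the page does not define it: a plain `subset_of` is treated as requiring the parameter, so that the contrast with `subset_of_optional` (absent parameter means the RP does not use the feature and nothing is checked) is visible in the output. The actual normative behaviour of `subset_of` for an absent parameter is not stated on this page.

```python
from copy import deepcopy


class PolicyViolation(Exception):
    """Raised when RP metadata cannot be brought into line with the policy."""


# The RP metadata policy from the post, copied so the example runs offline.
POLICY = {
    "id_token_signed_response_alg": {
        "default": "RS256",
        "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"],
    },
    "id_token_encrypted_response_alg": {
        "subset_of_optional": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES",
                               "ECDH-ES+A128KW", "ECDH-ES+A256KW"],
    },
    "id_token_encrypted_response_enc": {
        "subset_of_optional": ["A128CBC-HS256", "A256CBC-HS512"],
    },
    "userinfo_signed_response_alg": {
        "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"],
    },
    "userinfo_encrypted_response_alg": {
        "subset_of_optional": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES",
                               "ECDH-ES+A128KW", "ECDH-ES+A256KW"],
    },
    "userinfo_encrypted_response_enc": {
        "subset_of_optional": ["A128CBC-HS256", "A256CBC-HS512"],
    },
}


def _restrict(param, value, allowed):
    """Intersect a metadata value with the allowed set.

    A string is a one-element set and must itself be allowed; a list is
    filtered to the allowed members, preserving order. An empty result is
    a violation rather than an empty list, so an RP that only offers
    forbidden algorithms is rejected instead of silently accepted.
    """
    if isinstance(value, list):
        kept = [v for v in value if v in allowed]
        if not kept:
            raise PolicyViolation(f"{param}: none of {value} allowed by policy")
        return kept
    if value not in allowed:
        raise PolicyViolation(f"{param}: {value!r} not in {allowed}")
    return value


def apply_policy(policy, metadata):
    """Return a resolved copy of metadata, or raise PolicyViolation."""
    out = deepcopy(metadata)
    for param, ops in policy.items():
        if param not in out and "default" in ops:
            out[param] = ops["default"]
        if "subset_of_optional" in ops and param in out:
            # Absent parameter: the RP does not use the feature, nothing to check.
            out[param] = _restrict(param, out[param], ops["subset_of_optional"])
        if "subset_of" in ops:
            # Assumption for this example: plain subset_of makes the parameter required.
            if param not in out:
                raise PolicyViolation(f"{param}: required by policy but absent")
            out[param] = _restrict(param, out[param], ops["subset_of"])
    return out


# Constructed RP registration metadata fragments (not from the post).
RP_PLAIN = {"userinfo_signed_response_alg": "ES256"}       # no JWE at all
RP_WEAK_JWE = {
    "userinfo_signed_response_alg": "ES256",
    "id_token_encrypted_response_alg": "RSA1_5",           # PKCS#1 v1.5, outside the allowed set
    "id_token_encrypted_response_enc": "A128CBC-HS256",
}
RP_GOOD_JWE = {
    "userinfo_signed_response_alg": "PS256",
    "id_token_encrypted_response_alg": "ECDH-ES",
    "id_token_encrypted_response_enc": "A256CBC-HS512",
}


def check(metadata):
    """Return (accepted, resolved_metadata_or_reason) under POLICY."""
    try:
        return True, apply_policy(POLICY, metadata)
    except PolicyViolation as e:
        return False, str(e)


if __name__ == "__main__":
    for name, md in [("plain", RP_PLAIN), ("weak_jwe", RP_WEAK_JWE), ("good_jwe", RP_GOOD_JWE)]:
        print(name, check(md))
```

The point the example makes is the one the issue raises: an RP that never asks for encrypted ID tokens passes without being forced to declare an `alg`/`enc` pair, while an RP that does ask for encryption is held to the federation's allowed list and is rejected the moment it names an algorithm outside it.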