[Openid-specs-ab] Issue #1655: trust_anchor_id in entity statement? (openid/connect)
tlodderstedt
issues-reply at bitbucket.org
Wed Oct 5 16:00:28 UTC 2022
New issue 1655: trust_anchor_id in entity statement?
https://bitbucket.org/openid/connect/issues/1655/trust_anchor_id-in-entity-statement
Torsten Lodderstedt:
> trust_anchor_id
>
> OPTIONAL. An OP MUST use this claim to tell the RP which Trust Anchor it chose to use when responding to an explicit client registration. The value of `trust_anchor_id` is the Entity Identifier of a trust anchor.
It seems the trust_anchor_id would better be a registration response parameter.
Why does the OP generate a new entity statement, thus becoming an authoritative source of claims/policies about/regarding an RP? Shouldn't that be the responsibility of the RP's trust chain only?
Why doesn't the OP just return the data as defined in OpenID Connect Dynamic Client Registration or RFC 7591 + additional response parameters relevant for OIDC federation?
The example in section A.3.2. “disables” the refresh token grant type via policy. I think this is not a policy decision but a discovery aspect.
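The two response shapes under discussion, as an added example that is not part of the post, the issue, or the OpenID Federation specification: the RP receives either an entity statement issued by the OP about the RP, or a plain RFC 7591-style JSON registration response carrying `trust_anchor_id` as an extra parameter. In both cases the RP-side check that matters is the same: the Trust Anchor the OP picked must be one the RP itself trusts, and any grant type the RP asked for but did not get back is surfaced as a discovery fact rather than silently dropped. All entity identifiers, the claim layout inside the entity statement, and the HMAC signing key are constructed assumptions for this example; a real entity statement is signed with the OP's asymmetric federation key.

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers (not from the post or the spec text).
OP_ENTITY_ID = "https://op.example.com"
RP_ENTITY_ID = "https://rp.example.org"
RP_TRUST_ANCHORS = {"https://ta.example.net", "https://ta2.example.net"}
REQUESTED_GRANT_TYPES = ["authorization_code", "refresh_token"]

# Stand-in key: HMAC keeps the example offline; real entity statements use
# the OP's asymmetric federation key, verified via the OP's trust chain.
OP_SIGNING_KEY = b"constructed-example-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_entity_statement(payload: dict) -> str:
    """Build the 'OP issues an entity statement about the RP' form (assumed layout)."""
    header = {"alg": "HS256", "typ": "entity-statement+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(OP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_entity_statement(token: str) -> dict:
    """Verify the stand-in signature, typ, and iss/sub, then return the claims."""
    h, p, s = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("typ") != "entity-statement+jwt":
        raise ValueError("unexpected typ")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != OP_ENTITY_ID or claims.get("sub") != RP_ENTITY_ID:
        raise ValueError("iss/sub do not match this registration")
    return claims


def check_registration(trust_anchor_id: str, granted_grant_types: list) -> dict:
    """RP-side checks shared by both response shapes."""
    if trust_anchor_id not in RP_TRUST_ANCHORS:
        raise ValueError(f"OP chose trust anchor {trust_anchor_id!r} that the RP does not trust")
    # Grant types the RP requested but the OP did not grant: a discovery outcome
    # the RP must act on (e.g. stop expecting refresh tokens), not a hidden policy.
    dropped = [g for g in REQUESTED_GRANT_TYPES if g not in granted_grant_types]
    return {"trust_anchor_id": trust_anchor_id, "dropped_grant_types": dropped}


def handle_entity_statement_response(token: str) -> dict:
    """Entity-statement form: the OP's signed claims about the RP (assumed layout)."""
    claims = parse_entity_statement(token)
    rp_metadata = claims.get("metadata", {}).get("openid_relying_party", {})
    return check_registration(claims["trust_anchor_id"], rp_metadata.get("grant_types", []))


def handle_plain_registration_response(body: str) -> dict:
    """RFC 7591-style form: plain JSON plus a trust_anchor_id response parameter."""
    resp = json.loads(body)
    return check_registration(resp["trust_anchor_id"], resp.get("grant_types", []))


def sample_entity_statement() -> str:
    """Constructed OP response in which the refresh_token grant was not granted."""
    return make_entity_statement({
        "iss": OP_ENTITY_ID, "sub": RP_ENTITY_ID,
        "trust_anchor_id": "https://ta.example.net",
        "metadata": {"openid_relying_party": {"grant_types": ["authorization_code"]}},
    })


def sample_plain_response() -> str:
    """Constructed plain registration response granting everything requested."""
    return json.dumps({
        "client_id": RP_ENTITY_ID,
        "trust_anchor_id": "https://ta.example.net",
        "grant_types": ["authorization_code", "refresh_token"],
    })


if __name__ == "__main__":
    print(handle_entity_statement_response(sample_entity_statement()))
    print(handle_plain_registration_response(sample_plain_response()))
```

In the entity-statement form the RP has to verify a JWT the OP issued about the RP before it can even read `trust_anchor_id`; in the plain form the same check is a field lookup on the registration response, which is the shape the post argues for.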