[Openid-specs-ab] Issue #1661: language around server metadata is quite involved (openid/connect)
josephheenan
issues-reply at bitbucket.org
Thu Oct 6 12:13:28 UTC 2022
New issue 1661: language around server metadata is quite involved
https://bitbucket.org/openid/connect/issues/1661/language-around-server-metadata-is-quite
Joseph Heenan:
[https://openid.net/specs/openid-connect-federation-1_0-23.html#section-4.1](https://openid.net/specs/openid-connect-federation-1_0-23.html#section-4.1) is quite involved.
It says:
> For instance, for OpenID Connect federations, this specification uses metadata values from [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Discovery) \[[OpenID.Discovery](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Discovery)\] and [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Registration) \[[OpenID.Registration](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Registration)\] and adds additional values used for federations.
>
> For OAuth2 federations, this specification uses metadata values from OAuth 2.0 Authorization Server Metadata as specified in \[[RFC8414](https://openid.net/specs/openid-connect-federation-1_0-23.html#RFC8414)\].
>
> For both OpenID Connect and OAuth2 metadata the following properties are defined.
I find it quite hard to follow, particularly how it distinguishes between OAuth2 federations and OpenID Connect federations. You can read it such that an OpenID Connect federation can only use values defined in the OIDC specs, meaning OIDC federations can’t use (say) CIBA or MTLS client auth, as those metadata values would only be in the IANA registry.
Would we lose anything by replacing the above text with references to the respective IANA registries (which then refer on to the OIDC specs for the OIDC items)?