[Openid-specs-ab] Issue #2060: [Federation] 5.1.5. Applying Policies: Specify concrete order for all policy operators under pt. 5 (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Wed Sep 6 07:25:53 UTC 2023


New issue 2060: [Federation] 5.1.5. Applying Policies: Specify concrete order for all policy operators under pt. 5
https://bitbucket.org/openid/connect/issues/2060/federation-515-applying-policies-specify

Vladimir Dzhuvinov:

Section [5.1.5.](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#section-5.1.5) [Applying Policies](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#name-applying-policies) specifies the order in which the policy operators must be applied to a metadata parameter.

Point #5 currently does not put the `subset_of` and `superset_of` in a concrete place in this order of applying policy operators. This is crucial to make sure policies behave consistently and implementations interop.

The OIDC Federation policy language works by first modifying (shaping) a selected metadata parameter, and then checking the compliance of the resulting value. Following this, the `subset_of` (which can behave as a value modifier) should be applied before a `superset_of`.

Section [5.1.8.](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#section-5.1.8) [Extending the Policy Language](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#name-extending-the-policy-langua) could also say that the specification of a custom operator must include its position relative to the general order defined in 5.1.5.
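
The ordering problem raised in the issue above, shown as an added example that is not part of the original post or of the specification. It assumes `subset_of` acts as a modifier (intersection with the allowed values) and `superset_of` acts as a check; the function names, the `grant_types` value and the policy are constructed for illustration.

```python
# Added illustration; the operator semantics here are assumptions, not spec text.

class PolicyError(Exception):
    """Raised when a metadata value fails a policy check."""


def subset_of(value, allowed):
    # Modeled as a value modifier: keep only the entries that are allowed.
    return [v for v in value if v in allowed]


def superset_of(value, required):
    # Modeled as a value check: every required entry must be present.
    missing = [r for r in required if r not in value]
    if missing:
        raise PolicyError(f"missing required values: {missing}")
    return value


OPERATORS = {"subset_of": subset_of, "superset_of": superset_of}


def apply_policy(value, policy, order):
    """Apply the operators present in `policy` to `value` in the given order."""
    for name in order:
        if name in policy:
            value = OPERATORS[name](value, policy[name])
    return value


def outcome(value, policy, order):
    """Return ('accepted', result) or ('rejected', reason) for one ordering."""
    try:
        return ("accepted", apply_policy(list(value), policy, order))
    except PolicyError as exc:
        return ("rejected", str(exc))


# Constructed sample: a leaf entity's grant_types and a policy for that parameter.
GRANT_TYPES = ["authorization_code", "implicit", "refresh_token"]
POLICY = {
    "subset_of": ["authorization_code", "refresh_token"],
    "superset_of": ["authorization_code", "implicit"],
}

if __name__ == "__main__":
    for order in (["subset_of", "superset_of"], ["superset_of", "subset_of"]):
        print(order, "->", outcome(GRANT_TYPES, POLICY, order))
```

With modify-then-check ordering the entity is rejected; with the reverse ordering it is accepted, and the value that ends up in use no longer satisfies the `superset_of` requirement that was checked.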

