[Openid-specs-ab] Issue #2141: [Federation] Adjust "constraints" claim requirements for Subordinate Statements and Entity Configurations (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Fri Apr 5 14:52:30 UTC 2024
New issue 2141: [Federation] Adjust "constraints" claim requirements for Subordinate Statements and Entity Configurations
https://bitbucket.org/openid/connect/issues/2141/federation-adjust-constraints-claim
Vladimir Dzhuvinov:
To guarantee that the “constraints” claim can be picked up and observed, whenever a Trust Anchor or an Intermediate Authority has defined one, it must place it in the Subordinate Statement. If it’s placed in an Entity Configuration the “constraints” will not get picked up in `trust_chain` params because they contain only Subordinate Statements (and the TA EC at the end of the chain is optional).
The current spec doesn’t clarify this, which can lead to the “constraints” not being “seen”. Current implementers, to ensure the “constraints” don’t get missed, must fetch the EC.
[https://openid.bitbucket.io/connect/openid-federation-1_0.html#name-constraints](https://openid.bitbucket.io/connect/openid-federation-1_0.html#name-constraints)
I suspect when the `trust_chain` got introduced this particular section was not updated and hence the spec was left with this discrepancy.
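As an added illustration of the gap described above (example code, not from the issue, the spec or any implementation), a minimal validator that enforces `max_path_length` over a chain modelled as decoded JWT payloads. The entity identifiers and statements are constructed sample data, and signature verification is assumed to happen elsewhere.

```python
# Added example, not code from the issue or the OpenID Federation spec.
# Statements are modelled as already-decoded JWT payloads built inline
# (constructed sample data); signature checks are assumed done elsewhere.

TA = "https://ta.example"
INTERMEDIATE = "https://intermediate.example"
LEAF = "https://rp.example"

# Subordinate Statements, ordered from the leaf upward as in `trust_chain`.
INT_ABOUT_LEAF = {"iss": INTERMEDIATE, "sub": LEAF, "jwks": {"keys": []}}
TA_ABOUT_INT = {"iss": TA, "sub": INTERMEDIATE, "jwks": {"keys": []}}

# The TA's Entity Configuration (self-signed, iss == sub); optional in the chain.
# Here the TA says: no Intermediates may sit between it and the Leaf.
TA_EC = {"iss": TA, "sub": TA, "constraints": {"max_path_length": 0}}

# The same constraint placed where the issue says it must go.
TA_ABOUT_INT_FIXED = dict(TA_ABOUT_INT, constraints={"max_path_length": 0})


def collect_constraints(trust_chain):
    """Map issuer -> 'constraints' for every statement the validator actually sees."""
    return {s["iss"]: s["constraints"] for s in trust_chain if "constraints" in s}


def check_max_path_length(trust_chain):
    """Enforce max_path_length for each issuer present in the chain.

    Returns (ok, reason). Subordinate Statements (iss != sub) are indexed from
    the leaf: the issuer of statement i has i Intermediates below it.
    """
    subordinate = [s for s in trust_chain if s["iss"] != s["sub"]]
    depth_below = {s["iss"]: i for i, s in enumerate(subordinate)}
    for stmt in trust_chain:
        limit = stmt.get("constraints", {}).get("max_path_length")
        if limit is None:
            continue
        below = depth_below.get(stmt["iss"], len(subordinate) - 1)  # TA EC fallback
        if below > limit:
            return False, f"{stmt['iss']}: max_path_length={limit}, found {below}"
    return True, "no max_path_length constraint violated"


if __name__ == "__main__":
    # Chain as typically delivered: Subordinate Statements only, no TA EC.
    print(check_max_path_length([INT_ABOUT_LEAF, TA_ABOUT_INT]))         # ok: constraint silently missed
    print(check_max_path_length([INT_ABOUT_LEAF, TA_ABOUT_INT, TA_EC]))  # rejected, but only if EC fetched
    print(check_max_path_length([INT_ABOUT_LEAF, TA_ABOUT_INT_FIXED]))   # rejected from the chain alone
```

The first call accepts a chain the TA intended to forbid, which is exactly the failure mode the issue describes; moving the claim into the Subordinate Statement makes the third call reject it without any extra fetch.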