[Openid-specs-ab] Issue #2163: Federation: Validation of metadata in entity statement (openid/connect)

Marcus Almgren issues-reply at bitbucket.org
Fri Aug 2 14:34:07 UTC 2024


New issue 2163: Federation: Validation of metadata in entity statement
https://bitbucket.org/openid/connect/issues/2163/federation-validation-of-metadata-in

Marcus Almgren:

This question should be read in the light of conformance testing of federation entities:

Let's say that we've got an entity statement that contains the following metadata:

```json
{
  "federation_entity": {
    "federation_fetch_endpoint": "https://example.com/fetch",
    "federation_list_endpoint": "https://example.com/list"
  },
  "oauth_authorization_server": {},
  "openid_relying_party": {}
}
```

`federation_entity` is valid, since all of its properties are optional. But what about `oauth_authorization_server` and `openid_relying_party`?

On one hand, the spec says that

> When an Entity participates in a federation or federations with one or more Entity Types, its Entity Configuration MUST contain a `metadata` claim with JSON object values for each of the corresponding Entity Type Identifiers, even if the values are the empty JSON object `{}`

but on the other hand, if we take `openid_relying_party` as an example, it says

> All parameters defined in Section 2 of [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-federation-1_0.html#OpenID.Registration) [[OpenID.Registration](https://openid.net/specs/openid-federation-1_0.html#OpenID.Registration)] and [Section 5.2](https://openid.net/specs/openid-federation-1_0.html#common_metadata) are applicable, as well as additional parameters registered in the IANA "OAuth Dynamic Client Registration Metadata" registry [[IANA.OAuth.Parameters](https://openid.net/specs/openid-federation-1_0.html#IANA.OAuth.Parameters)].

But what does “applicable” mean? Does it mean that all of the properties and their optionality (or lack thereof) as defined in the DCR spec apply, meaning that we should run the same set of verifications that we do for RP DCR client registration metadata, or does it mean that the properties in the DCR spec may occur inside this metadata section, but are not subject to any validation rules?

If you could please enlighten me a little bit in this matter, that would be helpful.
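The two readings asked about above can be made concrete as a validator with a strictness switch. This is an added example, not code from the issue or from any OpenID Federation implementation; the `redirect_uris` and https-endpoint checks are illustrative assumptions standing in for a full DCR rule set, and the sample `metadata` claim is the one from the issue.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the `metadata` claim quoted in the issue.
SAMPLE_METADATA = json.loads("""
{
  "federation_entity": {
    "federation_fetch_endpoint": "https://example.com/fetch",
    "federation_list_endpoint": "https://example.com/list"
  },
  "oauth_authorization_server": {},
  "openid_relying_party": {}
}
""")


def _is_absolute_uri(value, require_https=False):
    """True if `value` is a string with a URI scheme (and https, if required)."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    if require_https:
        return parts.scheme == "https" and bool(parts.netloc)
    return bool(parts.scheme)


def validate_metadata(metadata, strict_rp=False):
    """Return a list of problems found in an entity statement's `metadata` claim.

    Structural rule from the federation spec: every entity type value MUST be a
    JSON object, and `{}` is acceptable.  `strict_rp=True` models the reading in
    which DCR optionality applies to `openid_relying_party` (illustrative: only
    `redirect_uris` is checked here, an assumption, not the full DCR rule set);
    `strict_rp=False` models the reading in which DCR parameters are merely
    permitted and are type-checked only when present.
    """
    problems = []
    if not isinstance(metadata, dict):
        return ["metadata claim is not a JSON object"]
    for entity_type, value in metadata.items():
        if not isinstance(value, dict):
            problems.append(f"{entity_type}: value must be a JSON object")
    rp = metadata.get("openid_relying_party")
    if isinstance(rp, dict):
        uris = rp.get("redirect_uris")
        if uris is not None and (not isinstance(uris, list) or not all(_is_absolute_uri(u) for u in uris)):
            problems.append("openid_relying_party.redirect_uris: must be an array of absolute URIs")
        if strict_rp and uris is None:
            problems.append("openid_relying_party.redirect_uris: required under strict DCR reading")
    fe = metadata.get("federation_entity")
    if isinstance(fe, dict):  # assumption: federation endpoints are checked as https URLs
        for key in ("federation_fetch_endpoint", "federation_list_endpoint"):
            if key in fe and not _is_absolute_uri(fe[key], require_https=True):
                problems.append(f"federation_entity.{key}: must be an https URL")
    return problems
```

Under the permissive reading the issue's sample passes; under the strict reading the empty `openid_relying_party` object is reported because a DCR-required parameter is missing.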


