[Openid-specs-ab] Issue #2111: [Federation] Location and scope of application of metadata_policy_crit (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Thu Feb 1 06:12:55 UTC 2024


New issue 2111: [Federation] Location and scope of application of metadata_policy_crit
https://bitbucket.org/openid/connect/issues/2111/federation-location-and-scope-of

Vladimir Dzhuvinov:

The current `metadata_policy_crit` spec is not clear where the claim may appear:

1. In Entity Configurations?
2. In Subordinate Statements?
3. In both?

Since a `metadata_policy` may only appear in a Subordinate Statement, and the `metadata_policy_crit` guides how the `metadata_policy` is to be processed, is it logical to require both to be in the same place, i.e. in Subordinate Statements?

This then leads to the following question:

When a `metadata_policy_crit` lists a critical custom operator, e.g. `lte` (less than or equal to), where does this apply:

1. To the `metadata_policy` in the same Subordinate Statement?
2. To any subordinate `metadata_policy` claims in the Trust Chain also?

[https://openid.bitbucket.io/connect/openid-federation-1_0.html#section-3-5.22](https://openid.bitbucket.io/connect/openid-federation-1_0.html#section-3-5.22)

> metadata_policy_crit
>
> OPTIONAL. The `metadata_policy_crit` (critical) Entity Statement claim indicates that extensions to the policy language defined by this specification are being used that MUST be understood and processed. It is used in the same way that `crit` is used for extension JWS header parameters that MUST be understood and processed. Its value is an array listing the policy language extensions present in the policy language statements that use those extensions. If any of the listed extension policy language extensions are not understood and supported by the recipient, then the Entity Statement is invalid. Producers MUST NOT include policy language names defined by this specification or names that do not occur in metadata policy statements in the Entity Statement in the `metadata_policy_crit` list. Producers MUST NOT use the empty array `[]` as the `metadata_policy_crit` value.
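As an added illustration of the processing rules in the quoted paragraph (example code, not from the post or from any OpenID Federation implementation), here is a resolver-side check that applies those rules to one Subordinate Statement before its `metadata_policy` is used; the custom `lte` operator, the `SAMPLE_STATEMENT` values and the function names are assumptions.

```python
# Operators defined by the spec itself; per the quoted text these MUST NOT be listed.
STANDARD_OPERATORS = {"value", "add", "default", "one_of",
                      "subset_of", "superset_of", "essential"}


def operators_used(metadata_policy: dict) -> set:
    """Collect every operator name that occurs in a metadata_policy claim."""
    used = set()
    for entity_type_policy in metadata_policy.values():
        for parameter_policy in entity_type_policy.values():
            used.update(parameter_policy.keys())
    return used


def check_metadata_policy_crit(statement: dict, supported_extensions: set) -> tuple:
    """Validate metadata_policy_crit in one Subordinate Statement; return (valid, reason).

    Rules from the quoted spec text: the array must be non-empty, must not name
    standard operators, must only name operators that occur in this statement's
    metadata_policy, and every name must be understood by this recipient.
    """
    crit = statement.get("metadata_policy_crit")
    if crit is None:
        return True, "no metadata_policy_crit present"
    if not isinstance(crit, list) or not crit:
        return False, "metadata_policy_crit must be a non-empty array"
    used = operators_used(statement.get("metadata_policy", {}))
    for name in crit:
        if name in STANDARD_OPERATORS:
            return False, f"{name} is defined by the spec and must not be listed"
        if name not in used:
            return False, f"{name} is listed but does not occur in metadata_policy"
        if name not in supported_extensions:
            return False, f"critical extension {name} not supported; statement invalid"
    return True, "ok"


# Constructed sample Subordinate Statement claims using the hypothetical `lte`
# operator from the issue; claim names are the spec's, the policy values are invented.
SAMPLE_STATEMENT = {
    "iss": "https://intermediate.example.com",
    "sub": "https://rp.example.org",
    "metadata_policy": {
        "openid_relying_party": {
            "default_max_age": {"lte": 3600},
            "token_endpoint_auth_method": {"one_of": ["private_key_jwt"]},
        }
    },
    "metadata_policy_crit": ["lte"],
}
```

A resolver that does not support `lte` gets `(False, ...)` for `SAMPLE_STATEMENT` and must treat the statement as invalid rather than silently skipping the operator.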
