[Openid-specs-ab] Issue #2102: New Entity Statement for subject data publication (openid/connect)

Stefan Santesson issues-reply at bitbucket.org
Tue Jan 2 17:28:26 UTC 2024


New issue 2102: New Entity Statement for subject data publication
https://bitbucket.org/openid/connect/issues/2102/new-entity-statement-for-subject-data

Stefan Santesson:

I would like to propose a new claim for inclusion in Entity Statements that provide information about if, how and in what way the subject entity publishes Entity Configuration data.

I have outlined this new claim here: [https://github.com/oidc-sweden/specifications/blob/main/swedish-oidc-fed-profile.md#subject-data-publication-claim](https://github.com/oidc-sweden/specifications/blob/main/swedish-oidc-fed-profile.md#subject-data-publication-claim)


The motivation behind this claim is to allow validation of leaf entities that do not have the capability to create and publish Entity Configuration. This claim then provides the necessary information to allow validation of entity data via the Entity Statement issued to this entity, even in the absence of an Entity Configuration.

It is fully understood that an entity that does not publish an Entity Configuration at a well-known location can’t be discovered using the regular mechanism in a bottom-up path building strategy. But it can still be validated and supported by a Resolver that traverses the federation entities top-down.

If this claim is supported, the Leaf Entity is given a choice:

* Choose the simplified alternative (not publish Entity Configuration) but accept that it will only be visible to entities that use a compatible Resolver, or;
* Choose the more advanced alternative (publish Entity Configuration) and be visible to all entities that do not use a Resolver.

As I believe that, at least in our case, all federation services will use Resolvers, the simplified approach will be a viable option, especially for RPs that know that the few OPs they use support interaction with them via a Resolver.


This claim also has other advantages as it can provide information about the exact location of Entity Configuration data. This is helpful to avoid retries on multiple URLs when publication does not strictly follow RFC 8414. This is a great help for Resolvers doing top-down traversal of the federation infrastructure.
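The resolver behaviour the proposal describes, as an added example that is not part of the original post and not code from the Swedish profile: a top-down Resolver verifies the trust anchor's self-signed Entity Configuration against pre-configured keys, verifies the Entity Statement the anchor issued for a leaf, and then either takes the leaf's data straight from that statement (when the claim says no Entity Configuration is published) or fetches the Entity Configuration from the well-known or claim-supplied location and verifies it with the keys the superior asserted for the subject. The claim name `subject_data_publication` follows the linked section's title, but its structure (`publication_type` of `none`, `wellknown` or `custom`, plus `location`) is an assumption made for this example. Signatures use HS256 with `oct` JWKs purely to keep the example self-contained; real federations use asymmetric keys, multi-level chains and metadata policies, which are omitted here. All entity identifiers, keys and statements are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# --- minimal JWS helpers (HS256 with "oct" JWKs, chosen only so the example runs offline) ---

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_statement(payload: dict, jwk: dict) -> str:
    """Sign an Entity Statement / Entity Configuration payload with an 'oct' JWK."""
    header = {"alg": "HS256", "typ": "entity-statement+jwt", "kid": jwk["kid"]}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(payload).encode())
    sig = hmac.new(_b64u_dec(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def verify_statement(token: str, jwks: dict, now=None) -> dict:
    """Verify the signature (kid looked up in the given JWK Set) and expiry; return the payload."""
    h, p, s = token.split(".")
    header = json.loads(_b64u_dec(h))
    matching = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if not matching:
        raise ValueError("no key with kid %r in the trusted JWK Set" % header.get("kid"))
    expected = hmac.new(_b64u_dec(matching[0]["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s)):
        raise ValueError("signature verification failed")
    payload = json.loads(_b64u_dec(p))
    if payload["exp"] <= (now if now is not None else time.time()):
        raise ValueError("statement expired")
    return payload

# --- top-down resolution of a leaf directly below a trust anchor ---

WELL_KNOWN = "/.well-known/openid-federation"

def resolve_leaf_top_down(ta_entity_id, ta_configuration_jwt, trusted_ta_jwks,
                          subordinate_statement_jwt, fetch_entity_configuration):
    """Return the leaf's validated entity data and where it came from.

    Assumed claim shape (hypothetical): "subject_data_publication":
        {"publication_type": "none" | "wellknown" | "custom", "location": "<url>"}
    """
    # 1. the trust anchor's Entity Configuration must verify with keys we trust out of band
    ta_config = verify_statement(ta_configuration_jwt, trusted_ta_jwks)
    if ta_config["iss"] != ta_entity_id or ta_config["sub"] != ta_entity_id:
        raise ValueError("trust anchor configuration is not self-issued")
    # 2. the Entity Statement about the leaf must verify with the anchor's published keys
    statement = verify_statement(subordinate_statement_jwt, ta_config["jwks"])
    if statement["iss"] != ta_entity_id or statement["sub"] == ta_entity_id:
        raise ValueError("statement is not issued by the anchor about a subordinate")
    publication = statement.get("subject_data_publication", {"publication_type": "wellknown"})
    kind = publication["publication_type"]
    if kind == "none":
        # no Entity Configuration exists: the superior's statement is the only source of leaf data
        return {"sub": statement["sub"], "metadata": statement["metadata"], "source": "entity_statement"}
    location = publication["location"] if kind == "custom" else statement["sub"] + WELL_KNOWN
    # 3. the leaf's Entity Configuration must verify with the keys the superior asserted for it
    ec = verify_statement(fetch_entity_configuration(location), statement["jwks"])
    if ec["iss"] != statement["sub"] or ec["sub"] != statement["sub"]:
        raise ValueError("Entity Configuration is not self-issued by the subject")
    return {"sub": ec["sub"], "metadata": ec["metadata"], "source": location}

# --- constructed sample federation: one anchor, one RP without EC, one RP with a custom-location EC ---

def build_demo_federation():
    now = int(time.time())
    exp = now + 3600
    ta_key = {"kty": "oct", "kid": "ta-1", "k": _b64u(b"trust-anchor-secret-for-demo-only")}
    rp_a_key = {"kty": "oct", "kid": "rpa-1", "k": _b64u(b"rp-a-secret-for-demo-only")}
    rp_b_key = {"kty": "oct", "kid": "rpb-1", "k": _b64u(b"rp-b-secret-for-demo-only")}
    ta, rp_a, rp_b = "https://ta.example", "https://rp-a.example", "https://rp-b.example"
    ta_config = sign_statement({"iss": ta, "sub": ta, "iat": now, "exp": exp,
                                "jwks": {"keys": [ta_key]}}, ta_key)
    es_a = sign_statement({"iss": ta, "sub": rp_a, "iat": now, "exp": exp, "jwks": {"keys": [rp_a_key]},
                           "metadata": {"openid_relying_party": {"redirect_uris": [rp_a + "/cb"]}},
                           "subject_data_publication": {"publication_type": "none"}}, ta_key)
    custom = rp_b + "/federation/entity-configuration"
    es_b = sign_statement({"iss": ta, "sub": rp_b, "iat": now, "exp": exp, "jwks": {"keys": [rp_b_key]},
                           "subject_data_publication": {"publication_type": "custom", "location": custom}}, ta_key)
    ec_b = sign_statement({"iss": rp_b, "sub": rp_b, "iat": now, "exp": exp, "jwks": {"keys": [rp_b_key]},
                           "metadata": {"openid_relying_party": {"redirect_uris": [rp_b + "/cb"]}}}, rp_b_key)
    hosted = {custom: ec_b}  # rp-a hosts nothing; a fetch for it would fail, and the resolver never tries
    return ta, ta_config, {"keys": [ta_key]}, {"rp_a": es_a, "rp_b": es_b}, (lambda url: hosted[url])

def run_demo() -> dict:
    ta, ta_config, trusted, statements, fetch = build_demo_federation()
    return {name: resolve_leaf_top_down(ta, ta_config, trusted, es, fetch) for name, es in statements.items()}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point the example makes is that the leaf's keys and metadata are trusted only because the superior signed them, so a leaf that publishes nothing is no weaker than one that does, provided the Resolver refuses to fall back to unauthenticated fetches when the claim is absent or the signature check fails.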


