[Openid-specs-ab] Issue #2158: Metadata parameter value arrays for RP metadata (openid/connect)

Stefan Santesson issues-reply at bitbucket.org
Fri Jun 14 14:10:30 UTC 2024


New issue 2158: Metadata parameter value arrays for RP metadata
https://bitbucket.org/openid/connect/issues/2158/metadata-parameter-value-arrays-for-rp

Stefan Santesson:

OpenID Federation opens up the possibility for federation entities to publish one metadata record that is consumed by multiple peer entities.

For this to work properly, the federation entity needs to be able to publish capabilities that can match more than one peer endpoint.

Unfortunately, the RP (and OAuth client) metadata parameters were not designed with this federated scenario in mind.
Example:

* If an RP can support several different token_endpoint_auth_method options, it can still only signal a single value in its metadata.
* If an RP can accept both RS256 as well as ES256 signatures from the OP, depending on what type of signature key the OP has, it can still only signal one option in id_token_signed_response_alg.


We have explored many ideas on how to solve this and we would like to offer the latest idea for consideration.

In this proposal, the way to fix this is NOT by doing anything in the OID fed document (more than identifying the solution). Instead the proposal is to do a metadata extension document for OpenID federation saying the following:

**Proposal:**

Each metadata parameter name that provides a single value, where the RP/Client wishes to provide a list of acceptable values in the order of preference, can be extended by the string "[]". This forms the name of a companion metadata parameter with an array of values.

Example 1:

> "token_endpoint_auth_method": "client_secret_post"  
> "token_endpoint_auth_method[]": ["private_key_jwt","client_secret_post"]

Example 2:

> "id_token_signed_response_alg": "RS256"  
> "id_token_signed_response_alg[]": ["RS256","ES256"]

The semantics of these declarations are that the original parameter name is used by all legacy peers and is treated according to standard. Peers that support the metadata parameter array extension MAY use the corresponding parameter with the "[]" name extension to learn about the client/RP capabilities in the order of preference. If used, the array extension parameter overrides the original parameter.
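A worked illustration of the semantics described in the proposal, added here as an example (it is not code from the issue, from the OpenID Federation specification, or from any implementation): a small Python resolver that reads an RP record carrying "[]" companion parameters, picks the first RP preference that an OP supports, and shows what a legacy peer that ignores the companion would pick instead. The mapping to OP discovery parameters uses the real `token_endpoint_auth_methods_supported` and `id_token_signing_alg_values_supported` names from OpenID Connect Discovery; the sample RP and OP records are constructed, and the consistency checks at the end are this example's own suggestion, not something the proposal requires.

```python
from typing import Any, Dict, List, Optional, Set

ARRAY_SUFFIX = "[]"

# Real OpenID Connect Discovery parameters that advertise what an OP supports,
# paired with the RP/client metadata parameter each one constrains.
OP_DISCOVERY_PARAM = {
    "token_endpoint_auth_method": "token_endpoint_auth_methods_supported",
    "id_token_signed_response_alg": "id_token_signing_alg_values_supported",
}


def preference_list(rp_metadata: Dict[str, Any], name: str,
                    extension_aware: bool = True) -> List[str]:
    """Ordered values the RP accepts for `name`.

    A peer that supports the extension uses "name[]" when present (it overrides
    "name", as the proposal states); a legacy peer (extension_aware=False)
    only ever sees the single-valued "name".
    """
    companion = name + ARRAY_SUFFIX
    if extension_aware and companion in rp_metadata:
        values = rp_metadata[companion]
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{companion} must be a JSON array of strings")
        return list(values)
    if name in rp_metadata:
        return [rp_metadata[name]]
    return []


def negotiate(rp_metadata: Dict[str, Any], name: str, op_supported: Set[str],
              extension_aware: bool = True) -> Optional[str]:
    """First RP preference the OP supports, or None if there is no overlap."""
    for value in preference_list(rp_metadata, name, extension_aware):
        if value in op_supported:
            return value
    return None


def negotiate_with_op(rp_metadata: Dict[str, Any], op_metadata: Dict[str, Any],
                      extension_aware: bool = True) -> Dict[str, Optional[str]]:
    """Resolve every mapped RP parameter against an OP discovery document."""
    return {
        rp_param: negotiate(rp_metadata, rp_param,
                            set(op_metadata.get(op_param, [])), extension_aware)
        for rp_param, op_param in OP_DISCOVERY_PARAM.items()
    }


def consistency_warnings(rp_metadata: Dict[str, Any]) -> List[str]:
    """Lint a metadata record for "[]" companions that would surprise peers.

    These checks are this example's own suggestion, not rules in the proposal:
    a companion with no legacy base leaves legacy peers with nothing, an empty
    array advertises no capability, and a legacy value absent from the array
    means legacy and extension-aware peers see different capability sets.
    """
    warnings = []
    for key, values in rp_metadata.items():
        if not key.endswith(ARRAY_SUFFIX):
            continue
        base = key[: -len(ARRAY_SUFFIX)]
        if base not in rp_metadata:
            warnings.append(f"{key} has no legacy {base}; legacy peers see no value")
        elif not values:
            warnings.append(f"{key} is empty")
        elif rp_metadata[base] not in values:
            warnings.append(f"legacy {base}={rp_metadata[base]!r} is not listed in {key}")
    return warnings


# Constructed sample RP metadata, mirroring the two examples in the proposal.
RP_METADATA = {
    "token_endpoint_auth_method": "client_secret_post",
    "token_endpoint_auth_method[]": ["private_key_jwt", "client_secret_post"],
    "id_token_signed_response_alg": "RS256",
    "id_token_signed_response_alg[]": ["RS256", "ES256"],
}

# Constructed OP discovery fragment: an OP that only holds an EC signing key.
EC_ONLY_OP = {
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["ES256"],
}

if __name__ == "__main__":
    print("extension-aware OP:", negotiate_with_op(RP_METADATA, EC_ONLY_OP))
    print("legacy OP:         ", negotiate_with_op(RP_METADATA, EC_ONLY_OP, extension_aware=False))
    print("warnings:", consistency_warnings(RP_METADATA))
```

Against the EC-only OP, an extension-aware peer lands on `private_key_jwt` (the RP's first preference) and `ES256`, while a legacy peer reading only the single-valued parameters gets `client_secret_post` and no usable ID token algorithm at all, which is exactly the gap the proposal is trying to close.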



