Skip to content

Adjust and simplify policy operator combinations #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Mar 5, 2025
Merged

Adjust and simplify policy operator combinations #177

merged 8 commits into from
Mar 5, 2025

Conversation

@vdzhuvinov
Copy link
Collaborator

@vdzhuvinov vdzhuvinov commented Jan 15, 2025
edited
Loading

Addresses issues #11 , #129 , #180.

The chief aim of this PR is to make it easier for architects to devise metadata policies in federations with multiple Trust Anchors or federations with complex topologies. In a single-anchored federation the current, limited operator combinations were okay, because one can simply lookup the policies of the Superior(s) and tweak the local policy where necessary. When dealing with multiple Trust Anchors the limited combinations become a problem. This PR fixes that. It also fixes the value + essential combination, which current spec may lead to policy conflict (#180).

This PR incorporates the contributions of @zachmann from PRs #111 and #112 (thanks!), with slight edits , plus several additional combination changes.

The proposed combinations were implemented in the Nimbus OIDC / OAuth SDK and were tested, including tests against a suite of several thousand generated test vectors: https://connect2id.com/blog/metadata-policy-test-vectors-openid-federation

The proposed combinations changes + fix, as a table:

image

The combinations in draft 41, for comparison. Notice that the updated version has more green or yellow squares for policies to "land", as it covers all logical combinations.

image

This PR also tightens the language in a few places.

This was referenced Jan 15, 2025
Closed
Closed
@zachmann
Copy link
Collaborator

zachmann commented Jan 16, 2025
edited
Loading

There is an error in the image: The "new" table states the check for value + add is The value of "value" MUST be a subset of the values "add". It should be the other way round: The value of "add" MUST be a subset of the values of "value".

The spec text is fine.

@vdzhuvinov
Copy link
Collaborator Author

vdzhuvinov commented Jan 16, 2025

The "new" table states the check for value + add is The value of "value" MUST be a subset of the values "add". It should be the other way round: The value of "add" MUST be a subset of the values of "value".

@zachmann Thanks for spotting this, I fixed the table.

@vdzhuvinov
Copy link
Collaborator Author

vdzhuvinov commented Jan 16, 2025

Please, ignore this PR for the time being. I had a chat with Roland and we also want to investigate an alternative change where in combinations of the value operator it always takes precedence.

@vdzhuvinov vdzhuvinov mentioned this pull request Jan 17, 2025
Closed
@peppelinux peppelinux marked this pull request as draft January 22, 2025 15:45
@rohe
Copy link
Collaborator

rohe commented Feb 7, 2025

For value+superset_of in the Combination checks table, the text should be:
The values of "value" MUST be a superset of the values of "superset_of".
not
The values of "default" MUST be a superset of the values of "superset_of".

@vdzhuvinov
Copy link
Collaborator Author

vdzhuvinov commented Feb 12, 2025

@rohe Fixed the table to mark the add + superset_of combination as unconditional (green).

@vdzhuvinov
Copy link
Collaborator Author

vdzhuvinov commented Feb 12, 2025

For value+superset_of in the Combination checks table, the text should be: The values of "value" MUST be a superset of the values of "superset_of". not The values of "default" MUST be a superset of the values of "superset_of".

@rohe Fixed that table cell too, thanks!

@vdzhuvinov vdzhuvinov mentioned this pull request Feb 12, 2025
Closed
selfissued
selfissued approved these changes Mar 5, 2025
View reviewed changes
Copy link
Member

@selfissued selfissued left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are test vectors for this at https://connect2id.com/blog/metadata-policy-test-vectors-openid-federation

@peppelinux peppelinux marked this pull request as ready for review March 5, 2025 15:12
@peppelinux peppelinux merged commit 4714300 into openid:main Mar 5, 2025
This was referenced Mar 5, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rohe rohe rohe approved these changes

@peppelinux peppelinux peppelinux approved these changes

@selfissued selfissued selfissued approved these changes

@ve7jtb ve7jtb Awaiting requested review from ve7jtb

+1 more reviewer

@zachmann zachmann zachmann approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@vdzhuvinov @zachmann @rohe @peppelinux @selfissued