This repository has been archived by the owner on Jun 14, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
openid-connect-federation-1_0.txt
4536 lines (3003 loc) · 139 KB
/
openid-connect-federation-1_0.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
R. Hedberg, Ed.
independent
M. Jones
Microsoft
A. Solberg
Uninett
S. Gulliksson
Schibsted
J. Bradley
Yubico
September 9, 2021
OpenID Connect Federation 1.0 - draft 17
openid-connect-federation-1_0
Abstract
A federation can be expressed as an agreement between parties that
trust each other. In bilateral federations, you can have direct
trust between the parties. In a multilateral federation, bilateral
agreements might not be practical, in which case, trust can be
mediated by a third party. That is the model used in this
specification.
An entity in the federation must be able to trust that other entities
it is interacting with belong to the same federation. It must also
be able to trust that the information the other entities publish
about themselves has not been tampered with during transport and that
it adheres to the federation's policies.
This specification describes the basic components you will need to
build a multilateral federation and it provides a guide on how to
apply them when the underlying protocol used is OpenID Connect.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Overall Architecture . . . . . . . . . . . . . . . . . . . . 5
3. Components . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Entity Statement . . . . . . . . . . . . . . . . . . . . 6
3.2. Trust Chain . . . . . . . . . . . . . . . . . . . . . . . 11
4. Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. RP Metadata . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. OP Metadata . . . . . . . . . . . . . . . . . . . . . . . 14
4.3. OAuth Authorization Server . . . . . . . . . . . . . . . 16
Hedberg, et al. Expires March 13, 2022 [Page 1]
OpenID Connect Federation September 2021
4.4. OAuth Client . . . . . . . . . . . . . . . . . . . . . . 16
4.5. OAuth Protected Resource . . . . . . . . . . . . . . . . 17
4.6. Federation Entity . . . . . . . . . . . . . . . . . . . . 17
5. Federation Policy . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Metadata Policy . . . . . . . . . . . . . . . . . . . . . 18
5.1.1. Operators . . . . . . . . . . . . . . . . . . . . . . 19
5.1.2. Restrictions on Policy Entries . . . . . . . . . . . 19
5.1.3. Combining Policies . . . . . . . . . . . . . . . . . 20
5.1.3.1. Merging Operators . . . . . . . . . . . . . . . . 20
5.1.4. Applying Policies . . . . . . . . . . . . . . . . . . 21
5.1.5. Policy Combination Example . . . . . . . . . . . . . 22
5.1.6. Enforcing Policy . . . . . . . . . . . . . . . . . . 24
5.1.7. Extending the Policy Language . . . . . . . . . . . . 24
5.1.8. Policy Example . . . . . . . . . . . . . . . . . . . 25
5.2. Applying Constraints . . . . . . . . . . . . . . . . . . 27
5.2.1. Max Path Length . . . . . . . . . . . . . . . . . . . 27
5.2.2. Naming Constraints . . . . . . . . . . . . . . . . . 28
5.3. Trust Marks . . . . . . . . . . . . . . . . . . . . . . . 29
5.3.1. Trust Mark Claims . . . . . . . . . . . . . . . . . . 29
5.3.2. Validating a Trust Mark . . . . . . . . . . . . . . . 30
5.3.3. Trust Mark Example . . . . . . . . . . . . . . . . . 30
6. Obtaining Federation Entity Configuration Information . . . . 31
6.1. Federation Entity Configuration Request . . . . . . . . . 31
6.2. Federation Entity Configuration Response . . . . . . . . 31
7. Federation API . . . . . . . . . . . . . . . . . . . . . . . 33
7.1. Fetching Entity Statements (REQUIRED) . . . . . . . . . . 33
7.1.1. Fetch Entity Statements Request . . . . . . . . . . . 33
7.1.2. Fetch Entity Statements Response . . . . . . . . . . 34
7.2. Trust Negotiation (OPTIONAL) . . . . . . . . . . . . . . 36
7.2.1. Trust Negotiation Request . . . . . . . . . . . . . . 36
7.2.2. Trust Negotiation Response . . . . . . . . . . . . . 37
7.3. Entity Listings (OPTIONAL) . . . . . . . . . . . . . . . 38
7.3.1. Entity Listings Request . . . . . . . . . . . . . . . 38
7.3.2. Entity Listing Response . . . . . . . . . . . . . . . 38
7.4. Generic Error Response . . . . . . . . . . . . . . . . . 39
8. Resolving Trust Chain and Metadata . . . . . . . . . . . . . 40
8.1. Fetching Entity Statements to Establish a Trust Chain . . 40
8.2. Validating a Trust Chain . . . . . . . . . . . . . . . . 40
8.3. Choosing One of the Valid Trust Chains . . . . . . . . . 41
8.4. Calculating the Expiration Time of a Trust Chain . . . . 41
9. Updating Metadata, Key Rollover, and Revocation . . . . . . . 42
9.1. Protocol Key Rollover . . . . . . . . . . . . . . . . . . 42
9.2. Key Rollover for a Trust Anchor . . . . . . . . . . . . . 42
9.3. Revocation . . . . . . . . . . . . . . . . . . . . . . . 42
10. OpenID Connect Communication . . . . . . . . . . . . . . . . 43
10.1. Automatic Registration . . . . . . . . . . . . . . . . . 43
10.1.1. Authentication Request . . . . . . . . . . . . . . . 44
10.1.1.1. Using a Request Object . . . . . . . . . . . . . 44
Hedberg, et al. Expires March 13, 2022 [Page 2]
OpenID Connect Federation September 2021
10.1.1.1.1. Processing the Authentication Request . . . 45
10.1.1.2. Using Pushed Authorization . . . . . . . . . . . 46
10.1.1.2.1. Processing the Authentication Request . . . 47
10.1.2. Authentication Error Response . . . . . . . . . . . 48
10.2. Explicit Registration . . . . . . . . . . . . . . . . . 49
10.2.1. Client Registration . . . . . . . . . . . . . . . . 49
10.2.1.1. Client Registration Request . . . . . . . . . . 49
10.2.1.2. Client Registration Response . . . . . . . . . . 49
10.2.1.2.1. OP Constructing the Response . . . . . . . . 49
10.2.1.2.2. RP Parsing the Response . . . . . . . . . . 50
10.2.2. After Client Registration . . . . . . . . . . . . . 51
10.2.2.1. What the RP MUST Do . . . . . . . . . . . . . . 51
10.2.2.2. What the OP MUST Do . . . . . . . . . . . . . . 51
10.2.3. Expiration Times . . . . . . . . . . . . . . . . . . 52
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 52
12. Security Considerations . . . . . . . . . . . . . . . . . . . 52
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
13.1. Normative References . . . . . . . . . . . . . . . . . . 52
13.2. Informative References . . . . . . . . . . . . . . . . . 54
Appendix A. Provider Information Discovery and Client
Registration in a Federation . . . . . . . . . . . . 54
A.1. Setting Up a Federation . . . . . . . . . . . . . . . . . 55
A.2. The LIGO Wiki Discovers the OP's Metadata . . . . . . . . 55
A.2.1. Configuration Information for op.umu.se . . . . . . . 56
A.2.2. Configuration Information for 'https://umu.se' . . . 58
A.2.3. Entity Statement Published by 'https://umu.se' about
'https://op.umu.se' . . . . . . . . . . . . . . . . . 59
A.2.4. Configuration Information for 'https://swamid.se' . . 61
A.2.5. Entity Statement Published by 'https://swamid.se'
about 'https://umu.se' . . . . . . . . . . . . . . . 62
A.2.6. Configuration Information for
'https://edugain.geant.org' . . . . . . . . . . . . . 64
A.2.7. Entity Statement Published by
'https://edugain.geant.org' about 'https://swamid.se' 65
A.2.8. Verified Metadata for op.umu.se . . . . . . . . . . . 66
A.3. The Two Ways of Doing Client Registration . . . . . . . . 68
A.3.1. RP Sends Authentication Request (Automatic
Registration) . . . . . . . . . . . . . . . . . . . . 68
A.3.1.1. OP Fetches Entity Statements . . . . . . . . . . 69
A.3.1.2. OP Evaluates the RP Metadata . . . . . . . . . . 70
A.3.2. Client Starts with Registration (Explicit Client
Registration) . . . . . . . . . . . . . . . . . . . . 72
Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . . 75
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 76
Appendix D. Open Issues . . . . . . . . . . . . . . . . . . . . 76
Appendix E. Document History . . . . . . . . . . . . . . . . . . 77
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80
Hedberg, et al. Expires March 13, 2022 [Page 3]
OpenID Connect Federation September 2021
1. Introduction
This specification describes how two entities that would like to
interact can dynamically fetch and resolve trust and metadata for a
given protocol through the use of third-party trust anchor. A trust
anchor is an entity whose main purpose is to issue statements about
entities, such as OpenID Connect Relying Parties, OpenID Providers,
and participating organizations. An identity federation can be
realized using this specification using one or more levels of trust
issuers. This specification does not mandate a specific way or
restrict how a federation may be built. Instead, the specification
provides the basic technical trust infrastructure building blocks
needed to build a dynamic and distributed trust network such as a
federation.
Note that this specification only concerns itself with how entities
in a federation get to know about each other. Furthermore, note that
a company, as with any real-world organization, MAY be represented by
more than one entity in a federation. It is also true that an entity
can be part of more than one federation.
OpenID Connect Federation trust chains rely on cryptographically
signed JSON Web Token (JWT) [RFC7519] documents, and the trust chain
does not at all rely on TLS [RFC8446] to establish trust.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.2. Terminology
This specification uses the terms "Claim Name", "Claim Value", "JSON
Web Token (JWT)", defined by JSON Web Token (JWT) [RFC7519] and the
terms "OpenID Provider (OP)" and "Relying Party (RP)" defined by
OpenID Connect Core 1.0 [OpenID.Core].
This specification also defines the following terms:
Entity
Something that has a separate and distinct existence and that can
be identified in a context. All entities in an OpenID Connect
federation MUST have a globally unique identifier.
Entity identifier
An URI that is globally unique and that is bound to one Entity.
Hedberg, et al. Expires March 13, 2022 [Page 4]
OpenID Connect Federation September 2021
Entity statement
An entity statement is issued by an entity, which pertains to a
subject entity and leaf entities. An entity statement is always a
signed JWT.
Intermediate entity
An entity that issues an entity statement that appears somewhere
in between those issued by the trust anchor and the leaf entity in
a trust chain.
Leaf Entity
An entity defined by a certain protocol, e.g., OpenID Connect
Relying Party or Provider.
Trust Anchor
An entity that represents a trusted third party.
Trust Chain
A sequence of entity statements that represents a chain starting
at a leaf entity and ending in a trust anchor.
2. Overall Architecture
The basic component is the entity statement, which is a
cryptographically signed JSON Web Token (JWT) [RFC7519]. A set of
entity statements can form a path from a leaf entity to a trust
anchor. This is done by having authority hints in an entity
statement pointing to its nearest superiors. Starting with an entity
statement, you can then find the next level of entity statements by
following the authority hints. And then repeat this until you hit a
trust anchor.
Once you have followed a path, you have collected a set of entity
statements that forms a chain. You can verify that this chain has
not been tampered with by verifying the signature of each statement.
How this is done is described in Section 3.2.
With a verified trust chain in hand, you can now apply federation
policy to the published metadata. How this is done is described in
Section 5.
Note that this specification is only dealing with trust in that the
other party is part of the same federation as you and that you can
trust that the metadata you get that describes the other party is
what was sent. The specification does not touch protocol operations
outside those of metadata exchange. In OpenID Connect terms, these
are protocol operations other than discovery and registration.
Hedberg, et al. Expires March 13, 2022 [Page 5]
OpenID Connect Federation September 2021
The fact that we use OpenID Connect in all the examples in this
specification does not mean that the specification can only be used
together with OpenID Connect. On the contrary, it can equally well
be used to build an OAuth 2.0 federations or for that matter, other
protocols that depend on dynamic exchange of entity metadata.
3. Components
3.1. Entity Statement
An entity statement is issued by an entity and concerns a subject
entity and leaf entities in a federation. An entity statement is
always a signed JWT. All entities in a federation SHOULD be prepared
to publish an entity statement about themselves. If they are not
able to do so themselves someone else MUST do it for them.
An entity statement is composed of the following claims:
iss
REQUIRED. The entity identifier of the issuer of the statement.
If the "iss" and the "sub" are identical, the issuer is making a
statement about itself.
sub
REQUIRED. The entity identifier of the subject
iat
REQUIRED. The time the statement was issued. Its value is a JSON
number representing the number of seconds from 1970-01-01T0:0:0Z
as measured in UTC until the date/time. See RFC 3339 [RFC3339]
for details regarding date/times in general and UTC in particular.
exp
REQUIRED. Expiration time on or after which the statement MUST
NOT be accepted for processing. Its value is a JSON number
representing the number of seconds from 1970-01-01T0:0:0Z as
measured in UTC until the date/time.
jwks
OPTIONAL. A JSON Web Key Set (JWKS) [RFC7517] representing the
public part of the subject entity's signing keys. The
corresponding private key is used by leaf entities to sign entity
statements about themselves, and intermediate entities to sign
statements about other entities. The keys that can be found here
are primarily intended to sign entity statements and SHOULD NOT be
used in other protocols. This claim is only OPTIONAL for the
entity statement returned from an OP when the client is doing
Hedberg, et al. Expires March 13, 2022 [Page 6]
OpenID Connect Federation September 2021
explicit registration. In all other cases it is REQUIRED. Every
JWK in the JWK Set MUST have a Key ID (kid).
aud
OPTIONAL. The entity statement MAY be specifically created for an
entity. The entity identifier for that entity MUST appear in this
claim.
authority_hints
OPTIONAL. Array of strings representing the entity identifiers of
intermediate entities or trust anchors that MAY issue an entity
statement about the issuer entity. For all entities except for
trust anchors that do not have any superiors this is REQUIRED and
MUST NOT be the empty list []. This claim MUST be absent from an
entity statement issued by a trust anchor with no superiors.
metadata
OPTIONAL. JSON object including protocol specific metadata claims
that represent the entity's metadata. Each key of the JSON object
represents a metadata type identifier, and each value MUST be a
JSON object representing the metadata according to the metadata
schema of that metadata type. An entity statement MAY contain
multiple metadata statements, but only one for each metadata type.
If the "iss" of an entity statement points to the same entity as
the "sub", then the entity statement MUST contain a "metadata"
claim. If "iss" and "sub" are not the same, then the entity
statement MUST NOT contain a "metadata" claim.
metadata_policy
OPTIONAL. JSON object that describes a metadata policy. Each key
of the JSON object represents a metadata type identifier, and each
value MUST be a JSON object representing the metadata policy
according to the metadata schema of that metadata type. An entity
statement MAY contain multiple metadata policy statements, but
only one for each metadata type. Only non-leaf entities MAY
contain a "metadata_policy" claim. Leaf entities MUST NOT contain
a "metadata_policy" claim.
constraints
OPTIONAL. JSON object that describes a set of trust chain
constraints. There is more about this in Section 5.2.
crit
OPTIONAL. The "crit" (critical) entity statement claim indicates
that extensions to entity statement claims defined by this
specification are being used that MUST be understood and
processed. It is used in the same way that "crit" is used for
extension JWS [RFC7515] header parameters that MUST be understood
Hedberg, et al. Expires March 13, 2022 [Page 7]
OpenID Connect Federation September 2021
and processed. Its value is an array listing the entity statement
claims present in the entity statement that use those extensions.
If any of the listed extension entity statement claims are not
understood and supported by the recipient, then the entity
statement is invalid. Producers MUST NOT include entity statement
claim names defined by this specification or names that do not
occur as entity statement claim names in the entity statement in
the "crit" list. Producers MUST NOT use the empty list "[]" as
the "crit" value.
policy_language_crit
OPTIONAL. The "policy_language_crit" (critical) entity statement
claim indicates that extensions to the policy language defined by
this specification are being used that MUST be understood and
processed. It is used in the same way that "crit" is used for
extension JSON Web Signature (JWS) [RFC7515] header parameters
that MUST be understood and processed. Its value is an array
listing the policy language extensions present in the policy
language statements that use those extensions. If any of the
listed extension policy language extensions are not understood and
supported by the recipient, then the entity statement is invalid.
Producers MUST NOT include policy language names defined by this
specification or names that do not occur in policy language
statements in the entity statement in the "policy_language_crit"
list. Producers MUST NOT use the empty list "[]" as the
"policy_language_crit" value.
trust_marks
OPTIONAL. A JSON array of signed JSON Web Tokens, each
representing a certification mark. There is more about
certification marks in Section 5.3.
trust_marks_issuers
OPTIONAL. A trust anchor MAY use this claim to tell which trust
mark identifiers and their issuers are trusted by the federation.
This claim MUST be ignored if present in an entity statement of
other entities than trust anchor. It is a JSON array with keys
representing trust mark identifiers and values being an array of
trusted entities representing the accreditation authority. A
special value of "*" allows for self-signed trust marks. There is
more about certification marks in Section 5.3.
Hedberg, et al. Expires March 13, 2022 [Page 8]
OpenID Connect Federation September 2021
The following is a non-normative example of a "trust_marks_issuers"
claim value:
{
"https://openid.net/certification/op": ["*"],
"https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf":
["https://swamid.sunet.se"]
}
trust_anchor_id
OPTIONAL. An OP MUST use this claim to tell the RP which trust
anchor it chose to use when responding to an explicit client
registration. The value of "trust_anchor_id" is the entity
identifier of a trust anchor.
The entity statement is signed using the private key of the issuer
entity, in the form of a JSON Web Signature (JWS) [RFC7515].
Entities MUST support signing Entity Statements with the RSA SHA-256
algorithm (an "alg" value of "RS256"). Consequently entities MUST
support signature verification where the statement was signed using
RS256.
The following is a non-normative example of an entity statement
before serialization and adding a signature. The example contains a
critical extension "jti" (JWT ID) to the entity statement and one
critical extension to the policy language "regexp" (Regular
expression).
Hedberg, et al. Expires March 13, 2022 [Page 9]
OpenID Connect Federation September 2021
{
"iss": "https://feide.no",
"sub": "https://ntnu.no",
"iat": 1516239022,
"exp": 1516298022,
"crit": ["jti"],
"jti": "7l2lncFdY6SlhNia",
"policy_language_crit": ["regexp"],
"metadata_policy": {
"openid_provider": {
"issuer": {"value": "https://ntnu.no"},
"organization_name": {"value": "NTNU"},
"id_token_signing_alg_values_supported":
{"subset_of": ["RS256", "RS384", "RS512"]},
"op_policy_uri": {
"regexp":
"^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"}
},
"openid_relying_party": {
"organization_name": {"value": "NTNU"},
"grant_types_supported": {
"subset_of": ["authorization_code", "implicit"]},
"scopes": {
"subset_of": ["openid", "profile", "email", "phone"]}
}
},
"constraints": {
"max_path_length": 2
},
"jwks": {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"key_ops": ["verify"],
"kid": "key1",
"kty": "RSA",
"n": "pnXBOusEANuug6ewezb9J_...",
"use": "sig"
}
]
},
"authority_hints": [
"https://edugain.org/federation"
]
}
Hedberg, et al. Expires March 13, 2022 [Page 10]
OpenID Connect Federation September 2021
3.2. Trust Chain
In an OpenID Connect Identity Federation, entities that together
build a trust chain can be categorized as:
Trust anchor
An entity that represents a trusted third party.
Leaf
In an OpenID Connect Identity Federation, an RP or an OP.
Intermediate
Neither a leaf nor a trust anchor.
A trust chain begins with a leaf entity's self-signed entity
statement, has zero or more entity statements issued by intermediates
about subordinates, and ends with an entity statement issued by the
trust anchor about the top-most intermediate (if there are
intermediates) or the leaf entity (if there are no intermediates).
A simple example: If we have an RP that belongs to organization A
that is a member of federation F, the trust chain for such a setup
will contain the following entity statements:
1. a self-signed entity statement about the RP published by the RP,
2. an entity statement about the RP published by Organization A, and
3. an entity statement about Organization A published by Federation.
F
A trust chain MUST always be possible to order such that: If we name
the entity statements ES[0] (the leaf entity's self-signed entity
statement) to ES[i] (an entity statement issued by the trust anchor),
i>0 then:
o The "iss" entity in one entity statement is always the "sub"
entity in the next. ES[j]['iss'] == ES[j+1]['sub'], j=0,...,i-1 .
o There MUST always be a signing key carried in the "jwks" claim in
ES[j] that can be used to verify the signature of ES[j-1],
j=i,...,1 .
o It MUST be possible to verify the signature of ES[0] with one of
the keys in ES[0]['jwks'].
Hedberg, et al. Expires March 13, 2022 [Page 11]
OpenID Connect Federation September 2021
The signing key that MUST be used to verify ES[i] is distributed from
the trust anchors to any entity that needs to verify a trust chain in
some secure out-of-band way not described in this document.
4. Metadata
This specification does allow new metadata types to be defined, to
support use cases outside OpenID Connect federations. The metadata
type identifier will uniquely identify which metadata specification
to utilize.
The metadata document MUST be a JSON object. Beyond that there is no
restriction.
Metadata used in federations typically reuses existing metadata
standards. If needed, the metadata schema is extended with
additional properties relevant in a federated context. For instance,
for OpenID Connect Federations, this specification uses metadata
values from OpenID Connect Discovery 1.0 [OpenID.Discovery] and
OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration]
and adds additional values used for federations.
4.1. RP Metadata
The metadata type identifier is "openid_relying_party".
All parameters defined in Section 2 of OpenID Connect Dynamic Client
Registration 1.0 [OpenID.Registration] are allowed in a metadata
statement.
To that list is added:
client_registration_types
REQUIRED. Array of strings specifying the client registration
types the RP wants to use. Values defined by this specification
are "automatic" and "explicit".
organization_name
OPTIONAL. A human-readable name representing the organization
owning the RP.
signed_jwks_uri
OPTIONAL. A URI pointing to a signed JWT having the entity's JWK
Set as payload. The JWT is signed with a key that was included in
the JWK that the entity published in its self-signed entity
statement. A signed JWT can contain the following claims, all
except "keys" defined in [RFC7519]:
Hedberg, et al. Expires March 13, 2022 [Page 12]
OpenID Connect Federation September 2021
keys
REQUIRED. List of JWKs.
iss
REQUIRED. The "iss" (issuer) claim identifies the principal
that issued the JWT.
sub
REQUIRED. This claim identifies the owner of the keys. It
SHOULD be the same as the issuer.
iat
OPTIONAL. This claim identifies the time at which the JWT was
issued.
exp
OPTIONAL. This claim identifies the time at which the JWT is
no longer valid.
There are more claims defined in [RFC7519]; of these, "aud" SHOULD
NOT be used, since the issuer cannot know who the audience is.
"nbf" and "jti" are deemed to not be very useful in this context
and are therefore to be omitted.
Hedberg, et al. Expires March 13, 2022 [Page 13]
OpenID Connect Federation September 2021
The following is a non-normative example of a signed JWKS before
serialization and adding a signature.
{
"keys": [
{
"kty": "RSA",
"kid": "SUdtUndEWVY2cUFDeDV5NVlBWDhvOXJodVl2am1mNGNtR0pmd",
"n": "y_Zc8rByfeRIC9fFZrDZ2MGH2ZnxLrc0ZNNwkNet5rwCPYeRF3Sv
5nihZA9NHkDTEX97dN8hG6ACfeSo6JB2P7heJtmzM8oOBZbmQ90n
EA_JCHszkejHaOtDDfxPH6bQLrMlItF4JSUKua301uLB7C8nzTxm
tF3eAhGCKn8LotEseccxsmzApKRNWhfKDLpKPe9i9PZQhhJaurwD
kMwbWTAeZbqCScU1o09piuK1JDf2PaDFevioHncZcQO74Obe4nN3
oNPNAxrMClkZ9s9GMEd5vMqOD4huXlRpHwm9V3oJ3LRutOTxqQLV
yPucu7eHA7her4FOFAiUk-5SieXL9Q",
"e": "AQAB"
},
{
"kty": "EC",
"kid": "MFYycG1raTI4SkZvVDBIMF9CNGw3VEZYUmxQLVN2T21nSWlkd3",
"crv": "P-256",
"x": "qAOdPQROkHfZY1daGofOmSNQWpYK8c9G2m2Rbkpbd4c",
"y": "G_7fF-T8n2vONKM15Mzj4KR_shvHBxKGjMosF6FdoPY"
}
],
"iss": "https://example.org/op",
"iat": 1618410883
}
4.2. OP Metadata
The metadata type identifier is "openid_provider".
All parameters defined in Section 3 of OpenID Connect Discovery 1.0
[OpenID.Discovery] are applicable.
In addition, the following parameters are defined by this
specification:
client_registration_types_supported
REQUIRED. Array specifying the federation types supported.
Federation type values defined by this specification are
"automatic" and "explicit".
organization_name
OPTIONAL. A human-readable name representing the organization
owning the OP. It is intended to be used in the user interface,
Hedberg, et al. Expires March 13, 2022 [Page 14]
OpenID Connect Federation September 2021
being recognized by the end users that would be using the OP to
authenticate.
federation_registration_endpoint
OPTIONAL. URL of the OP's Federation specific Dynamic Client
Registration Endpoint. If the OP supports explicit client
registration as described in Section 10.2, then this claim is
REQUIRED.
request_authentication_methods_supported
OPTIONAL. In OpenID Connect Core, no client authentication is
performed at the authentication endpoint. Instead, you can say
that a request authentication is performed. What it amounts to is
that the OP maps the information in the request to the information
it has on the client, through static or dynamic registration. If
the map is successful, then the request is permitted to proceed.
Something similar happens when automatic registration is used.
Since there has been no explicit registration, the OP will gather
information about the RP using the process outlined in Section 6.
Once it has the RP metadata, the OP can verify the information the
RP provides in the request. We make this a bit more secure by
demanding the use of the request parameter or pushed
authorization.
The claim value is a JSON object with members representing
processes/endpoints and as values lists of request authentication
methods that are supported by the authorization endpoint. In this
specification we use the processes/endpoints: Authorization
Request (AR) as described in Section 3 of OpenID Connect Core 1.0
[OpenID.Core] and Pushed Authorization Request (PAR), as described
in [PAR]. The request authentication methods are:
request_object
This uses a Request Object as described in OpenID Connect Core
1.0 [OpenID.Core]. There is more about this in Section 10.1.
private_key_jwt
The authentication process is described in Section 9 of OpenID
Connect Core 1.0 [OpenID.Core]. Note that if "private_key_jwt"
is used, the audience of the signed JWT MUST be either the URL
of the Authorization Server's Authorization Endpoint or the
Authorization Server's entity identifier.
tls_client_auth
Section 2.1 of [RFC8705].
self_signed_tls_client_auth
Section 2.2 of [RFC8705].
Hedberg, et al. Expires March 13, 2022 [Page 15]
OpenID Connect Federation September 2021
The only request authentication method that can be used if doing
authentication as described in OpenID Connect Core 1.0
[OpenID.Core] is "request_object". If pushed authorization is
used then one of "private_key_jwt", "tls_client_auth" and
"self_signed_tls_client_auth" can be used.
signed_jwks_uri
OPTIONAL. A URI pointing to a signed JWT having the entity's JWK
Set as payload. The JWT is signed with a key that was included in
the JWK that the entity published in its self-signed entity
statement.
The following is a non-normative example of OP metadata:'
{
"issuer": "https://server.example.com",
"authorization_endpoint":
"https://server.example.com/authorization",
"token_endpoint": "https://server.example.com/token",
"signed_jwks_uri": "https://server.example.com/jws.json",
"response_types_supported": ["code", "id_token", "id_token token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256", "ES256"],
"token_endpoint_auth_methods_supported": ["private_key_jwt"],
"pushed_authorization_request_endpoint":
"https://server.example.com/par",
"client_registration_types_supported": ["automatic", "explicit"],
"federation_registration_endpoint":
"https://server.example.com/fedreg",
"request_authentication_methods_supported": {
"ar": ["request_object"],
"par": ["private_key_jwt", "self_signed_tls_client_auth"]
}
}
4.3. OAuth Authorization Server
The metadata type identifier is "oauth_authorization_server".
All parameters defined in Section 2 of RFC 8414 [RFC8414] are
applicable.
4.4. OAuth Client
The metadata type identifier is "oauth_client".
All parameters defined in Section 2 of RFC 7591 [RFC7591] are
applicable.
Hedberg, et al. Expires March 13, 2022 [Page 16]
OpenID Connect Federation September 2021
4.5. OAuth Protected Resource
The metadata type identifier is "oauth_resource". There is no
standard that specifies what parameters can occur in the metadata for
this kind of entity. So for the time being, this can be regarded as
a placeholder.
4.6. Federation Entity
The metadata type identifier is "federation_entity".
All entities participating in a federation are of this type.
The following properties are allowed:
federation_api_endpoint
OPTIONAL. The endpoint for the Federation API described in
Section 7. Intermediate entities and trust anchors MUST publish a
"federation_api_endpoint". Leaf entities MUST NOT.
name
OPTIONAL. String. The human-readable name describing the subject
entity. This MAY be, for example, the name of an organization.
contacts
OPTIONAL. JSON array with one or more strings representing
contact persons at the entity. These MAY contain names, e-mail
addresses, descriptions, phone numbers, etc.
policy_uri
OPTIONAL. URL to documentation of conditions and policies
relevant to this entity.
homepage_uri
OPTIONAL. URL to a generic home page representing this entity.
trust_marks
OPTIONAL. A JSON array of signed JSON Web Token each representing
a certification mark. There is more about certification marks in
Section 5.3.
Example
Hedberg, et al. Expires March 13, 2022 [Page 17]
OpenID Connect Federation September 2021
"federation_entity": {
"federation_api_endpoint":
"https://example.com/federation_api_endpoint",
"name": "The example cooperation",
"homepage_uri": "https://www.example.com"
}
5. Federation Policy
5.1. Metadata Policy
An entity can publish metadata policies pertaining to entities of a
specific type. Entity type identifiers specified in this document
can be found in Section 4.
Each such metadata policy has the following structure:
o It consists of one or more policy entries.
o Each policy entry applies to one metadata parameter, such as
"id_token_signing_alg".
o Each policy entry consists of one or more operators, which can be
value modifiers or value checks.
o An operator can only appear once in a policy entry.
It SHOULD be noted that claim names without language tags are
different from the same claim but with language tags.
An example of a policy entry:
"id_token_signing_alg": {
"default": "ES256",
"one_of" : ["ES256", "ES384", "ES512"]
}
Which fits into a metadata policy like this:
"metadata_policy" : {
"openid_relying_party": {
"id_token_signing_alg": {
"default": "ES256",
"one_of" : ["ES256", "ES384", "ES512"]