Merge pull request #155 from italia/v1.1.1

- minor editorials and typos in text and metadata policy non normative examples
italia · Jan 31, 2023 · 7850265 · 7850265
2 parents a09ea7c + cfe6c67
commit 7850265
Show file tree

Hide file tree

Showing 19 changed files with 150 additions and 118 deletions.
diff --git a/AUTHORS.md b/AUTHORS.md
@@ -2,12 +2,15 @@
 
 We list here the main contributors to this specification:
 
-* Stefano Pullini <[email protected]>
 * Giuseppe De Marco <[email protected]>
-* Michele D'Amico <>
-* Francesco Antonio Marino <>
-* Antonio Colella <>
-* Nunzio Napolitano <>
-* Antonio Florio <>
+* Michele D'Amico <[email protected]>
+* Francesco Antonio Marino <[email protected]>
+* Antonio Colella <[email protected]>
+* Nunzio Napolitano <[email protected]>
+* Antonio Florio <[email protected]>
+* Stefano Pullini <[email protected]>
+* Giada Sciarretta <[email protected]>
+* Amir Sharif <[email protected]>
+
 
 We'd also like to thank the the #spid-openid participants of developers italia slack.
diff --git a/README.md b/README.md
@@ -19,7 +19,10 @@
 
 ## Intro
 
-This repository hosts the sphinx project tree of SPID/CIE OpenID Connect technical specifications, published to [Docs Italia](https://docs.italia.it/docs/spid-cie-oidc-docs/) and [Github pages](https://italia.github.io/spid-cie-oidc-docs/).
+This repository is mantained by the Department for Digital Transformation, 
+the Agency for Digital Italy (AgID), the State Mint and Printing Institute 
+(IPZS) and hosts the sphinx project tree of SPID/CIE OpenID Connect technical specifications, 
+published to [Docs Italia](https://docs.italia.it/docs/spid-cie-oidc-docs/) and [Github pages](https://italia.github.io/spid-cie-oidc-docs/).
 
 ## Documentation
 
@@ -52,7 +55,6 @@ pandoc -o spid-cie-oidc-docs.odt index.html
 
 ## Versioning
 
-
 This project participates in the versioning model  [*Semantic
 Versioning*](https://semver.org/).
 

diff --git a/docs/common/common_examples.rst b/docs/common/common_examples.rst
@@ -784,31 +784,31 @@ The following example shows a Metadata policy in the Entity Statement provided b
                     "kid": "5NNNoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs"
                 }]
               }]
-            }
+            },
             "grant_types": {
                 "subset_of": ["authorization_code", "refresh_token"]
-            }
+            },
             "id_token_signed_response_alg": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "id_token_encrypted_response_alg": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "id_token_encrypted_response_enc": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "userinfo_signed_response_alg": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "userinfo_encrypted_response_alg": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "userinfo_encrypted_response_enc": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "token_endpoint_auth_method": {
                 "one_of": ["private_key_jwt"]
-            }
+            },
             "client_registration_types": {
                 "one_of": ["automatic"]
             }
@@ -825,26 +825,26 @@ The following example shows a Metadata policy in the Entity Statement provided b
                 "subset_of": ["authorization_code", "refresh_token"]
             }
             "id_token_signed_response_alg": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "id_token_encrypted_response_alg": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "id_token_encrypted_response_enc": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "userinfo_signed_response_alg": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "userinfo_encrypted_response_alg": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "userinfo_encrypted_response_enc": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "token_endpoint_auth_method": {
                 "one_of": ["private_key_jwt"]
-            }
+            },
             "client_registration_types": {
                 "one_of": ["automatic"]
             }
@@ -884,72 +884,70 @@ The following example shows a Metadata policy in the Entity Statement provided b
                     "e": "AQAB",
                     "kid": "5NNNoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs"
                 }]
-            }
+            },
             "revocation_endpoint_auth_methods_supported": {
                 "one_of": ["private_key_jwt"]
-            }
+            },
             "code_challenge_methods_supported": {
                 "subset_of": ["authorization_code", "refresh_token"]
-            }
+            },
             "scopes_supported": {
                 "subset_of": ["openid", "offline_access", "profile", "email"]
-            }
+            },
             "response_types_supported": {
                 "one_of": ["code"]
-            }
+            },
             "response_modes_supported": {
                 "subset_of": ["form_post", "query"]
-            }
+            },
             "grant_types_supported": {
                 "subset_of": ["authorization_code", "refresh_token"]
-            }
-            }
+            },
             "acr_values_supported": {
                 "subset_of": ["https://www.spid.gov.it/SpidL1", "https://www.spid.gov.it/SpidL2", "https://www.spid.gov.it/SpidL3"]
-            }
-            }
+            },
             "subject_types_supported": {
                 "one_of": ["pairwise"]
-            }
+            },
             "id_token_signing_alg_values_supported": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "id_token_encryption_alg_values_supported": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "id_token_encryption_enc_values_supported": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "userinfo_signing_alg_values_supported": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "userinfo_encryption_alg_values_supported": {
-                "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
-            }
+                "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"]
+            },
             "userinfo_encryption_enc_values_supported": {
-                "subset_of": ["A128CBC-HS256", "A256CBC-HS512"]
-            }
+                "one_of": ["A128CBC-HS256", "A256CBC-HS512"]
+            },
             "token_endpoint_auth_methods_supported": {
                 "one_of": ["private_key_jwt"]
-            }
+            },
             "token_endpoint_auth_signing_alg_values_supported": {
-                "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
-            }
+                "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
+            },
             "claims_parameter_supported": {
                 "one_of": ["true"]
-            }
+            },
             "request_parameter_supported": {
                 "one_of": ["true"]
-            }
+            },
             "authorization_response_iss_parameter_supported": {
                 "one_of": ["true"]
-            }
+            },
             "client_registration_types_supported": {
                 "one_of": ["automatic"]
-            }
+            },
             "request_authentication_methods_supported": {
                 "one_of": ["request_object"]
-            }
+            },
             "request_authentication_signing_alg_values_supported": {
                 "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"]
             }

diff --git a/docs/common/standards.rst b/docs/common/standards.rst
@@ -65,12 +65,6 @@ Standards
       - Lodderstedt, T., Bradley, J., Labunets, A., Fett, D., “OAuth 2.0 Security Best Current Practice”, Draft-19, December 2021.
     * - `EN319-412-1`_
       - Electronic Signatures and Infrastructures (ESI); Certificate Profiles;
-    * - `CAD`_
-      - DL 7 March 2005 n.82: "Codice dell'amministrazione digitale." (GU Serie Generale n.112 16-05-2005 - Suppl. Ordinario n. 93)
-    * - `DL-SEMPLIFICAZIONI`_
-      - DL 16 July 2020 n.76: "Misure urgenti per la semplificazione e l'innovazione digitale." (20A04921) (GU Serie Generale n.228 14-09-2020 - Suppl. Ordinario n. 33) and its conversion into Law, with amendments, Law 11 September 2020 n. 120.
-    * - `EIDAS`_
-      - Regulation (Eu) No 910/2014 of the European Parliament and of the Council 23 July 2014 "on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC."
     * - `E164`_
       - International Telecommunication Union, "E.164: The international public telecommunication numbering plan," 2010.
     * - `ISO8601-2004`_

diff --git a/docs/en/entity_configuration.rst b/docs/en/entity_configuration.rst
@@ -61,7 +61,6 @@ Entity Configuration - common claims
        - federation_entity
        - oauth_authorization_server
        - oauth_resource
-       - trust_mark_issuer
      - |spid-icon| |cieid-icon|
 
 .. warning::

diff --git a/docs/en/introspection_endpoint.rst b/docs/en/introspection_endpoint.rst
@@ -22,7 +22,10 @@ together with a Client Assertion that allows authenticating the RP that makes th
 
 .. code-block:: http
 
- POST /introspection?
+ POST /introspection HTTP/1.1
+ Host: https://op.spid.agid.gov.it
+ Content-Type: application/x-www-form-urlencoded
+
  client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw
  ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88…
  &
@@ -36,9 +39,6 @@ together with a Client Assertion that allows authenticating the RP that makes th
  RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9
  h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w…
 
- Host: https://op.spid.agid.gov.it
- HTTP/1.1
- 
 
 .. list-table:: 
    :widths: 20 60 20

diff --git a/docs/en/la_federazione_delle_identita.rst b/docs/en/la_federazione_delle_identita.rst
@@ -8,8 +8,8 @@ participate in the same regulatory framework for building a mechanism of trust,
 stipulating conventions and getting accreditation by one or more authorities and technological by 
 adopting standards of interoperability.
 
-This configuration establishes the levels of assurance and security that are appropriate for an 
-individual in order to authenticate on a web service (Service Provider) using their own digital identity, released 
+This configuration establishes the levels of assurance and security that are appropriate for the
+citizens in order to authenticate on a web service (Service Provider) using their own digital identity, released 
 by another web service (Identity Provider).
 
 The participants (RP or OP) who are recognized inside the same Federation, obtain Metadata from each
@@ -55,7 +55,7 @@ All the members MUST obtain the Federation configuration before the operational
 MUST keep it up-to-date on a daily basis. The Federation configuration contains the Trust Anchor
 public keys for the signature operations, the maximum number of Intermediaries allowed between a Leaf and the Trust Anchor (**max_path length**) and the authorities who are enabled to issue the Trust Marks (**trust_marks_issuers**).
 
-Here a non-normative example of :ref:`Entity Configuration response Trust Anchor<Esempio_EN1.4>` here.
+Here a non-normative example of :ref:`Entity Configuration response Trust Anchor<Esempio_EN1.4>`.
 
 For further details, please read the section about the :ref:`Entity Configuration<Entity_Configuration>`.
 

diff --git a/docs/en/metadata_oidc.rst b/docs/en/metadata_oidc.rst
@@ -5,7 +5,7 @@
 Metadata
 --------
 
-OIDC-FED uses and extends the Metadata claims as defined in the specifications OpenID Connect Discovery 1.0 and OpenID Connect Dynamic Client Registration 1.0 `OpenID.Discovery`_, `OpenID.Registration`_ respectively for OP and RP. 
+OIDC-FED uses and extends the Metadata claims as defined in the specifications OpenID Connect Discovery 1.0 (`OpenID.Discovery`_) and OpenID Connect Dynamic Client Registration 1.0 (`OpenID.Registration`_),  respectively for OP and RP. 
 
 In OIDC-FED the OIDC Metadata regarding an RP or OP is defined inside the claim **metadata** and its sub-claim
 **<entity-type>**, inside the Entity Configuration, as a JSON Object.

diff --git a/docs/en/revocation_endpoint.rst b/docs/en/revocation_endpoint.rst
@@ -41,7 +41,10 @@ The request to the Revocation Endpoint consists of sending the token to be revok
 
 .. code-block:: http
 
- POST /revoke?
+ POST /revoke HTTP/1.1
+ Host: https://op.spid.agid.gov.it
+ Content-Type: application/x-www-form-urlencoded
+ 
  client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw
  ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88&
  client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer&
@@ -54,9 +57,6 @@ The request to the Revocation Endpoint consists of sending the token to be revok
  RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9
  h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w
 
- Host: https://op.spid.agid.gov.it
- HTTP/1.1
-
 
 .. list-table:: 
    :widths: 20 60 20

diff --git a/docs/en/standards.rst b/docs/en/standards.rst
@@ -3,6 +3,22 @@ References
 
 .. include:: ../common/standards.rst
 
+
+National and European legislation
+----------------------------------
+
+.. list-table::
+    :widths: 25 75
+    :header-rows: 0
+
+    * - `CAD`_
+      - DL 7 March 2005 n.82: "Codice dell'amministrazione digitale." (GU Serie Generale n.112 16-05-2005 - Suppl. Ordinario n. 93)
+    * - `DL-SEMPLIFICAZIONI`_
+      - DL 16 July 2020 n.76: "Misure urgenti per la semplificazione e l'innovazione digitale." (20A04921) (GU Serie Generale n.228 14-09-2020 - Suppl. Ordinario n. 33) and its conversion into Law, with amendments, Law 11 September 2020 n. 120.
+    * - `EIDAS`_
+      - Regulation (Eu) No 910/2014 of the European Parliament and of the Council 23 July 2014 "on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC."
+
+
 .. include:: ../en/avvisi_spid.rst
 
 

diff --git a/docs/en/token_endpoint.rst b/docs/en/token_endpoint.rst
@@ -33,7 +33,10 @@ The claims that MUST be included in the *Token Request* are given below.
 
   .. code-block:: http
 
-    POST /token?
+    POST /token HTTP/1.1
+    Host: https://op.spid.agid.gov.it
+    Content-Type: application/x-www-form-urlencoded
+
     client_id=https://rp.spid.agid.gov.it&
     client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw
     ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…&
@@ -42,9 +45,6 @@ The claims that MUST be included in the *Token Request* are given below.
     code_verifier=9g8S40MozM3NSqjHnhi7OnsE38jklFv2&
     grant_type=authorization_code
 
-    Host: https://op.spid.agid.gov.it
-    HTTP/1.1
-
 
 .. seealso::
 
@@ -54,17 +54,17 @@ The claims that MUST be included in the *Token Request* are given below.
 
   .. code-block:: http
 
-    POST /token?
+    POST /token HTTP/1.1
+    Host: https://op.spid.agid.gov.it
+    Content-Type: application/x-www-form-urlencoded
+
     client_id=https://rp.spid.agid.gov.it&
     client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw
     ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…&
     client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer&
     grant_type=refresh_token&
     refresh_token=8xLOxBtZp8
 
-    Host: https://op.spid.agid.gov.it
-    HTTP/1.1
-
  
 .. list-table:: 
    :widths: 20 60 20