From 1e0b447681ac42726a8b45dd001df29730f6ac8f Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 18 Jan 2023 09:19:45 +0100 Subject: [PATCH 01/11] chore: README intro --- AUTHORS.md | 12 ++++++------ README.md | 6 ++++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/AUTHORS.md b/AUTHORS.md index 0168f193..d3fc9e44 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -2,12 +2,12 @@ We list here the main contributors to this specification: -* Stefano Pullini * Giuseppe De Marco -* Michele D'Amico <> -* Francesco Antonio Marino <> -* Antonio Colella <> -* Nunzio Napolitano <> -* Antonio Florio <> +* Michele D'Amico +* Francesco Antonio Marino +* Antonio Colella +* Nunzio Napolitano +* Antonio Florio +* Stefano Pullini We'd also like to thank the the #spid-openid participants of developers italia slack. diff --git a/README.md b/README.md index a19c6245..264f5967 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,10 @@ ## Intro -This repository hosts the sphinx project tree of SPID/CIE OpenID Connect technical specifications, published to [Docs Italia](https://docs.italia.it/docs/spid-cie-oidc-docs/) and [Github pages](https://italia.github.io/spid-cie-oidc-docs/). +This repository is mantained by the Department for Digital Transformation, +the Agency for Digital Italy (AgID), the State Mint and Printing Institute +(IPZS) and hosts the sphinx project tree of SPID/CIE OpenID Connect technical specifications, +published to [Docs Italia](https://docs.italia.it/docs/spid-cie-oidc-docs/) and [Github pages](https://italia.github.io/spid-cie-oidc-docs/). ## Documentation @@ -52,7 +55,6 @@ pandoc -o spid-cie-oidc-docs.odt index.html ## Versioning - This project participates in the versioning model [*Semantic Versioning*](https://semver.org/). From 7a376a2a7f8ae2eeeead2478758e5cc3628aacc5 Mon Sep 17 00:00:00 2001 
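Review bot: the new README sentence introduces a typo, "This repository is mantained by" should read "maintained". In the AUTHORS.md hunk the unchanged line directly below the reordered list, "We'd also like to thank the the #spid-openid participants", has a doubled "the" that this same chore commit could fix rather than leaving it for a later typo pass.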
From: Giuseppe De Marco Date: Wed, 18 Jan 2023 09:47:32 +0100 Subject: [PATCH 02/11] fix: metadata refs --- docs/it/metadata_oidc.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/it/metadata_oidc.rst b/docs/it/metadata_oidc.rst index a6d53d1c..d063b775 100644 --- a/docs/it/metadata_oidc.rst +++ b/docs/it/metadata_oidc.rst @@ -5,7 +5,7 @@ Metadata -------- -OIDC-FED utilizza ed estende i claim dei Metadata così come definiti all'interno delle specifiche di OpenID Connect Discovery 1.0 e OpenID Connect Dynamic Client Registration 1.0 `OpenID.Discovery`_, `OpenID.Registration`_ rispettivamente per OP e RP. +OIDC-FED utilizza ed estende i claim dei Metadata così come definiti all'interno delle specifiche di `OpenID.Discovery`_ e `OpenID.Registration`_ rispettivamente per OP e RP. In OIDC-FED il Metadata OIDC relativo a RP e OP viene definito all'interno del claim **metadata** e del suo sotto claim ****, all'interno dell'Entity Configuration, come oggetto JSON. From 7d37b0c886895825bac3238a101d00bbf4873bce Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 18 Jan 2023 09:48:06 +0100 Subject: [PATCH 03/11] chore: [IT] authz endpoint tables --- docs/it/authorization_endpoint.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/it/authorization_endpoint.rst b/docs/it/authorization_endpoint.rst index 75ad8abb..4ec7145d 100644 --- a/docs/it/authorization_endpoint.rst +++ b/docs/it/authorization_endpoint.rst @@ -26,7 +26,7 @@ Mediante il metodo **GET** i parametri DEVONO essere trasmessi utilizzando la *Q Di seguito i parametri obbligatori nella richiesta di autenticazione *HTTP*. -.. _tabella_parametri_http_req: +.. _tabella_parametri_authz_req: Authorization request .. list-table:: :widths: 20 60 20 
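Review bot: the Italian metadata hunk removes the spec names and keeps only the `OpenID.Discovery`_ / `OpenID.Registration`_ link text, but PATCH 07 in this same series puts the names back as "OpenID Connect Discovery 1.0 (`OpenID.Discovery`_)", so the two patches cancel out; squash them so the history records one change to that sentence. The unchanged context line "del suo sotto claim ****" also carries an empty strong-emphasis marker, which docutils reports as an inline markup error; check whether the entity-type name was lost there.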
@@ -50,6 +50,8 @@ Di seguito i parametri obbligatori nella richiesta di autenticazione *HTTP*. Di seguito una tabella che riporta la composizione dell'header del **JWT**. +.. _tabella_jwt_header_authz_req: Authorization request JWT header + .. list-table:: :widths: 20 60 20 :header-rows: 1 @@ -70,6 +72,7 @@ Di seguito una tabella che riporta la composizione dell'header del **JWT**. Il payload del **JWT** contiene i seguenti parametri obbligatori. +.. _tabella_jwt_payload_authz_req: Authorization request .. list-table:: :widths: 20 60 20 @@ -207,7 +210,7 @@ autenticazione. L'OP reindirizzerà l'utente all'url contenuto nel parametro red Se l'autenticazione è avvenuta con successo, l'OpenID Provider (OP), reindirizza l'utente aggiungendo i seguenti parametri obbligatori come query parameters al *redirect_uri* (come definito in `OpenID.Core#AuthResponse`_): - +.. _tabella_authz_res: Authorization response .. list-table:: :widths: 20 60 20 @@ -241,6 +244,7 @@ Gestione degli errori In caso di errore, l'OP o il RP rappresentano i messaggi di anomalia relativi agli scambi OpenID Connect, come descritti nelle relative tabelle definite dalle `Linee Guida UX SPID`_. +.. _tabella_authz_errs_res: Authorization response errors .. list-table:: :widths: 20 60 20 @@ -266,6 +270,9 @@ Connect, come descritti nelle relative tabelle definite dalle `Linee Guida UX SP Codici di errore ^^^^^^^^^^^^^^^^ +.. _tabella_authz_errs: Authorization errors + + .. list-table:: :widths: 20 20 20 20 :header-rows: 1 From 2d682090c2fcdb10f305ab4ae8b3335435136223 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 18 Jan 2023 09:55:09 +0100 Subject: [PATCH 04/11] fix: small typos in EN version --- docs/en/la_federazione_delle_identita.rst | 6 +++--- docs/it/errors_federation.rst | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/en/la_federazione_delle_identita.rst b/docs/en/la_federazione_delle_identita.rst index 61f3ad38..7e12ebdc 100644 
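Review bot: the labels added as `.. _tabella_jwt_header_authz_req: Authorization request JWT header` are not table captions: in reStructuredText a `.. _name: text` line is an external hyperlink target whose URI is the trailing text, so any `:ref:` to these names resolves to a bogus link instead of the table. Write `.. _tabella_jwt_header_authz_req:` alone on its line, followed by a blank line, before `.. list-table::` (the same applies to `_tabella_jwt_payload_authz_req`, `_tabella_authz_res`, `_tabella_authz_errs_res` and `_tabella_authz_errs`). Renaming `_tabella_parametri_http_req` to `_tabella_parametri_authz_req` touches only this file, so grep docs/it and docs/en for the old name before merging; a stale `:ref:` builds as an unresolved reference.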
--- a/docs/en/la_federazione_delle_identita.rst +++ b/docs/en/la_federazione_delle_identita.rst @@ -8,8 +8,8 @@ participate in the same regulatory framework for building a mechanism of trust, stipulating conventions and getting accreditation by one or more authorities and technological by adopting standards of interoperability. -This configuration establishes the levels of assurance and security that are appropriate for an -individual in order to authenticate on a web service (Service Provider) using their own digital identity, released +This configuration establishes the levels of assurance and security that are appropriate for the +citizens in order to authenticate on a web service (Service Provider) using their own digital identity, released by another web service (Identity Provider). The participants (RP or OP) who are recognized inside the same Federation, obtain Metadata from each @@ -55,7 +55,7 @@ All the members MUST obtain the Federation configuration before the operational MUST keep it up-to-date on a daily basis. The Federation configuration contains the Trust Anchor public keys for the signature operations, the maximum number of Intermediaries allowed between a Leaf and the Trust Anchor (**max_path length**) and the authorities who are enabled to issue the Trust Marks (**trust_marks_issuers**). -Here a non-normative example of :ref:`Entity Configuration response Trust Anchor` here. +Here a non-normative example of :ref:`Entity Configuration response Trust Anchor`. For further details, please read the section about the :ref:`Entity Configuration`. diff --git a/docs/it/errors_federation.rst b/docs/it/errors_federation.rst index fce24dac..a87d2ef1 100644 --- a/docs/it/errors_federation.rst +++ b/docs/it/errors_federation.rst 
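Review bot: "appropriate for the citizens in order to authenticate on a web service" still reads awkwardly; "appropriate for citizens authenticating on a web service" is cleaner. In the second hunk the unchanged line writes the parameter as `**max_path length**` with a space while its neighbour `**trust_marks_issuers**` uses underscores, so an underscore was lost there; fix it in this typo pass.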
@@ -38,7 +38,7 @@ Codici di errore di Federation - **Supportato da** * - *temporarily_unavailable* - Uno degli endpoint di well-known o di Federation non è raggiungibile. - - *302 Found*/*400 Bad Request* + - *302 Found* or *400 Bad Request* - |spid-icon| |cieid-icon| * - *invalid_client* - Il Client non è autorizzato perchè la validazione della Trust Chain fallisce. From bc6e986444f36aeabfa029fffac22775cad9acd8 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 18 Jan 2023 10:01:40 +0100 Subject: [PATCH 05/11] fix: examples of POST HTTP methods --- docs/en/introspection_endpoint.rst | 8 ++++---- docs/en/revocation_endpoint.rst | 8 ++++---- docs/en/token_endpoint.rst | 16 ++++++++-------- docs/it/introspection_endpoint.rst | 11 +++++------ docs/it/revocation_endpoint.rst | 8 ++++---- docs/it/token_endpoint.rst | 17 ++++++++--------- 6 files changed, 33 insertions(+), 35 deletions(-) diff --git a/docs/en/introspection_endpoint.rst b/docs/en/introspection_endpoint.rst index 2f58704e..a069aabe 100644 --- a/docs/en/introspection_endpoint.rst +++ b/docs/en/introspection_endpoint.rst @@ -22,7 +22,10 @@ together with a Client Assertion that allows authenticating the RP that makes th .. code-block:: http - POST /introspection? + POST /introspection HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88… & @@ -36,9 +39,6 @@ together with a Client Assertion that allows authenticating the RP that makes th RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9 h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w… - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. list-table:: :widths: 20 60 20 
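Review bot: the errors_federation hunk puts the English word "or" into the Italian table ("*302 Found* or *400 Bad Request*") even though the commit says it fixes the EN version; use "oppure" here, or move the change to docs/en if that is where it was meant to go.

Review bot: `Host: https://op.spid.agid.gov.it` is not a valid Host header value; the header carries only the authority, so it should be `Host: op.spid.agid.gov.it` (the revocation and token examples copy the same mistake). The `client_assertion` value also starts with `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`, which decodes to `{"alg":"HS256","typ":"JWT"}`: a symmetric MAC cannot be a `private_key_jwt` assertion and HS256 is not among the RS/ES/PS algorithms the metadata policy examples allow. Since this commit is about fixing the examples, re-encode the header with an asymmetric `alg` (or truncate it) so readers do not copy HS256.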
diff --git a/docs/en/revocation_endpoint.rst b/docs/en/revocation_endpoint.rst index 9f17d704..f2a1c5dd 100644 --- a/docs/en/revocation_endpoint.rst +++ b/docs/en/revocation_endpoint.rst @@ -41,7 +41,10 @@ The request to the Revocation Endpoint consists of sending the token to be revok .. code-block:: http - POST /revoke? + POST /revoke HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer& @@ -54,9 +57,6 @@ The request to the Revocation Endpoint consists of sending the token to be revok RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9 h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. list-table:: :widths: 20 60 20 diff --git a/docs/en/token_endpoint.rst b/docs/en/token_endpoint.rst index 455bc6b2..e4ee1a09 100644 --- a/docs/en/token_endpoint.rst +++ b/docs/en/token_endpoint.rst @@ -33,7 +33,10 @@ The claims that MUST be included in the *Token Request* are given below. .. code-block:: http - POST /token? + POST /token HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_id=https://rp.spid.agid.gov.it& client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…& @@ -42,9 +45,6 @@ The claims that MUST be included in the *Token Request* are given below. code_verifier=9g8S40MozM3NSqjHnhi7OnsE38jklFv2& grant_type=authorization_code - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. seealso:: 
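Review bot: in the token request body `client_id=https://rp.spid.agid.gov.it&` is sent raw, whereas the introspection and revocation bodies percent-encode the same value as `client_id=https%3A%2F%2Frp.spid.agid.gov.it`; with `Content-Type: application/x-www-form-urlencoded` the value must be encoded, so align the token examples with the other two. The `Host:` value carries the scheme in these hunks too.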
@@ -54,7 +54,10 @@ The claims that MUST be included in the *Token Request* are given below. .. code-block:: http - POST /token? + POST /token HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_id=https://rp.spid.agid.gov.it& client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…& @@ -62,9 +65,6 @@ The claims that MUST be included in the *Token Request* are given below. grant_type=refresh_token& refresh_token=8xLOxBtZp8 - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. list-table:: :widths: 20 60 20 diff --git a/docs/it/introspection_endpoint.rst b/docs/it/introspection_endpoint.rst index 977e160d..55541cf8 100644 --- a/docs/it/introspection_endpoint.rst +++ b/docs/it/introspection_endpoint.rst @@ -22,10 +22,12 @@ La richiesta all'Introspection Endpoint consiste nell'invio del token su cui si .. code-block:: http - POST /introspection? + POST /introspection HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw - ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88… - & + ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88 … & client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer& client_id=https%3A%2F%2Frp.spid.agid.gov.it& token=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTg3MDI0MTQsImF1ZCI6WyJlNzFmYjcyYS05NzRmLT @@ -36,9 +38,6 @@ La richiesta all'Introspection Endpoint consiste nell'invio del token su cui si RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9 h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w… - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. list-table:: :widths: 20 60 20 
diff --git a/docs/it/revocation_endpoint.rst b/docs/it/revocation_endpoint.rst index abe01471..67b4a096 100644 --- a/docs/it/revocation_endpoint.rst +++ b/docs/it/revocation_endpoint.rst @@ -42,7 +42,10 @@ La richiesta al Revocation Endpoint consiste nell'invio del token che si vuole r .. code-block:: http - POST /revoke? + POST /revoke HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswLF88& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwtbearer& @@ -55,9 +58,6 @@ La richiesta al Revocation Endpoint consiste nell'invio del token che si vuole r RkYtyVTLWlff6S5gKciYf3b0bAdjoQEHd_IvssIPH3xuBJkmtkrTlfWR0Q0pdpeyVePkMSI28XZvDaGnxA4j7QI5loZYeyzGR9 h70xQLVzqwwl1P0-F_0JaDFMJFO1yl4IexfpoZZsB3HhF2vFdL6D_lLeHRyH2g2OzF59eMIsM_Ccs4G47862w - Host: https://op.spid.agid.gov.it - HTTP/1.1 - .. list-table:: :widths: 20 60 20 diff --git a/docs/it/token_endpoint.rst b/docs/it/token_endpoint.rst index 6833566f..13553037 100644 --- a/docs/it/token_endpoint.rst +++ b/docs/it/token_endpoint.rst @@ -33,7 +33,10 @@ Di seguito i claim che DEVONO essere inseriti nella *Token Request*. .. code-block:: json - POST /token? + POST /token HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_id=https://rp.spid.agid.gov.it& client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…& @@ -42,10 +45,6 @@ Di seguito i claim che DEVONO essere inseriti nella *Token Request*. code_verifier=9g8S40MozM3NSqjHnhi7OnsE38jklFv2& grant_type=authorization_code - Host: https://op.spid.agid.gov.it - HTTP/1.1 - - .. seealso:: - https://openid.net/specs/openid-connect-core-1_0.html#RPAuthentication 
@@ -55,7 +54,10 @@ Di seguito i claim che DEVONO essere inseriti nella *Token Request*. .. code-block:: json - POST /token? + POST /token HTTP/1.1 + Host: https://op.spid.agid.gov.it + Content-Type: application/x-www-form-urlencoded + client_id=https://rp.spid.agid.gov.it& client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiw ibmFtZSI6IlNQSUQiLCJhZG1pbiI6dHJ1ZX0.LVyRDPVJm0S9q7oiXcYVIIqGWY0wWQlqxvFGYswL…& @@ -63,10 +65,7 @@ Di seguito i claim che DEVONO essere inseriti nella *Token Request*. grant_type=refresh_token& refresh_token=8xLOxBtZp8 - Host: https://op.spid.agid.gov.it - HTT/P1.1 - .. list-table:: :widths: 20 60 20 :header-rows: 1 From dc91a46e724d838383f85e708463337b4e077bcc Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 18 Jan 2023 10:05:44 +0100 Subject: [PATCH 06/11] fix: national normative moved from the standards table to a specilized one --- docs/common/standards.rst | 6 ------ docs/en/standards.rst | 16 ++++++++++++++++ docs/it/standards.rst | 16 ++++++++++++++++ 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/docs/common/standards.rst b/docs/common/standards.rst index 858e75c2..13183db6 100644 --- a/docs/common/standards.rst +++ b/docs/common/standards.rst 
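Review bot: both Italian token-endpoint hunks keep `.. code-block:: json` as the fence language for what is now an HTTP message (`POST /token HTTP/1.1` plus headers and a form body); Pygments will reject it as JSON and drop highlighting, and the English counterpart already uses `.. code-block:: http`. Switch to `http` while touching these blocks.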
@@ -65,12 +65,6 @@ Standards - Lodderstedt, T., Bradley, J., Labunets, A., Fett, D., “OAuth 2.0 Security Best Current Practice”, Draft-19, December 2021. * - `EN319-412-1`_ - Electronic Signatures and Infrastructures (ESI); Certificate Profiles; - * - `CAD`_ - - DL 7 March 2005 n.82: "Codice dell'amministrazione digitale." (GU Serie Generale n.112 16-05-2005 - Suppl. Ordinario n. 93) - * - `DL-SEMPLIFICAZIONI`_ - - DL 16 July 2020 n.76: "Misure urgenti per la semplificazione e l'innovazione digitale." (20A04921) (GU Serie Generale n.228 14-09-2020 - Suppl. Ordinario n. 33) and its conversion into Law, with amendments, Law 11 September 2020 n. 120. - * - `EIDAS`_ - - Regulation (Eu) No 910/2014 of the European Parliament and of the Council 23 July 2014 "on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC." * - `E164`_ - International Telecommunication Union, "E.164: The international public telecommunication numbering plan," 2010. * - `ISO8601-2004`_ diff --git a/docs/en/standards.rst b/docs/en/standards.rst index e24b898c..7f9624bd 100644 --- a/docs/en/standards.rst +++ b/docs/en/standards.rst 
@@ -3,6 +3,22 @@ References .. include:: ../common/standards.rst + +National and community legislation +---------------------------------- + +.. list-table:: + :widths: 25 75 + :header-rows: 0 + + * - `CAD`_ + - DL 7 March 2005 n.82: "Codice dell'amministrazione digitale." (GU Serie Generale n.112 16-05-2005 - Suppl. Ordinario n. 93) + * - `DL-SEMPLIFICAZIONI`_ + - DL 16 July 2020 n.76: "Misure urgenti per la semplificazione e l'innovazione digitale." (20A04921) (GU Serie Generale n.228 14-09-2020 - Suppl. Ordinario n. 33) and its conversion into Law, with amendments, Law 11 September 2020 n. 120. + * - `EIDAS`_ + - Regulation (Eu) No 910/2014 of the European Parliament and of the Council 23 July 2014 "on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC." + + .. include:: ../en/avvisi_spid.rst diff --git a/docs/it/standards.rst b/docs/it/standards.rst index cf2aae0d..5fa2bb81 100644 --- a/docs/it/standards.rst +++ b/docs/it/standards.rst @@ -3,6 +3,22 @@ Riferimenti .. include:: ../common/standards.rst + +Normativa Nazionale e comunitaria +--------------------------------- + +.. list-table:: + :widths: 25 75 + :header-rows: 0 + + * - `CAD`_ + - DL 7 March 2005 n.82: "Codice dell'amministrazione digitale." (GU Serie Generale n.112 16-05-2005 - Suppl. Ordinario n. 93) + * - `DL-SEMPLIFICAZIONI`_ + - DL 16 July 2020 n.76: "Misure urgenti per la semplificazione e l'innovazione digitale." (20A04921) (GU Serie Generale n.228 14-09-2020 - Suppl. Ordinario n. 33) and its conversion into Law, with amendments, Law 11 September 2020 n. 120. + * - `EIDAS`_ + - Regulation (Eu) No 910/2014 of the European Parliament and of the Council 23 July 2014 "on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC." + + .. include:: ../it/avvisi_spid.rst From 546ce19e39c65189546a4b989a0643aca1df6d7d Mon Sep 17 00:00:00 2001 
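Review bot: the "Normativa Nazionale e comunitaria" and "National and community legislation" tables are byte-identical English text in docs/it and docs/en, so the Italian reader gets "DL 7 March 2005 n.82" in English and the two copies will drift; either translate the Italian rows or keep one copy under docs/common and `.. include::` it the way both pages already include `../common/standards.rst`. Also confirm that the `CAD`_, `DL-SEMPLIFICAZIONI`_ and `EIDAS`_ targets are still defined in a file both pages include, since only the table rows moved. Commit subject typo: "specilized".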
From: Giuseppe De Marco Date: Wed, 18 Jan 2023 10:11:35 +0100 Subject: [PATCH 07/11] fix: Metadata refs --- docs/en/metadata_oidc.rst | 2 +- docs/it/metadata_oidc.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/en/metadata_oidc.rst b/docs/en/metadata_oidc.rst index cfee8c4e..50e5eaca 100644 --- a/docs/en/metadata_oidc.rst +++ b/docs/en/metadata_oidc.rst @@ -5,7 +5,7 @@ Metadata -------- -OIDC-FED uses and extends the Metadata claims as defined in the specifications OpenID Connect Discovery 1.0 and OpenID Connect Dynamic Client Registration 1.0 `OpenID.Discovery`_, `OpenID.Registration`_ respectively for OP and RP. +OIDC-FED uses and extends the Metadata claims as defined in the specifications OpenID Connect Discovery 1.0 (`OpenID.Discovery`_) and OpenID Connect Dynamic Client Registration 1.0 (`OpenID.Registration`_), respectively for OP and RP. In OIDC-FED the OIDC Metadata regarding an RP or OP is defined inside the claim **metadata** and its sub-claim ****, inside the Entity Configuration, as a JSON Object. diff --git a/docs/it/metadata_oidc.rst b/docs/it/metadata_oidc.rst index d063b775..1f33c07a 100644 --- a/docs/it/metadata_oidc.rst +++ b/docs/it/metadata_oidc.rst @@ -5,7 +5,7 @@ Metadata -------- -OIDC-FED utilizza ed estende i claim dei Metadata così come definiti all'interno delle specifiche di `OpenID.Discovery`_ e `OpenID.Registration`_ rispettivamente per OP e RP. +OIDC-FED utilizza ed estende i claim dei Metadata così come definiti all'interno delle specifiche di OpenID Connect Discovery 1.0 (`OpenID.Discovery`_) e OpenID Connect Dynamic Client Registration 1.0 (`OpenID.Registration`_) rispettivamente per OP e RP. In OIDC-FED il Metadata OIDC relativo a RP e OP viene definito all'interno del claim **metadata** e del suo sotto claim ****, all'interno dell'Entity Configuration, come oggetto JSON. From 6d58593cd38dec4fa606742e06f8a98ddf11635f Mon Sep 17 00:00:00 2001 
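Review bot: the docs/it hunk reverts PATCH 02 of this series, restoring the spec names it removed; squash PATCH 02 into this one (or drop it) so the series does not flip the same sentence twice. The docs/en hunk is fine as is.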
From: Giuseppe De Marco Date: Wed, 25 Jan 2023 14:18:09 +0100 Subject: [PATCH 08/11] added fbk in the contributors list --- AUTHORS.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/AUTHORS.md b/AUTHORS.md index d3fc9e44..f1510f1f 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -9,5 +9,8 @@ We list here the main contributors to this specification: * Nunzio Napolitano * Antonio Florio * Stefano Pullini +* Giada Sciarretta giada.sciarretta@fbk.eu +* Amir Sharif asharif@fbk.eu + We'd also like to thank the the #spid-openid participants of developers italia slack. From fde14743bc0dff8b72dd8150be82698be47332b4 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Tue, 31 Jan 2023 15:13:27 +0100 Subject: [PATCH 09/11] fix: small typos --- AUTHORS.md | 4 ++-- docs/en/standards.rst | 2 +- docs/it/standards.rst | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/AUTHORS.md b/AUTHORS.md index f1510f1f..a286cfcd 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -9,8 +9,8 @@ We list here the main contributors to this specification: * Nunzio Napolitano * Antonio Florio * Stefano Pullini -* Giada Sciarretta giada.sciarretta@fbk.eu -* Amir Sharif asharif@fbk.eu +* Giada Sciarretta +* Amir Sharif We'd also like to thank the the #spid-openid participants of developers italia slack. diff --git a/docs/en/standards.rst b/docs/en/standards.rst index 7f9624bd..9a0bcf10 100644 --- a/docs/en/standards.rst +++ b/docs/en/standards.rst @@ -4,7 +4,7 @@ References .. include:: ../common/standards.rst -National and community legislation +National and European legislation ---------------------------------- .. list-table:: diff --git a/docs/it/standards.rst b/docs/it/standards.rst index 5fa2bb81..42464024 100644 --- a/docs/it/standards.rst +++ b/docs/it/standards.rst @@ -4,7 +4,7 @@ Riferimenti .. include:: ../common/standards.rst -Normativa Nazionale e comunitaria +Normativa Nazionale ed Europea --------------------------------- .. list-table:: 
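Review bot: PATCH 08 commits two personal e-mail addresses into AUTHORS.md and PATCH 09 removes them again, so they stay in git history anyway; squash the two so the addresses never land in a commit, consistent with the other entries, which carry no e-mail.

Review bot: after the PATCH 09 rename the heading underlines are longer than the titles ("Normativa Nazionale ed Europea" is 30 characters under 33 dashes); docutils accepts that, but trim them to match the titles for consistency. The doubled "the the" in the AUTHORS thanks line survives both patches.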
From 6b1a35a7f44f8081b5051701f9d78ec241fe5096 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Tue, 31 Jan 2023 15:31:42 +0100 Subject: [PATCH 10/11] fix: metadata policy non normative examples --- docs/common/common_examples.rst | 68 ++++++++++++++++---------------- docs/en/entity_configuration.rst | 1 - docs/it/entity_configuration.rst | 1 - 3 files changed, 34 insertions(+), 36 deletions(-) diff --git a/docs/common/common_examples.rst b/docs/common/common_examples.rst index 86f8c7fe..48058f56 100644 --- a/docs/common/common_examples.rst +++ b/docs/common/common_examples.rst 
@@ -784,31 +784,31 @@ The following example shows a Metadata policy in the Entity Statement provided b "kid": "5NNNoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" }] }] - } + }, "grant_types": { "subset_of": ["authorization_code", "refresh_token"] - } + }, "id_token_signed_response_alg": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + }, "id_token_encrypted_response_alg": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + }, "id_token_encrypted_response_enc": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] + }, "userinfo_signed_response_alg": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + }, "userinfo_encrypted_response_alg": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + }, "userinfo_encrypted_response_enc": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] + }, "token_endpoint_auth_method": { "one_of": ["private_key_jwt"] - } + }, "client_registration_types": { "one_of": ["automatic"] } 
@@ -825,23 +825,23 @@ The following example shows a Metadata policy in the Entity Statement provided b "subset_of": ["authorization_code", "refresh_token"] } "id_token_signed_response_alg": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + }, "id_token_encrypted_response_alg": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + }, "id_token_encrypted_response_enc": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] + }, "userinfo_signed_response_alg": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + }, "userinfo_encrypted_response_alg": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + }, "userinfo_encrypted_response_enc": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] + }, "token_endpoint_auth_method": { "one_of": ["private_key_jwt"] } 
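Review bot: the context line `"subset_of": ["authorization_code", "refresh_token"] }` immediately before `"id_token_signed_response_alg"` still lacks the comma that the first hunk added for the same key, so this second RP example remains invalid JSON after the patch; PATCH 11 later fixes `token_endpoint_auth_method` in this block but not this line. Add the comma here.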
@@ -912,28 +912,28 @@ The following example shows a Metadata policy in the Entity Statement provided b "one_of": ["pairwise"] } "id_token_signing_alg_values_supported": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] } "id_token_encryption_alg_values_supported": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] } "id_token_encryption_enc_values_supported": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] } "userinfo_signing_alg_values_supported": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] } "userinfo_encryption_alg_values_supported": { - "subset_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] + "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] } "userinfo_encryption_enc_values_supported": { - "subset_of": ["A128CBC-HS256", "A256CBC-HS512"] + "one_of": ["A128CBC-HS256", "A256CBC-HS512"] } "token_endpoint_auth_methods_supported": { "one_of": ["private_key_jwt"] } "token_endpoint_auth_signing_alg_values_supported": { - "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] + "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] } "claims_parameter_supported": { "one_of": ["true"] diff --git a/docs/en/entity_configuration.rst b/docs/en/entity_configuration.rst index 0cd85a6a..b3eb0ece 100644 --- a/docs/en/entity_configuration.rst +++ b/docs/en/entity_configuration.rst @@ -61,7 +61,6 @@ Entity Configuration - common claims - federation_entity - oauth_authorization_server - oauth_resource - - trust_mark_issuer - |spid-icon| |cieid-icon| .. warning:: 
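Review bot: switching `subset_of` to `one_of` is right for the RP's single-valued `id_token_signed_response_alg` and friends in the earlier hunks, but wrong here: `id_token_signing_alg_values_supported`, the `*_encryption_*_values_supported` keys and `token_endpoint_auth_signing_alg_values_supported` are JSON arrays in OP metadata, and `one_of` applies to single-valued parameters while `subset_of` constrains the members of an array. Keep `subset_of` for every `*_values_supported` key; the later hunk leaves `request_authentication_signing_alg_values_supported` as `subset_of`, which is the consistent choice.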
diff --git a/docs/it/entity_configuration.rst b/docs/it/entity_configuration.rst index bda490ae..5c3848f0 100644 --- a/docs/it/entity_configuration.rst +++ b/docs/it/entity_configuration.rst @@ -60,7 +60,6 @@ Entity Configuration - claim comuni - federation_entity - oauth_authorization_server - oauth_resource - - trust_mark_issuer - |spid-icon| |cieid-icon| .. warning:: From cfe6c67d3e73117096fdaed11cc84cb17bdc56bf Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Tue, 31 Jan 2023 15:32:55 +0100 Subject: [PATCH 11/11] fix: metadata policy non normative examples - 2 --- docs/common/common_examples.rst | 48 ++++++++++++++++----------------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/docs/common/common_examples.rst b/docs/common/common_examples.rst index 48058f56..6d25ae05 100644 --- a/docs/common/common_examples.rst +++ b/docs/common/common_examples.rst @@ -844,7 +844,7 @@ The following example shows a Metadata policy in the Entity Statement provided b }, "token_endpoint_auth_method": { "one_of": ["private_key_jwt"] - } + }, "client_registration_types": { "one_of": ["automatic"] } 
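Review bot: dropping `trust_mark_issuer` from the entity-type list in both entity_configuration pages is a normative change buried in a commit titled "metadata policy non normative examples"; move it to its own commit with a one-line rationale, and grep the trust-mark pages for `trust_mark_issuer` so the remaining text does not still describe an entity type the table no longer lists.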
@@ -884,72 +884,70 @@ The following example shows a Metadata policy in the Entity Statement provided b "e": "AQAB", "kid": "5NNNoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" }] - } + }, "revocation_endpoint_auth_methods_supported": { "one_of": ["private_key_jwt"] - } + }, "code_challenge_methods_supported": { "subset_of": ["authorization_code", "refresh_token"] - } + }, "scopes_supported": { "subset_of": ["openid", "offline_access", "profile", "email"] - } + }, "response_types_supported": { "one_of": ["code"] - } + }, "response_modes_supported": { "subset_of": ["form_post", "query"] - } + }, "grant_types_supported": { "subset_of": ["authorization_code", "refresh_token"] - } - } + }, "acr_values_supported": { "subset_of": ["https://www.spid.gov.it/SpidL1", "https://www.spid.gov.it/SpidL2", "https://www.spid.gov.it/SpidL3"] - } - } + }, "subject_types_supported": { "one_of": ["pairwise"] - } + }, "id_token_signing_alg_values_supported": { "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + }, "id_token_encryption_alg_values_supported": { "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + }, "id_token_encryption_enc_values_supported": { "one_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + }, "userinfo_signing_alg_values_supported": { "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + }, "userinfo_encryption_alg_values_supported": { "one_of": ["RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"] - } + }, "userinfo_encryption_enc_values_supported": { "one_of": ["A128CBC-HS256", "A256CBC-HS512"] - } + }, "token_endpoint_auth_methods_supported": { "one_of": ["private_key_jwt"] - } + }, "token_endpoint_auth_signing_alg_values_supported": { "one_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] - } + }, "claims_parameter_supported": { "one_of": ["true"] - } + }, "request_parameter_supported": { "one_of": ["true"] - } + }, 
"authorization_response_iss_parameter_supported": { "one_of": ["true"] - } + }, "client_registration_types_supported": { "one_of": ["automatic"] - } + }, "request_authentication_methods_supported": { "one_of": ["request_object"] - } + }, "request_authentication_signing_alg_values_supported": { "subset_of": ["RS256", "RS512", "ES256", "ES512", "PS256", "PS512"] }
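Review bot: with the commas and the two stray `}` lines fixed the OP policy now parses, but values visible in this hunk are still wrong. `code_challenge_methods_supported` is constrained to `["authorization_code", "refresh_token"]`, which are grant types, not PKCE methods (the grant list was copied one key too far; the method matching the `code_verifier` in the token request is S256). `claims_parameter_supported`, `request_parameter_supported` and `authorization_response_iss_parameter_supported` are booleans in the metadata, so `"one_of": ["true"]` compares a string with a boolean; use `[true]`. And `subject_types_supported`, `token_endpoint_auth_methods_supported`, `revocation_endpoint_auth_methods_supported`, `client_registration_types_supported` and `request_authentication_methods_supported` are arrays, so they take `subset_of` like `request_authentication_signing_alg_values_supported` at the end of the hunk, not `one_of`.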