From e2108743d0a2250ed4a7f8f9938e4febfac5177c Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Sun, 15 Sep 2024 19:35:20 -0700 Subject: [PATCH 1/4] Validate explicit registration audiences --- openid-federation-1_0.xml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 8977f1b..5f580bc 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -6389,6 +6389,8 @@ HTTP/1.1 302 Found REQUIRED. Its value MUST be the Entity Identifier of the OP. + This claim is used in Explicit Registration requests + but is not a general Entity Statement claim. @@ -6437,6 +6439,13 @@ HTTP/1.1 302 Found the content type to determine whether it contains an Entity Configuration or an entire Trust Chain. + + The OP MUST validate the RP's explicit registration request JWT. + All the normal Entity Statement validation rules apply. + In addition, if the aud (audience) + Claim value is not the Entity Identifier of the OP, + then the request MUST be rejected. + If the request contains an Entity Configuration the OP MUST use it to complete the Federation Entity Discovery by @@ -6610,10 +6619,10 @@ HTTP/1.1 302 Found REQUIRED. - Its value MUST be the Entity Identifier of the RP. See - for the full specification. This - claim is specific to Explicit Registration responses and is - not a general Entity Statement claim. + Its value MUST be the Entity Identifier of the RP. + See for the full specification. + This claim is used in Explicit Registration responses + but is not a general Entity Statement claim. @@ -6677,6 +6686,10 @@ HTTP/1.1 302 Found in a Trust Chain that the RP successfully resolved for the OP when it prepared the Explicit Registration request. + + The RP MUST verify that the aud (audience) + claim value is its Entity Identifier. + The RP MUST verify that the trust_anchor_id represents one 
@@ -9875,6 +9888,10 @@ Host: op.umu.se Fixed #58: Require authority_hints value to contain the Entity Identifiers of all Immediate Superiors. + + Fixed #88: Explicitly require audience validation for + explicit registration requests and responses. + From 7128f7855f4238e05558593e08967744dcd457f0 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Sat, 21 Sep 2024 13:43:45 -0700 Subject: [PATCH 2/4] Applied Guiseppe's suggestion Co-authored-by: Giuseppe De Marco --- openid-federation-1_0.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 5f580bc..509d882 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -6389,8 +6389,8 @@ HTTP/1.1 302 Found REQUIRED. Its value MUST be the Entity Identifier of the OP. - This claim is used in Explicit Registration requests - but is not a general Entity Statement claim. + This claim is only used in Explicit Registration requests, + since it is not a general Entity Statement claim. From 71a39607a2e4415e5553ef0618cad0f9e19d4a53 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Sat, 21 Sep 2024 13:44:02 -0700 Subject: [PATCH 3/4] Applied Guiseppe's suggestion Co-authored-by: Giuseppe De Marco --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 509d882..2cf313f 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -6443,7 +6443,7 @@ HTTP/1.1 302 Found The OP MUST validate the RP's explicit registration request JWT. All the normal Entity Statement validation rules apply. In addition, if the aud (audience) - Claim value is not the Entity Identifier of the OP, + claim value is not the Entity Identifier of the OP, then the request MUST be rejected. From ff9caa4b2a1073bcd8e57b6db4053e9b3900e772 Mon Sep 17 00:00:00 2001 
From: Michael Jones Date: Sat, 21 Sep 2024 13:55:51 -0700 Subject: [PATCH 4/4] Move history entry to -40 --- openid-federation-1_0.xml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index aee09b1..54a612d 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -9838,7 +9838,8 @@ Host: op.umu.se -40 - TBD + Fixed #88: Explicitly require audience validation for + explicit registration requests and responses. @@ -9897,10 +9898,6 @@ Host: op.umu.se Fixed #58: Require authority_hints value to contain the Entity Identifiers of all Immediate Superiors. - - Fixed #88: Explicitly require audience validation for - explicit registration requests and responses. -
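Review bot: the rejection rule added in patch 1 at the @@ -6437 hunk ("if the aud (audience) Claim value is not the Entity Identifier of the OP, then the request MUST be rejected") does not say what happens when aud is absent or carries more than one value. The context at 6389 marks aud REQUIRED, but the same patch says it "is not a general Entity Statement claim", so the "normal Entity Statement validation rules" the paragraph relies on will not enforce its presence. Suggest "the request MUST be rejected if the aud claim is absent or if its value is not the Entity Identifier of the OP", and state whether an aud array (permitted by RFC 7519) is accepted when it contains the OP's identifier. "Claim" should also be lower-case to match "claim" in the rest of the hunk; patch 3 makes that one-character fix, and it belongs folded into this commit.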
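Review bot: the RP-side check added in patch 1 at the @@ -6677 hunk ("The RP MUST verify that the aud (audience) claim value is its Entity Identifier") states the check but not the consequence, whereas the OP-side text in the same patch ends with "then the request MUST be rejected". Suggest mirroring it, e.g. "and MUST reject the response otherwise", so both directions carry the same normative force; the absent-or-multi-valued aud question raised for the OP side applies here as well.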
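Review bot: the history entry added in patch 1 at the @@ -9875 hunk, directly after "Fixed #58", lands in the wrong version section; patch 4 then moves the identical two lines into the -40 block that still reads "TBD". Put the entry in the -40 block in this commit and drop patch 4, so the series does not add and later delete the same text.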
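Review bot: the rewording in patch 2 at the @@ -6389 hunk, "This claim is only used in Explicit Registration requests, since it is not a general Entity Statement claim", makes not being a general claim the reason for the restricted use, which reads backwards; "and is not" or the previous "but is not" states the same fact without the causal link. The parallel response-side sentence left by patch 1 at 6619 ("This claim is used in Explicit Registration responses but is not a general Entity Statement claim") now diverges from the request-side wording; apply the same form to both. The subject line also spells the co-author's name "Guiseppe" while the Co-authored-by trailer has "Giuseppe".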
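Review bot: the index line of patch 4 ("index aee09b1..54a612d") does not start from the blob that patch 3 produced ("index 509d882..2cf313f"), and its second hunk is at @@ -9897 where patch 1 placed the entry at 9888, so the series is not contiguous as posted and will not apply on top of patch 3 without whatever intermediate commit produced aee09b1. Rebase so the four patches chain, or squash this move into patch 1, since its only content is relocating the entry patch 1 added.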