Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate explicit registration audiences #91

Merged
merged 6 commits into from
Oct 2, 2024
Merged
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions openid-federation-1_0.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6389,6 +6389,8 @@ HTTP/1.1 302 Found
<vspace/>
REQUIRED.
Its value MUST be the Entity Identifier of the OP.
This claim is only used in Explicit Registration requests,
since it is not a general Entity Statement claim.
</t>
<t hangText="authority_hints">
<vspace/>
Expand Down Expand Up @@ -6437,6 +6439,13 @@ HTTP/1.1 302 Found
the content type to determine whether it contains an Entity Configuration
or an entire Trust Chain.
</t>
<t>
The OP MUST validate the RP's explicit registration request JWT.
All the normal Entity Statement validation rules apply.
In addition, if the <spanx style="verb">aud</spanx> (audience)
claim value is not the Entity Identifier of the OP,
then the request MUST be rejected.
</t>
<t>
If the request contains an Entity Configuration the OP
MUST use it to complete the Federation Entity Discovery by
Expand Down Expand Up @@ -6610,10 +6619,10 @@ HTTP/1.1 302 Found
<t hangText="aud">
<vspace/>
REQUIRED.
Its value MUST be the Entity Identifier of the RP. See
<xref target="RFC7519"/> for the full specification. This
claim is specific to Explicit Registration responses and is
not a general Entity Statement claim.
Its value MUST be the Entity Identifier of the RP.
See <xref target="RFC7519"/> for the full specification.
This claim is used in Explicit Registration responses
but is not a general Entity Statement claim.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep in mind that this issue relates to the "aud" in Entity Statement claims in response to authenticated callers (with private_key_jwt):

#98

</t>
<t hangText="trust_anchor_id">
<vspace/>
Expand Down Expand Up @@ -6677,6 +6686,10 @@ HTTP/1.1 302 Found
in a Trust Chain that the RP successfully resolved for the
OP when it prepared the Explicit Registration request.
</t>
<t>
The RP MUST verify that the <spanx style="verb">aud</spanx> (audience)
claim value is its Entity Identifier.
</t>
<t>
The RP MUST verify that the
<spanx style="verb">trust_anchor_id</spanx> represents one
Expand Down Expand Up @@ -9825,7 +9838,8 @@ Host: op.umu.se
-40
<list style="symbols">
<t>
TBD
Fixed #88: Explicitly require audience validation for
explicit registration requests and responses.
</t>
</list>
</t>
Expand Down