Skip to content

Specify how a federation context is selected in authorization request. #9

Description

@felix-hellman

OpenID federation specifies the option to push a trust_chain in the authorization_request.

This leads to large payloads that require a lot of verification logic for the OP.

Would it not be easier for the RP to send a resolve request of where the OP can find the RP?

E.g.
?resolve_uri=https://dev.swedenconnect.se/oidf/resolver/resolve?sub=https://dev.swedenconnect.se/demo/rp&trust_anchor=https://dev.swedenconnect.se/oidf/ta

The OP could then resolve the RP easily. The OP must do some sanity checks but does not need to implement all validation logic.

  1. Only perform requests for resolvers it recognises.
  2. Only trust responses that are signed with a trusted key (signed by the resolver)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions