OpenID federation specifies the option to push a trust_chain in the authorization_request.
This leads to large payloads that require a lot of verification logic for the OP.
Would it not be easier for the RP to send a resolve request of where the OP can find the RP?
E.g.
?resolve_uri=https://dev.swedenconnect.se/oidf/resolver/resolve?sub=https://dev.swedenconnect.se/demo/rp&trust_anchor=https://dev.swedenconnect.se/oidf/ta
The OP could then resolve the RP easily. The OP must do some sanity checks but does not need to implement all validation logic.
- Only perform requests for resolvers it recognises.
- Only trust responses that are signed with a trusted key (signed by the resolver)
OpenID federation specifies the option to push a trust_chain in the authorization_request.
This leads to large payloads that require a lot of verification logic for the OP.
Would it not be easier for the RP to send a resolve request of where the OP can find the RP?
E.g.
?resolve_uri=https://dev.swedenconnect.se/oidf/resolver/resolve?sub=https://dev.swedenconnect.se/demo/rp&trust_anchor=https://dev.swedenconnect.se/oidf/taThe OP could then resolve the RP easily. The OP must do some sanity checks but does not need to implement all validation logic.