italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

constraints in metadata_policy #301

Closed lucamontano98 closed 5 months ago

lucamontano98 commented 6 months ago

Good Afternoon, I see that metadata statement of trust anchor contains "constraints" claim inside "metadata_policy" for an entity: a Relying Party in my case. On guidelines I read that "constraints" claim must not be inside "metadata_policy", but outside. Is it possible to have "constraints" claim outside the "metadata_policy" dictionary? Thanks.

Best regards.

Luca

peppelinux commented 6 months ago

The dumps of the example projects are in the dumps folder of each example project, here: https://github.com/italia/spid-cie-oidc-django/tree/main/examples

Using the example project I don't see this issue http://localhost:8000/fetch?sub=http://127.0.0.1:8000/oidc/rp&format=json

can you please provide me the url of the http request to get the subordinate entity statement where this issue is visible?

lucamontano98 commented 6 months ago

I use http://trust-anchor.org:8000/fetch?sub=http://provaoidc.org:8280/OIDCGenerator/rest/rp/&format=json to get the entity statement, where the value of sub is the identifier of the Relying Party I have locally. I tried to print strings on container standard output console and I found that the method "entity_statement_as_dict" defined in authority/models.py manage a dictionary named "policies" which contains {'openid_relying_party': {'grant_types': {'subset_of': ['authorization_code', 'refresh_token']}, 'constraints': {'max_path_length': 1}}}, where 'constraints' occurs exactly in the same position inside the metadata_policy of the Relying Party. Can you tell me how can I solve this problem, please? Thanks a lot.

Luca

peppelinux commented 6 months ago

this is what I take from the example projects, using http://localhost:8000/fetch?sub=http://127.0.0.1:8000/oidc/rp&format=json

{
  "exp": 1704560575,
  "iat": 1704387775,
  "iss": "http://127.0.0.1:8000",
  "sub": "http://127.0.0.1:8000/oidc/rp",
  "jwks": {
    "keys": [
      {
        "kty": "RSA",
        "e": "AQAB",
        "n": "pn_IchC66SFQMhbTHLtbD58jKiYYvYo7S4wjPjzECMu27c6FJVFNXtlubtb7sC6-WTQ1Hv4rSQdPhafJbIxa32R51sRQpkTr3JFMYP7x22DRQD_ixtQJRaiHw-npnZ8qgVHJ_t4gRTc4HJkehBLGv4-rHVAKzFiQNU1u2AFw1fWMnMH4ob_pyisXVgcku3dy14l7sYSANlpXufY_qnkQFTv0wMH-C6Izl-akENS2UHpvTLhfCBVKPrFXJxul4XDbUwUbvNZUxTernEx8lV5gxCSgKSBEgoH9MgpD1YWFPbAnwi7p7e7MNGz5lH7eDFKkPQhXLWABU8UvEIIWyA95SQ",
        "kid": "k54HQtDibyGcs9ZWVMfviHf-2qLcFUtpwY2rgxBk88M"
      }
    ]
  },
  "metadata_policy": {
    "openid_relying_party": {
      "scope": {
        "superset_of": [
          "openid"
        ],
        "subset_of": [
          "openid",
          "offline_access",
          "profile",
          "email"
        ]
      },
      "contacts": {
        "add": [
          "ciao@email.it"
        ]
      }
    }
  },
  "source_endpoint": "http://127.0.0.1:8000/fetch",
  "trust_marks": [
    {
      "id": "https://www.spid.gov.it/openid-federation/agreement/sp-public",
      "trust_mark": "eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiQlh2ZnJsbmhBTXVIUjA3YWpVbUFjQlJRY1N6bXcwY19SQWdKbnBTLTlXUSJ9.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwMDAiLCJzdWIiOiJodHRwOi8vMTI3LjAuMC4xOjgwMDAvb2lkYy9ycCIsImlhdCI6MTcwNDM4Nzc3NSwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZXJ0aWZpY2F0aW9uL3JwIiwibWFyayI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvaXRhbGlhL3NwaWQvc3BpZC1yZWdvbGUtdGVjbmljaGUtb2lkYy9pdC9zdGFiaWxlL2luZGV4Lmh0bWwifQ.e5oSwvZJ7DVYaXvCpz45uzzwos6GW0zGlgDmR0u_L8_oUePHV7nkfF56nimsY-zQkhw1UUo0PHGbZfYsFyPSTuPJjZAmbtf_M2mqRE32I4FGGzsmRbVxYJxgxuQB6cV5Q-B3BDbVRSVcs-sxIWO4kgBl3ILB4tozkcwZXW76XBW_CrUN1KDWKwUiY03ecUzkRJCRyMHDBwSwTDCSRh2IiCsHAT7wZZMOdaJgQ00plc_MrZ_NuLIYGPzDZ-uL4-eS5ZWLfzZO0AHRS6kSoOb2GLowqdMW4SwSUzn0jWlOwdzC3rfsCgHCt68QD2kENthtsalzzpXE0UaVIElwzy5o7w"
    },
    {
      "id": "https://www.spid.gov.it/openid-federation/agreement/sp-private",
      "trust_mark": "eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiQlh2ZnJsbmhBTXVIUjA3YWpVbUFjQlJRY1N6bXcwY19SQWdKbnBTLTlXUSJ9.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwMDAiLCJzdWIiOiJodHRwOi8vMTI3LjAuMC4xOjgwMDAvb2lkYy9ycCIsImlhdCI6MTcwNDM4Nzc3NSwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZXJ0aWZpY2F0aW9uL3JwL3ByaXZhdGUiLCJsb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvaXRhbGlhL3NwaWQvc3BpZC1yZWdvbGUtdGVjbmljaGUtb2lkYy9pdC9zdGFiaWxlL2luZGV4Lmh0bWwifQ.R3m-0kGLOosInhy-eT74AjczD5k3W_7_Bl5BQaZ5K1GjcVvXY3VwnSNZUhxEwbxQmLcBsTRYhV1U_Fuca4SfOAVEibohmTluw5z3YCHIr-vnH5ghuIsABDvSwv1PG-isJudmx7_DwKScbK9UWIBkPADKbF0bdVMG6vK4EIPK8SJP3fgUpiEtyvqFx8qsHG55FEhvHADEAFZUe1cbdrEdaSpg_pyavAuSecge1T5jOIGrVPyNPcGnN0TaQ17oEpXcKMl9omaR7PTGqfE5PQPOs2T5w7Zc7viVB3BcvPJ01pWFiZrPIO1KsPkZ4b8ahC80ptPJrUHbaj8JeAdjKgLVug"
    }
  ]
}

this is the code that you have kindly mentioned, and in the code I don't see any load of the constraints within the metadata_policies: https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/authority/models.py#L175

I don't see any constraint within the default policies (that should be overridden in the project settings) https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/authority/settings.py#L22

I would investigate more in your policies configuration if possible

lucamontano98 commented 6 months ago

Hello, I used the same call you typed and I got the same result. The following is the entity statement I obtain when I invoke the fetch endpoint of the trust anchor mentioned above using the subject I defined:

{
  "exp": 1704630594,
  "iat": 1704457794,
  "iss": "http://trust-anchor.org:8000",
  "sub": "http://provaoidc.org:8280/OIDCGenerator/rest/rp/",
  "jwks": {
    "keys": [
      {
        "kty": "RSA",
        "e": "AQAB",
        "kid": "nzYmug8MfEfaRloh7NFozdZUWR-9AJUPwzGFnlhQprw",
        "n": "t2tc-bhQxrrXFN96IU0niHvf9zaYJKA5iFJGIyi-e86KNN_OewqUJsd9rOHDGi8i0GiCkWTj-Lp-qvFtcuCNI3561mxFYyWVb8RO6-6KMRkzLDkUsyH_Jd2oekcmTuj1Ed_d50dfwo5nXzMDds4NBoDwVJWBI3bM99Boduuh5jaOcs3emgDs8oSQ4FyeGT2GM7Dv4OfJ2oArdX9kwvo4xtqdxqgwK2_UoSle8tq8fwusGkmhyTP1aT8xR3rM5CRM-ZLT13x_Omg22-uif6vkvG5p516nhj3B-n7ZPZixA-131aVPW1Mky5dsUFbsJQEPrBoRCDAcq9xrYmE0BrRDTQ"
      }
    ]
  },
  "metadata_policy": {
    "openid_relying_party": {
      "grant_types": {
        "subset_of": [
          "authorization_code",
          "refresh_token"
        ]
      },
      "constraints": {
        "max_path_length": 1
      }
    }
  },
  "source_endpoint": "http://trust-anchor.org:8000/fetch",
  "trust_marks": [
    {
      "id": "https://www.spid.gov.it/openid-federation/agreement/sp-private",
      "trust_mark": "eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiQlh2ZnJsbmhBTXVIUjA3YWpVbUFjQlJRY1N6bXcwY19SQWdKbnBTLTlXUSJ9.eyJpc3MiOiJodHRwOi8vdHJ1c3QtYW5jaG9yLm9yZzo4MDAwIiwic3ViIjoiaHR0cDovL3Byb3Zhb2lkYy5vcmc6ODI4MC9PSURDR2VuZXJhdG9yL3Jlc3QvcnAvIiwiaWF0IjoxNzA0NDU3Nzk0LCJpZCI6Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAvcHJpdmF0ZSIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0cHM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWNuaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9.Gs-pMawwh8iXWoDT6gnINE7S8NZwakYYonAppyGxs1R_IUnxk1czJLrf_xvtEvJ4GAlQRJKyEjKLPl5Xmcg0xyI_C9bQja8bmUs8XqFJd-qE7jAC_bKxe_xOEVyLcEKbWmXSz2CSkIXFiDbIISjNWLHgnRchl3Bl2-jhkKu_plOBAEZ736hPfA-w4qGXijqCmo8wpzKQENBkO7kJF4HAA1GVkPNGuwkAdNNNfzqthVtw3mGxpjxJgifu7cat_IkGczILupZeRIt3k8Eq9ZRPPauwrNrY9VT0KyaKIgv-Fv5nwbgBpwxPI7HPWobKtYRIUz7BRxRd6BdFjmPjf0c7qA"
    }
  ]
}

Should I provide you with other kinds of information? Thanks.

Luca

peppelinux commented 6 months ago

I believe that you have put a constraint in the json of the metadata_policy, in the instance of FederationDescendant (SQL table)

if you confirm this it would be a configuration error.

we can add a json schema validator on that to prevent this kind of human error during the configurations.

while the default metadata, configured in your project's settings, could have the same configuration error. So, please, check these two places and give feedback when possible
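A check of the kind suggested above, written as an added example and not code from spid-cie-oidc-django: it flags a `constraints` object nested inside `metadata_policy` (where only per-parameter policy operators belong) and moves it to the top level of the entity statement, where OpenID Federation places it. The function names, the operator list and the sample statement are assumptions constructed for this example.

```python
# Added example (not the project's code): detect and repair the misconfiguration
# discussed in this issue, a "constraints" object stored inside "metadata_policy".
import copy

# Metadata policy operators defined by OpenID Federation 1.0 (assumed complete here).
POLICY_OPERATORS = {"value", "add", "default", "one_of", "subset_of", "superset_of", "essential"}


def validate_metadata_policy(statement: dict) -> list[str]:
    """Return a list of problems found in statement["metadata_policy"]; empty means OK."""
    errors = []
    policy = statement.get("metadata_policy", {})
    for entity_type, params in policy.items():
        if not isinstance(params, dict):
            errors.append(f"{entity_type}: policy must be an object")
            continue
        for param, ops in params.items():
            if param == "constraints":
                # "constraints" is a top-level claim of the statement, not a policy entry.
                errors.append(f"{entity_type}: 'constraints' must be a top-level claim, not a policy entry")
                continue
            if not isinstance(ops, dict):
                errors.append(f"{entity_type}.{param}: policy entry must map operators to values")
                continue
            unknown = set(ops) - POLICY_OPERATORS
            if unknown:
                errors.append(f"{entity_type}.{param}: unknown policy operators {sorted(unknown)}")
    return errors


def relocate_constraints(statement: dict) -> dict:
    """Return a copy with any nested 'constraints' moved to the top level of the statement."""
    fixed = copy.deepcopy(statement)
    for params in fixed.get("metadata_policy", {}).values():
        if isinstance(params, dict) and "constraints" in params:
            fixed.setdefault("constraints", {}).update(params.pop("constraints"))
    return fixed


# Constructed sample mirroring the misconfigured statement reported in this issue.
BROKEN = {
    "iss": "http://trust-anchor.org:8000",
    "sub": "http://provaoidc.org:8280/OIDCGenerator/rest/rp/",
    "metadata_policy": {"openid_relying_party": {
        "grant_types": {"subset_of": ["authorization_code", "refresh_token"]},
        "constraints": {"max_path_length": 1},
    }},
}

if __name__ == "__main__":
    print(validate_metadata_policy(BROKEN))                         # one error
    print(validate_metadata_policy(relocate_constraints(BROKEN)))   # []
```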

lucamontano98 commented 5 months ago

I think I resolved my problem. Thanks a lot!

Luca