oidc-sweden / specifications

Specifications for the Swedish OpenID Connect profile

Write document on multi value metadata extension of RP/Client metadata for OID fed #111

Open Razumain opened 3 months ago

Razumain commented 3 months ago

See discussion in the OID fed challenges document.

There is a problem for RP and Client entities to express their capabilities as some metadata parameters can only be used to express a single value. This may be unsuitable for a metadata record that is meant to be used against multiple services.

E.g. one OP may have an EC key, while another may use an RSA key. It will in this case be impossible to specify a suitable signature algorithm for items signed by the OP using a single value.

Razumain commented 1 month ago

There is a new development on this topic.

I raised this with Roland, who also raised it with the OpenID federation team. It has been decided that this is an important issue to solve, and the probable solution is to define new attributes for clients and RPs that extend the single-valued attribute with "_supported".

E.g. the metadata parameter id_token_signed_response_alg is used to express an overall preference (single valued) while id_token_signed_response_alg_supported can hold all the values that the RP can handle.

This does not change the OpenID federation document or profile, as this will be handled like any other metadata parameter. The change instead affects the general OpenID Connect profile.

While we are waiting for the standardisation process to arrive at a final solution for this, we should consider adding this to the Swedish profile in the meantime. I think it is a useful extension in general, as RP metadata today must be shaped individually for every OP. This extension makes it possible to create one RP metadata record that can be used towards any OP.
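The following is an added example, not code from the issue, the Swedish profile or the OpenID federation work. It shows how an OP could consume the proposed extension: the standard single-valued `id_token_signed_response_alg` is treated as the RP's preference and the proposed `id_token_signed_response_alg_supported` list as the set of alternatives, and the OP picks the first one it can actually produce. The RP metadata, the three OP records and the selection rule itself are constructed assumptions for illustration; the thread proposes the `_supported` naming but does not specify how an OP should choose among the values.

```python
"""Negotiating the ID Token signing algorithm from multi-valued RP metadata.

Added example (not part of the issue or of any profile text). It assumes the
"<param>_supported" naming proposed in the discussion and a selection rule
that is itself an assumption: walk the RP's accepted algorithms in
preference order and take the first one the OP supports.
"""
from __future__ import annotations

# Constructed RP metadata: one record intended to work against several OPs.
# "id_token_signed_response_alg" is the standard single-valued preference;
# "id_token_signed_response_alg_supported" is the proposed multi-valued list.
RP_METADATA = {
    "client_name": "Example RP",
    "redirect_uris": ["https://rp.example.com/cb"],
    "id_token_signed_response_alg": "ES256",
    "id_token_signed_response_alg_supported": ["ES256", "ES384", "PS256", "RS256"],
}

# The same RP expressed the way it has to be today: a single value only.
RP_METADATA_SINGLE_VALUED = {
    "client_name": "Example RP (single-valued)",
    "redirect_uris": ["https://rp.example.com/cb"],
    "id_token_signed_response_alg": "ES256",
}

# Constructed OP capabilities, as each OP would advertise them in
# "id_token_signing_alg_values_supported" in its own discovery metadata.
OP_EC = {"issuer": "https://op-ec.example.org",
         "id_token_signing_alg_values_supported": ["ES256", "ES384"]}
OP_RSA = {"issuer": "https://op-rsa.example.org",
          "id_token_signing_alg_values_supported": ["RS256", "PS256"]}
OP_HS = {"issuer": "https://op-hs.example.org",
         "id_token_signing_alg_values_supported": ["HS256"]}


def rp_accepted_algs(rp_metadata: dict, param: str) -> list[str]:
    """Return the algorithms the RP accepts for `param`, most preferred first.

    The single-valued parameter is the RP's preference and goes first; the
    "<param>_supported" list (if present) supplies the alternatives. Without
    the extension the single value is the only acceptable algorithm.
    "none" is never accepted for ID tokens, whatever the metadata says.
    """
    preferred = rp_metadata.get(param)
    supported = rp_metadata.get(f"{param}_supported") or []
    ordered: list[str] = []
    for alg in ([preferred] if preferred else []) + list(supported):
        if alg and alg != "none" and alg not in ordered:
            ordered.append(alg)
    return ordered


def select_id_token_alg(rp_metadata: dict, op_metadata: dict) -> str:
    """Pick the ID Token signing algorithm the OP should use for this RP.

    Raises ValueError when the RP and OP have no algorithm in common, which
    is exactly the failure the issue describes for single-valued metadata:
    an EC-only RP record cannot be used against an RSA-only OP.
    """
    op_algs = set(op_metadata["id_token_signing_alg_values_supported"])
    for alg in rp_accepted_algs(rp_metadata, "id_token_signed_response_alg"):
        if alg in op_algs:
            return alg
    raise ValueError(
        f"no common id_token signing algorithm with {op_metadata['issuer']}"
    )


def negotiate_against_all(rp_metadata: dict, ops: list[dict]) -> dict[str, str | None]:
    """Map each OP issuer to the selected algorithm, or None if none fits."""
    result: dict[str, str | None] = {}
    for op in ops:
        try:
            result[op["issuer"]] = select_id_token_alg(rp_metadata, op)
        except ValueError:
            result[op["issuer"]] = None
    return result


if __name__ == "__main__":
    for label, rp in (("multi-valued", RP_METADATA),
                      ("single-valued", RP_METADATA_SINGLE_VALUED)):
        print(label, negotiate_against_all(rp, [OP_EC, OP_RSA, OP_HS]))
```

With the multi-valued record the same RP metadata negotiates ES256 with the EC OP and PS256 with the RSA OP; the single-valued record only works against the EC OP. The HS256-only OP fails in both cases, which is the correct outcome: the RP never listed a symmetric algorithm, and the selection must not silently fall back to something the RP did not declare.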

martin-lindstrom commented 1 month ago

I am a bit hesitant to include this in Claims and Scopes Specification for the Swedish OpenID Connect Profile since it is something that, hopefully, in the future will be included in the standards.

Wouldn't it be better to define the (temporary) extensions in the OIDC Fed profile-documents?

per-mutzell commented 1 month ago

I agree this would be a generally useful add-on to the RP metadata. Since signing ID tokens is a general thing between RP and OP, I think the logical place for now is as an extension to the Swedish OpenID Connect Profile (like the Authentication Request Parameter Extension).