Closed SECtim closed 2 days ago
Linking this to #36 - I think it is fine to do it the OIDC way, but then it is not in line with RFC 8615 and the Federation spec should point this out (especially considering RFC 8615 is a normative reference).
We can add the requested clarification. As the spec used to say "Of course, in real multi-tenant deployments, in which the Entity Identifier might be of the form https://multi-tenant-service.example.com/my-tenant-identifier the tenant is very likely to not have control over the path https://multi-tenant-service.example.com/.well-known/openid-federation/my-tenant-identifier whereas it is very likely to have control over the path https://multi-tenant-service.example.com/my-tenant-identifier/.well-known/openid-federation." Developers were against the previous formulation, which required implementations to first try one location, which will usually fail, then try the other, which will then succeed. The old way entailed unnecessary spec and code complexity, a waste of network bandwidth, and was a needless cause of latency.
I certainly agree that the newer formulation is better, especially from a security standpoint: What if the first request (in the old formulation) does NOT fail, but gets an answer (that is not controlled by my-tenant
)?
Of course, one might argue that whoever controls /.well-known/openid-federation/my-tenant-id
can probably also control /my-tenant-id/.well-known/openid-federation
against my will if they want to, but that's a) not always the case, and b) might lead to issues even if the /.well-known/openid-federation/my-tenant-id
response is "honest" (e.g., some non-standard error).
Section 9 currently says: https://github.com/openid/federation/blob/48c673836f1eccfe99b74466093c41c1b708113c/openid-federation-1_0.xml#L5187-L5193
I read this as "take the Entity ID and append
/.well-known/openid-federation
to the (possibly, but not necessarily empty) path component of that Entity ID".However, this is in conflict with RFC 8615, e.g., Section 3:
Also Section 3 (bold text highlighted by me):
And Section 4.1:
Since ID 4 contained a different formulation, I assume that there has been/is some ongoing discussion about this in the WG.