vdzhuvinov added a commit to vdzhuvinov/federation that referenced this issue on Jan 17, 2025.
The current draft allows `value` + `essential` combinations unconditionally: https://openid.github.io/federation/main.html#section-6.1.3.1.1

The special case when a `value=null` is combined with an `essential=true` can never be satisfied, hence that's an inconsistent policy.

Example:

TA policy to clear any logo URI from RP metadata:

Intermediate policy:

Under the current rules the combination is allowed, resulting in:

Metadata will always fail this policy combination, hence that could never cause a security issue.

The fix: The combination of `value` + `essential` must be made conditional: `value` MAY be combined with `essential`, except when `value` is null and `essential` false.
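As an added illustration, not code from the issue or from the federation project: a small Python model of the `value` and `essential` operators, how they merge down a trust chain, and the proposed consistency check that rejects `value=null` + `essential=true` at merge time instead of letting every resolution fail. It assumes the draft's merge semantics (conflicting `value` operators are an error, `essential` is OR-ed); the function names and the sample RP metadata are my own.

```python
# Added example (not the federation project's code) modelling the `value` and
# `essential` operators from this issue; merge rules and names are assumptions.
class PolicyError(Exception):
    """An inconsistent policy, or metadata that cannot satisfy it."""

def merge_policies(superior: dict, subordinate: dict) -> dict:
    """Merge per-parameter policies, e.g. a TA policy with an intermediate's."""
    merged = {}
    for param in set(superior) | set(subordinate):
        a, b = superior.get(param, {}), subordinate.get(param, {})
        ops = {}
        if "value" in a and "value" in b and a["value"] != b["value"]:
            raise PolicyError(f"{param}: conflicting value operators")
        if "value" in a or "value" in b:
            ops["value"] = a["value"] if "value" in a else b["value"]
        if "essential" in a or "essential" in b:
            # essential merges with logical OR: once essential, always essential
            ops["essential"] = bool(a.get("essential")) or bool(b.get("essential"))
        merged[param] = ops
    return merged

def inconsistent_params(policy: dict) -> list:
    """Proposed fix: value=null with essential=true is unsatisfiable; report it at merge time."""
    return sorted(p for p, ops in policy.items()
                  if "value" in ops and ops["value"] is None and ops.get("essential"))

def apply_policy(policy: dict, metadata: dict) -> dict:
    """Apply a merged policy; value=null removes the parameter, essential requires it."""
    result = dict(metadata)
    for param, ops in policy.items():
        if "value" in ops:
            if ops["value"] is None:
                result.pop(param, None)
            else:
                result[param] = ops["value"]
        if ops.get("essential") and result.get(param) is None:
            raise PolicyError(f"{param}: essential parameter is missing")
    return result

def satisfiable(policy: dict, metadata: dict) -> bool:
    try:
        apply_policy(policy, metadata)
        return True
    except PolicyError:
        return False

# Constructed sample mirroring the issue: TA clears logo_uri, intermediate makes it essential.
TA_POLICY = {"logo_uri": {"value": None}}
INTERMEDIATE_POLICY = {"logo_uri": {"essential": True}}
RP_METADATA = {"logo_uri": "https://rp.example/logo.png"}  # constructed RP metadata
```

With the sample policies, `merge_policies` produces `{"logo_uri": {"value": None, "essential": True}}`, which `inconsistent_params` flags and which no RP metadata can satisfy; swapping the TA's null for a concrete URI passes the check and resolves normally.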