Difference between revisions of "Provider Discovery"

From MgmtWiki
Latest revision as of 15:15, 5 March 2021

Full Title or Meme

Wherever a Relying Party or Verifier wants to get information about the provider of an Assertion, it can use Provider Discovery.

Context

In order that an Identity, Attribute or Identity provider can expose both its principles and its capabilities to the public, a Federation Trust Repository must be maintained and trusted by any digital endpoint that is part of the Ecosystem or Trust Federation.

OpenID Discovery Spec

  • OpenID Connect Federation 1.0 - draft 10 (https://openid.net/specs/openid-connect-federation-1_0.html)
    The OpenID Connect standard specifies how a Relying Party (RP) can discover metadata about an OpenID Provider (OP), and then register to obtain RP credentials. The Provider Discovery and registration process does not involve any mechanisms of dynamically establishing trust in the exchanged information, but instead relies on out-of-band trust establishment. In an identity federation context, this is not sufficient. The participants of the federation must be able to trust information provided about other participants in the federation. OpenID Connect Federations specifies how trust can be dynamically obtained by resolving trust from a common trusted third party.
{
  "issuer":
    "https://server.example.com",
  "authorization_endpoint":
    "https://server.example.com/connect/authorize",
  "token_endpoint":
    "https://server.example.com/connect/token",
  "token_endpoint_auth_methods_supported":
    ["client_secret_basic", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported":
    ["RS256", "ES256"],
  "userinfo_endpoint":
    "https://server.example.com/connect/userinfo",
  "check_session_iframe":
    "https://server.example.com/connect/check_session",
  "end_session_endpoint":
    "https://server.example.com/connect/end_session",
  "jwks_uri":
    "https://server.example.com/jwks.json",
  "registration_endpoint":
    "https://server.example.com/connect/register",
  "scopes_supported":
    ["openid", "profile", "email", "address",
     "phone", "offline_access"],
  "response_types_supported":
    ["code", "code id_token", "id_token", "token id_token"],
  "acr_values_supported":
    ["urn:mace:incommon:iap:silver",
     "urn:mace:incommon:iap:bronze"],
  "subject_types_supported":
    ["public", "pairwise"],
  "userinfo_signing_alg_values_supported":
    ["RS256", "ES256", "HS256"],
  "userinfo_encryption_alg_values_supported":
    ["RSA1_5", "A128KW"],
  "userinfo_encryption_enc_values_supported":
    ["A128CBC-HS256", "A128GCM"],
  "id_token_signing_alg_values_supported":
    ["RS256", "ES256", "HS256"],
  "id_token_encryption_alg_values_supported":
    ["RSA1_5", "A128KW"],
  "id_token_encryption_enc_values_supported":
    ["A128CBC-HS256", "A128GCM"],
  "request_object_signing_alg_values_supported":
    ["none", "RS256", "ES256"],
  "display_values_supported":
    ["page", "popup"],
  "claim_types_supported":
    ["normal", "distributed"],
  "claims_supported":
    ["sub", "iss", "auth_time", "acr",
     "name", "given_name", "family_name", "nickname",
     "profile", "picture", "website",
     "email", "email_verified", "locale", "zoneinfo",
     "http://example.info/claims/groups"],
  "claims_parameter_supported":
    true,
  "service_documentation":
    "http://server.example.com/connect/service_documentation.html",
  "ui_locales_supported":
    ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
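The metadata document above is what a Relying Party receives from the provider's discovery endpoint, and the quoted draft makes the point that nothing in that exchange establishes trust by itself. As an added example (my own code, not from the wiki page, the OpenID Foundation or any library), the Python below shows the checks a Relying Party should run on a discovery document before it uses any endpoint in it: the issuer value must match the identifier the document was fetched under, the issuer and endpoints must be https, the ID token algorithms must include RS256 and must not include "none", and the issuer must appear in an out-of-band list of trusted issuers, which stands in for the Federation Trust Repository described in the Context section (in a federation, that list would be replaced by resolution against the common trusted third party). The sample document is a trimmed copy of the page's example, embedded as a string so the code runs offline; the HTTP fetch is left out and the function names are mine.

```python
"""Validate an OpenID Connect discovery document before trusting it.

Added example, not code from the wiki page or the OpenID specs. It checks
the metadata a Relying Party fetched from <issuer>/.well-known/openid-configuration
before any endpoint in it is used.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the discovery document shown on the page.
SAMPLE_DISCOVERY_DOC = """{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/connect/authorize",
  "token_endpoint": "https://server.example.com/connect/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "userinfo_endpoint": "https://server.example.com/connect/userinfo",
  "jwks_uri": "https://server.example.com/jwks.json",
  "registration_endpoint": "https://server.example.com/connect/register",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256", "ES256"],
  "service_documentation": "http://server.example.com/connect/service_documentation.html"
}"""

# Fields OpenID Connect Discovery marks as REQUIRED (token_endpoint is handled below).
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
# Endpoints the RP will send requests or tokens to; all of them must be https.
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "registration_endpoint", "end_session_endpoint",
)


def discovery_url(issuer: str) -> str:
    """Location the RP fetches metadata from: the well-known path appended to the
    issuer identifier, keeping any path component of the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _is_https(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_discovery(raw: str, expected_issuer: str, trusted_issuers: set) -> list:
    """Return a list of findings; an empty list means the document may be used.

    expected_issuer is the issuer identifier the RP built the discovery URL from;
    trusted_issuers is the RP's out-of-band list (hypothetical stand-in for a
    Federation Trust Repository) of issuers it has agreed to accept.
    """
    findings = []
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"metadata is not valid JSON: {exc}"]

    for key in REQUIRED_FIELDS:
        if key not in doc:
            findings.append(f"missing required field {key}")

    issuer = doc.get("issuer")
    # The issuer in the document must be the one the RP asked for, so that a
    # document served for one issuer cannot be passed off as another's.
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} does not match fetched location {expected_issuer!r}")
    if issuer is not None:
        parts = urlsplit(issuer)
        if parts.scheme != "https" or parts.query or parts.fragment:
            findings.append("issuer must be an https URL without query or fragment")
    # Discovery alone proves nothing about who the issuer is; trust comes from
    # the RP's own list (or, in a federation, from the trusted third party).
    if issuer not in trusted_issuers:
        findings.append(f"issuer {issuer!r} is not in the trusted issuer list")

    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is not None and not _is_https(url):
            findings.append(f"{key} must be https: {url}")

    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append("id_token_signing_alg_values_supported must include RS256")
    if "none" in algs:
        findings.append("unsigned ID tokens (alg none) must not be accepted")

    code_flow = any("code" in rt.split() for rt in doc.get("response_types_supported", []))
    if code_flow and "token_endpoint" not in doc:
        findings.append("token_endpoint is required when the code flow is supported")
    return findings


if __name__ == "__main__":
    print(discovery_url("https://server.example.com"))
    print(validate_discovery(SAMPLE_DISCOVERY_DOC, "https://server.example.com",
                             {"https://server.example.com"}))
```

With the page's own document and the issuer on the trusted list the function returns no findings; the same document presented under a different issuer, or with "none" added to the ID token algorithms, is rejected before any endpoint is contacted. Note that `request_object_signing_alg_values_supported` legitimately lists "none" in the page's example and is not flagged; the check is specific to ID token signing.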

Problem

Solution

References

  • A Federation will typically have a Trust Authority to provide signed certifications or credentials. It should also provide an endpoint for discovery.
  • The NIST Cloud Federation Reference Architecture (https://www.nist.gov/publications/nist-cloud-federation-reference-architecture)

Categories: Glossary | Trust