
Registration policy constraint now handles entity types#3

Open
martin-lindstrom wants to merge 2 commits into main from update-constraints

Conversation


@martin-lindstrom martin-lindstrom commented Feb 18, 2026

Re-worked how registration policies can be constrained, by re-defining the registration_policy constraint.

See: https://www.oidc.se/openid-federation-registration-policy/update-constraints.html

Closes #2


@Razumain Razumain left a comment


Great. But I suggest some clarifications and possibly simplifications.


```json=
- If the subject Entity is the issuer, but not the subject, of the next Entity Statement in the chain, which is therefore a Subordinate Statement, the type is `federation_entity`.


I think we could apply some easier language here like:

Entities in the chain that issue Subordinate Statements of the chain match, and only match, the federation_entity Entity Type in relation to registration policies.

The Leaf Entity of a chain that is represented by an Entity Configuration matches the metadata types declared in that Entity Configuration.

> - If the subject Entity is both the issuer and the subject of the next Entity Statement in the chain, that statement is an Entity Configuration, and the type, or types, of the subject Entity are the metadata types declared in that Entity Configuration.

> The constraint evaluation process is as follows:


Also here I think we could simplify and mention the chaining aspect. That is, that each constraining rule applies to all Entities below the subject. Proposal:

"Constraints expressed in a Subordinate Statement apply to all Entities of a chain that are subordinate to the subject of that Subordinate Statement, all the way down to the Leaf Entity of the chain.

A constraint rule applies to all relevant subordinate Entities where the Entity Type of the constraint rule matches the Entity Type of the subordinate Entity."
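Added illustration, not part of the pull request or of either participant's comments: a small Python model of the two rules discussed above, entity typing along a trust chain (an Entity that issues the next Subordinate Statement is a `federation_entity`; a Leaf Entity takes the metadata types declared in its own Entity Configuration) and the scoping of constraints from a Subordinate Statement to the Entities below its subject. The chain order (Trust Anchor Entity Configuration first, Leaf Entity Configuration last), the `registration_policy_constraints` field name, the "entity type to opaque rule" shape of a constraint, and the `include_subject` switch are assumptions of this example, not anything the specification defines; the sample chain is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

FEDERATION_ENTITY = "federation_entity"


@dataclass
class EntityStatement:
    """Minimal model of a decoded Entity Statement payload.

    Only the claims needed here are modelled. The field name
    `registration_policy_constraints` and its shape (entity type -> opaque
    rule object) are assumptions of this example, not spec claims.
    """
    iss: str
    sub: str
    metadata: dict = field(default_factory=dict)
    registration_policy_constraints: dict = field(default_factory=dict)

    @property
    def is_entity_configuration(self) -> bool:
        # An Entity Configuration is self-issued; anything else is a
        # Subordinate Statement.
        return self.iss == self.sub


def entity_types(chain: list[EntityStatement]) -> dict[str, list[str]]:
    """Derive the entity type(s) of every subject in a trust chain.

    Assumed chain order: the Trust Anchor's Entity Configuration first, then
    each Subordinate Statement downwards, ending with the Leaf's Entity
    Configuration. The type of the subject of statement i is decided by
    statement i+1, as the quoted text describes.
    """
    if len(chain) < 2:
        raise ValueError("a trust chain needs at least two statements")
    types: dict[str, list[str]] = {}
    for stmt, nxt in zip(chain, chain[1:]):
        subject = stmt.sub
        if nxt.iss != subject:
            raise ValueError(f"chain not linked: {subject} did not issue the next statement")
        if nxt.sub != subject:
            # Subject issues a Subordinate Statement about another Entity.
            types[subject] = [FEDERATION_ENTITY]
        else:
            # Next statement is the subject's own Entity Configuration, so its
            # types are the metadata types declared there.
            types[subject] = sorted(nxt.metadata)
    return types


def applicable_constraints(
    chain: list[EntityStatement], include_subject: bool = False
) -> dict[str, list[tuple[str, str, object]]]:
    """Map each Entity to the (issuer, entity type, rule) triples that bind it.

    A rule found in a Subordinate Statement reaches every Entity below that
    statement's subject whose type matches the rule's entity type. The
    reviewer's wording reads as "strictly below"; `include_subject=True`
    models the alternative reading that the subject itself is bound too
    (which reading is intended is not settled on the page).
    """
    types = entity_types(chain)
    result: dict[str, list[tuple[str, str, object]]] = {s: [] for s in types}
    for i, stmt in enumerate(chain):
        if stmt.is_entity_configuration:
            continue  # constraints are only carried by Subordinate Statements
        start = i if include_subject else i + 1
        # Ordered, de-duplicated subjects from this point down to the leaf.
        targets = list(dict.fromkeys(s.sub for s in chain[start:]))
        for target in targets:
            if not include_subject and target == stmt.sub:
                continue
            for etype, rule in stmt.registration_policy_constraints.items():
                if etype in types[target]:
                    result[target].append((stmt.iss, etype, rule))
    return result


# Constructed sample chain: Trust Anchor -> Intermediate -> Relying Party.
SAMPLE_CHAIN = [
    EntityStatement("https://ta.example", "https://ta.example",
                    metadata={"federation_entity": {}}),
    EntityStatement("https://ta.example", "https://int.example",
                    registration_policy_constraints={"federation_entity": "rule-A",
                                                     "openid_relying_party": "rule-B"}),
    EntityStatement("https://int.example", "https://rp.example",
                    registration_policy_constraints={"openid_relying_party": "rule-C",
                                                     "openid_provider": "rule-D"}),
    EntityStatement("https://rp.example", "https://rp.example",
                    metadata={"openid_relying_party": {}, "federation_entity": {}}),
]

if __name__ == "__main__":
    print(entity_types(SAMPLE_CHAIN))
    print(applicable_constraints(SAMPLE_CHAIN))
    print(applicable_constraints(SAMPLE_CHAIN, include_subject=True))
```

Run it directly to see that under the strictly-below reading the Intermediate's rules about the Relying Party never bind anything, while under the inclusive reading they bind the Relying Party; that difference is exactly why the wording of the "subordinate to the subject" sentence matters.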



Development

Successfully merging this pull request may close these issues.

Proposed structure for registration policy constraints
