Write document on multi value metadata extension of RP/Client metadata for OID fed

[Razumain]

Se discussion in the OID fed challenges document.

There is a problem for RP and Client entities to express their capabilities as some metadata parameters can only be used to express a single value. This may be unsuitable for a metadata record that is meant to be used against multiple services.

E.g. one OP may have an EC key, while another may use an RSA key. It will in this case be impossible to specify a suitable signature algorithm for items signed by the OP using a single value.

[Razumain]

There is a new development on this topic.

I raised this with Roland who also raised this with the OpenID federation team. It has been decided that this is an important issue to solve and the probable solution is to define new attributes for clients and RP that extend the single valued attribute with "_supported".

E.g. the metadata parameter id_token_signed_response_alg is used to express an overall preference (single valued) while id_token_signed_response_alg_supported can hold all the values that the RP can handle.

This does not change the OpenID federation document or profile as this will be handled like any other metadata parameter. The change does instead affect to general OpenID Connect profile.

While we are waiting for the standardisation process to make a final solution for this, we should consider adding this to the Swedish profile in the meanwhile. I think it is a useful extension in general as RP metadata today must be shaped individually for every OP. This extension makes it possible to create one RP metadata that can be used towards any OP.

[martin-lindstrom]

I am a bit hesitant to include this in Claims and Scopes Specification for the Swedish OpenID Connect Profile since it is something that, hopefully, in the future will be included in the standards.

Wouldn't it be better to define the (temporary) extensions in the OIDC Fed profile-documents?

[per-mutzell]

I agree this would be a generally useful add-on to the RP metadata. Since signing id tokens is a general thing between RP and OP, I think to logical place for now is as an extension to the Swedish OpenID Connect Profile (like the Authentication Request Parameter Extension).