Bump to OpenID Federation draft 43

.github/workflows/test.yaml

@@ -210,7 +210,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
-      VERSION: release-v4.1.45
+      VERSION: release-v5.1.35
     steps:
       - uses: actions/checkout@v4
         with:

CONFORMANCE_TEST.md

@@ -14,8 +14,7 @@ Clone the conformance test git repo, build the software and run it.
 ```bash
 git clone https://gitlab.com/openid/conformance-suite.git
 cd conformance-suite
-# Version 4.1.10 has a bug when building
-git checkout release-v4.1.45
+git checkout release-v5.1.35
 MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder
 docker-compose up
 ```

UPGRADE.md

@@ -52,10 +52,15 @@ and optionally a port (as in all previous module versions).
   - signer algorithm
   - entity statement duration
   - organization name
+  - display name
+  - description
+  - keywords
   - contacts
   - logo URI
   - policy URI
-  - homepage URI
+  - information URI
+  - homepage URI (renamed to organization_uri in draft-43)
+  - organization URI
 
 ## Major impact changes
 

config/module_oidc.php.dist

@@ -375,20 +375,20 @@ $config = [
 //        'eyJ...GHg',
     ],
 
-    // (optional) Federation Trust Marks for dynamic fetching. An array of key-value pairs, where key is Trust Mark ID
-    // and value is Trust Mark Issuer ID, each representing a Trust Mark issued to this entity. Each Trust Mark ID
-    // in this array will be dynamically fetched from noted Trust Mark Issuer as necessary. If federation caching
-    // is enabled (recommended), fetched Trust Marks will also be cached until their expiry.
+    // (optional) Federation Trust Marks for dynamic fetching. An array of key-value pairs, where key is Trust Mark Type
+    // and value is Trust Mark Issuer ID, each representing a Trust Mark issued to this entity. Each Trust Mark Type
+    // in this array will be dynamically fetched from the noted Trust Mark Issuer as necessary. If federation
+    // caching is enabled (recommended), fetched Trust Marks will also be cached until their expiry.
     ModuleConfig::OPTION_FEDERATION_DYNAMIC_TRUST_MARKS => [
-//        'trust-mark-id' => 'trust-mark-issuer-id',
+//        'trust-mark-type' => 'trust-mark-issuer-id',
     ],
 
     // (optional) Federation participation limit by Trust Marks. This is an array with the following format:
     // [
     //    'trust-anchor-id' => [
     //         'limit-id' => [
-    //              'trust-mark-id',
-    //              'trust-mark-id-2',
+    //              'trust-mark-type',
+    //              'trust-mark-type-2',
     //          ],
     //     ],
     // ],
@@ -399,13 +399,13 @@ $config = [
         'https://ta.example.org/' => [
             // Entities must have (at least) one Trust Mark from the list below.
             \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::OneOf->value => [
-                'trust-mark-id',
-                'trust-mark-id-2',
+                'trust-mark-type',
+                'trust-mark-type-2',
             ],
             // Entities must have all Trust Marks from the list below.
             \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::AllOf->value => [
-                'trust-mark-id-3',
-                'trust-mark-id-4',
+                'trust-mark-type-3',
+                'trust-mark-type-4',
             ],
         ],
     ],
@@ -471,10 +471,21 @@ $config = [
     // Common federation entity parameters:
     // https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
     ModuleConfig::OPTION_ORGANIZATION_NAME => null,
+    ModuleConfig::OPTION_DISPLAY_NAME => null,
+    ModuleConfig::OPTION_DESCRIPTION => null,
+    ModuleConfig::OPTION_KEYWORDS => [
+        // 'some-keyword',
+    ],
     ModuleConfig::OPTION_CONTACTS => [
         // 'John Doe [email protected]',
     ],
     ModuleConfig::OPTION_LOGO_URI => null,
     ModuleConfig::OPTION_POLICY_URI => null,
+    ModuleConfig::OPTION_INFORMATION_URI => null,
+    ModuleConfig::OPTION_ORGANIZATION_URI => null,
+    /**
+     * @deprecated In Draft-43 of OIDFed specification, metadata claim 'homepage_uri' has been renamed to
+     * 'organization_uri'. Use 'organization_uri' instead.
+     */
     ModuleConfig::OPTION_HOMEPAGE_URI => null,
 ];

locales/en/LC_MESSAGES/oidc.po

@@ -491,7 +491,7 @@ msgstr ""
 msgid "Trust Anchors"
 msgstr ""
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr ""
 
 msgid ""

locales/es/LC_MESSAGES/oidc.po

@@ -491,7 +491,7 @@ msgstr ""
 msgid "Trust Anchors"
 msgstr ""
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr ""
 
 msgid ""

locales/fr/LC_MESSAGES/oidc.po

@@ -491,7 +491,7 @@ msgstr ""
 msgid "Trust Anchors"
 msgstr ""
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr ""
 
 msgid ""

locales/hr/LC_MESSAGES/oidc.po

@@ -525,7 +525,7 @@ msgstr "IDevi sidra povjerenja"
 msgid "Trust Anchors"
 msgstr "Sidra povjerenja"
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr "ID oznake povjerenja"
 
 msgid ""

locales/it/LC_MESSAGES/oidc.po

@@ -491,7 +491,7 @@ msgstr ""
 msgid "Trust Anchors"
 msgstr ""
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr ""
 
 msgid ""

locales/nl/LC_MESSAGES/oidc.po

@@ -459,7 +459,7 @@ msgstr "Vertrouwde anker-ID's"
 msgid "Trust Anchors"
 msgstr "Vertrouw op ankers"
 
-msgid "Trust Mark ID"
+msgid "Trust Mark Type"
 msgstr "Vertrouwensmerk-ID"
 
 msgid "Trust Mark validation passed (there were no warnings or errors during validation)."

src/Controllers/Admin/ConfigController.php

@@ -80,15 +80,15 @@ function (string $token): Federation\TrustMark {
 
         if (is_array($dynamicTrustMarks = $this->moduleConfig->getFederationDynamicTrustMarks())) {
             /**
-             * @var non-empty-string $trustMarkId
+             * @var non-empty-string $trustMarkType
              * @var non-empty-string $trustMarkIssuerId
              */
-            foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) {
+            foreach ($dynamicTrustMarks as $trustMarkType => $trustMarkIssuerId) {
                 $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher()
                     ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId);
 
                 $trustMarks[] = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint(
-                    $trustMarkId,
+                    $trustMarkType,
                     $this->moduleConfig->getIssuer(),
                     $trustMarkIssuerConfigurationStatement,
                 );

src/Controllers/Admin/TestController.php

@@ -32,7 +32,7 @@ public function __construct(
         $this->authorization->requireAdmin(true);
 
         $this->arrayLogger->setWeight(ArrayLogger::WEIGHT_WARNING);
-        // Let's create new Federation instance so we can inject our debug logger and go without cache.
+        // Let's create a new Federation instance so we can inject our debug logger and go without cache.
         $this->federationWithArrayLogger = new Federation(
             supportedAlgorithms: $this->federation->supportedAlgorithms(),
             cache: null,
@@ -114,31 +114,31 @@ public function trustChainResolution(Request $request): Response
 
     public function trustMarkValidation(Request $request): Response
     {
-        $trustMarkId = null;
+        $trustMarkType = null;
         $leafEntityId = null;
         $trustAnchorId = null;
         $isFormSubmitted = false;
 
         if ($request->isMethod(Request::METHOD_POST)) {
             $isFormSubmitted = true;
 
-            !empty($trustMarkId = $request->request->getString('trustMarkId')) ||
-            throw new OidcException('Empty Trust Mark ID.');
+            !empty($trustMarkType = $request->request->getString('trustMarkType')) ||
+            throw new OidcException('Empty Trust Mark Type.');
             !empty($leafEntityId = $request->request->getString('leafEntityId')) ||
             throw new OidcException('Empty leaf entity ID.');
             !empty($trustAnchorId = $request->request->getString('trustAnchorId')) ||
             throw new OidcException('Empty Trust Anchor ID.');
 
             try {
-                // We should not try to validate Trust Marks until we have resolved trust chain between leaf and TA.
+                // We should not try to validate Trust Marks until we have resolved a trust chain between leaf and TA.
                 $trustChain = $this->federation->trustChainResolver()->for(
                     $leafEntityId,
                     [$trustAnchorId],
                 )->getShortest();
 
                 try {
-                    $this->federationWithArrayLogger->trustMarkValidator()->doForTrustMarkId(
-                        $trustMarkId,
+                    $this->federationWithArrayLogger->trustMarkValidator()->doForTrustMarkType(
+                        $trustMarkType,
                         $trustChain->getResolvedLeaf(),
                         $trustChain->getResolvedTrustAnchor(),
                     );
@@ -160,7 +160,7 @@ public function trustMarkValidation(Request $request): Response
         return $this->templateFactory->build(
             'oidc:tests/trust-mark-validation.twig',
             compact(
-                'trustMarkId',
+                'trustMarkType',
                 'leafEntityId',
                 'trustAnchorId',
                 'logMessages',

src/Controllers/Federation/EntityStatementController.php

@@ -88,10 +88,14 @@ public function configuration(): Response
                         ...(array_filter(
                             [
                                 ClaimsEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(),
+                                ClaimsEnum::DisplayName->value => $this->moduleConfig->getDisplayName(),
+                                ClaimsEnum::Description->value => $this->moduleConfig->getDescription(),
+                                ClaimsEnum::Keywords->value => $this->moduleConfig->getKeywords(),
                                 ClaimsEnum::Contacts->value => $this->moduleConfig->getContacts(),
                                 ClaimsEnum::LogoUri->value => $this->moduleConfig->getLogoUri(),
                                 ClaimsEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(),
-                                ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
+                                ClaimsEnum::InformationUri->value => $this->moduleConfig->getInformationUri(),
+                                ClaimsEnum::OrganizationUri->value => $this->moduleConfig->getOrganizationUri(),
                             ],
                         )),
                         ClaimsEnum::FederationFetchEndpoint->value => $this->routes->urlFederationFetch(),
@@ -138,12 +142,12 @@ public function configuration(): Response
                 if ($trustMarkEntity->getSubject() !== $this->moduleConfig->getIssuer()) {
                     throw OidcServerException::serverError(sprintf(
                         'Trust Mark %s is not intended for this entity.',
-                        $trustMarkEntity->getTrustMarkId(),
+                        $trustMarkEntity->getTrustMarkType(),
                     ));
                 }
 
                 return [
-                    ClaimsEnum::TrustMarkId->value => $trustMarkEntity->getTrustMarkId(),
+                    ClaimsEnum::TrustMarkType->value => $trustMarkEntity->getTrustMarkType(),
                     ClaimsEnum::TrustMark->value => $token,
                 ];
             }, $trustMarkTokens);
@@ -154,29 +158,29 @@ public function configuration(): Response
             (!empty($dynamicTrustMarks))
         ) {
             /**
-             * @var non-empty-string $trustMarkId
+             * @var non-empty-string $trustMarkType
              * @var non-empty-string $trustMarkIssuerId
              */
-            foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) {
+            foreach ($dynamicTrustMarks as $trustMarkType => $trustMarkIssuerId) {
                 try {
                     $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher()
                         ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId);
 
                     $trustMarkEntity = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint(
-                        $trustMarkId,
+                        $trustMarkType,
                         $this->moduleConfig->getIssuer(),
                         $trustMarkIssuerConfigurationStatement,
                     );
 
                     $trustMarks[] = [
-                        ClaimsEnum::TrustMarkId->value => $trustMarkId,
+                        ClaimsEnum::TrustMarkType->value => $trustMarkType,
                         ClaimsEnum::TrustMark->value => $trustMarkEntity->getToken(),
                     ];
                 } catch (\Throwable $exception) {
                     $this->loggerService->error(
                         'Error fetching Trust Mark: ' . $exception->getMessage(),
                         [
-                            'trustMarkId' => $trustMarkId,
+                            'trustMarkType' => $trustMarkType,
                             'subjectId' => $this->moduleConfig->getIssuer(),
                             'trustMarkIssuerId' => $trustMarkIssuerId,
                         ],

src/Controllers/Federation/SubordinateListingsController.php

@@ -31,15 +31,16 @@ public function __construct(
 
     public function list(Request $request): Response
     {
-        // If unsupported query parameter is provided, we have to respond with an error: "If the responder does not
+        // If an unsupported query parameter is provided, we have to respond with an error: "If the responder does not
         // support this feature, it MUST use the HTTP status code 400 and the content type application/json, with
         // the error code unsupported_parameter."
 
-        // Currently, we don't support any of the mentioned params in the spec, so let's return error for any of them.
+        // Currently, we don't support any of the mentioned params in the spec, so let's return an error for
+        // any of them.
         $unsupportedParams = [
             ParamsEnum::EntityType->value,
             ParamsEnum::TrustMarked->value,
-            ParamsEnum::TrustMarkId->value,
+            ParamsEnum::TrustMarkType->value,
             ParamsEnum::Intermediate->value,
         ];