Attribute Authority Metadata
An AA MUST publish in its EC (Entity Configuration) a federation_entity Metadata and an oauth_resource Metadata; if its resources are protected, it MUST also publish an oauth_authorization_server Metadata.
```json
{
  "metadata": {
    "federation_entity": {
      ...
    },
    "oauth_authorization_server": {
      ...
    },
    "oauth_resource": {
      ...
    }
  }
}
```
The AA Metadata of type "federation_entity" MUST contain at least the following mandatory parameters:
| Claim | Description | Supported by |
|---|---|---|
| organization_name | See OIDC-FED Section 4.8 | |
| homepage_uri | See OIDC-FED Section 4.8 | |
| policy_uri | See OIDC-FED Section 4.8 | |
| logo_uri | URL of the entity's logo; it MUST be in SVG format. See OIDC-FED Section 4.8 | |
| contacts | Institutional certified email address (PEC) of the entity. See OIDC-FED Section 4.8 | |
| federation_trust_mark_status_endpoint | See Section Federation Endpoint and OIDC-FED Section 4.8 | |
| federation_resolve_endpoint | See Section Federation Endpoint and OIDC-FED Section 4.8 | |
The AA Metadata of type "oauth_authorization_server" MUST contain at least the following mandatory parameters:
| Claim | Description | Supported by |
|---|---|---|
| issuer | See RFC 8414, Section 2. It MUST contain an HTTPS URL that uniquely identifies the AA. | |
| authorization_endpoint | Only for the Attribute Authority private flow. See LG-AA and RFC 8414, Section 2. | |
| token_endpoint | See RFC 8414, Section 2. | |
| jwks | See JWK. | |
| scopes_supported | See RFC 8414, Section 2. | |
| response_types_supported | See RFC 8414, Section 2. | |
| grant_types_supported | See RFC 8414, Section 2 and RFC 8623. | |
| token_endpoint_auth_methods_supported | See RFC 8414, Section 2. The only supported value is private_key_jwt. | |
| token_endpoint_auth_signing_alg_values_supported | See RFC 8414, Section 2. See the signature algorithms in Section Cryptographic algorithms. | |
| op_policy_uri | See RFC 8414, Section 2. | |
| op_tos_uri | See RFC 8414, Section 2. | |
| dpop_signing_alg_values_supported | See OAuth-DPoP. See the signature algorithms in Section Cryptographic algorithms. | |
The AA Metadata of type "oauth_resource" MUST contain at least the following mandatory parameters:
| Claim | Description | Supported by |
|---|---|---|
| resource | See OAuth-RS. One or more HTTPS URLs that identify the endpoints of the protected resources. | |
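As an added example (not part of this specification or of any reference implementation), the following Python checker verifies that an AA Entity Configuration carries the three metadata types and the mandatory claims listed in the tables above, plus the constraints the tables state (HTTPS issuer, SVG logo, private_key_jwt, HTTPS resource URLs). The sample EC and all its URLs are constructed placeholders.

```python
from urllib.parse import urlparse
# Mandatory claims per metadata type, as listed in the tables above.
REQUIRED = {
    "federation_entity": ["organization_name", "homepage_uri", "policy_uri", "logo_uri",
        "contacts", "federation_trust_mark_status_endpoint", "federation_resolve_endpoint"],
    "oauth_authorization_server": ["issuer", "token_endpoint", "jwks", "scopes_supported",
        "response_types_supported", "grant_types_supported", "op_policy_uri", "op_tos_uri",
        "token_endpoint_auth_methods_supported", "dpop_signing_alg_values_supported",
        "token_endpoint_auth_signing_alg_values_supported"],
    "oauth_resource": ["resource"],
}

def _https(url):
    p = urlparse(str(url))
    return p.scheme == "https" and bool(p.netloc)

def check_aa_metadata(ec, protected=True):
    """Return the problems found in ec["metadata"] (empty list = compliant); with
    protected=False the oauth_authorization_server block is not mandatory."""
    md, problems = ec.get("metadata", {}), []
    for mtype, claims in REQUIRED.items():
        if mtype == "oauth_authorization_server" and not protected:
            continue
        block = md.get(mtype)
        if not isinstance(block, dict):
            problems.append(f"missing metadata type {mtype}")
            continue
        problems += [f"{mtype}: missing {c}" for c in claims if c not in block]
    fe, aas, rs = (md.get(k, {}) for k in REQUIRED)
    # Extension check only; a real validator would fetch the logo and inspect it.
    if "logo_uri" in fe and not str(fe["logo_uri"]).lower().endswith(".svg"):
        problems.append("federation_entity: logo_uri is not an SVG")
    if "issuer" in aas and not _https(aas["issuer"]):
        problems.append("oauth_authorization_server: issuer is not an HTTPS URL")
    methods = aas.get("token_endpoint_auth_methods_supported")
    if methods is not None and "private_key_jwt" not in methods:
        problems.append("oauth_authorization_server: private_key_jwt not supported")
    res = rs.get("resource", [])
    for r in ([res] if isinstance(res, str) else res):
        if not _https(r):
            problems.append(f"oauth_resource: resource {r!r} is not an HTTPS URL")
    return problems

# Constructed sample EC: one placeholder value per mandatory claim, not a real entity.
SAMPLE_EC = {"metadata": {t: {c: f"https://aa.example/{c}" for c in cs} for t, cs in REQUIRED.items()}}
SAMPLE_EC["metadata"]["federation_entity"]["logo_uri"] = "https://aa.example/logo.svg"
SAMPLE_EC["metadata"]["oauth_authorization_server"].update(
    issuer="https://aa.example", token_endpoint_auth_methods_supported=["private_key_jwt"])
SAMPLE_EC["metadata"]["oauth_resource"]["resource"] = ["https://aa.example/attributes"]
```

Calling `check_aa_metadata(SAMPLE_EC)` returns an empty list; an EC fetched from a real AA would be checked the same way after its signature and trust chain have been validated.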