6 changes: 3 additions & 3 deletions openid-federation-entity-collection-1_0.md
Expand Up @@ -158,14 +158,14 @@ If this parameter is present, the number of results in the returned list MUST NO
If this parameter is not present the server MUST fall back on the upper limit, as described in [Response Limits](#response-limits).
If the responder does not support this feature, it MUST return an error response with the error code `unsupported_parameter` as defined in [Error Response Format](#error-response-format).

- **trust_anchor**: (REQUIRED) The Trust Anchor that the collection endpoint MUST use when collecting Entities. The value is an Entity Identifier.

- **entity_type**: (OPTIONAL) The value of this parameter is an Entity Type Identifier. The result MUST be filtered to include only those entities that include the specified Entity Type. When multiple `entity_type` parameters are present, for example `entity_type=openid_provider&entity_type=openid_relying_party`, the result MUST be filtered to include all Entities that include any of the specified Entity Types.
If the responder does not support this feature, it MUST return an error response with the error code `unsupported_parameter` as defined in [Error Response Format](#error-response-format).

- **trust_mark_type**: (OPTIONAL) The value of this parameter is a Trust Mark Type Identifier. The result MUST be filtered to include only Entities that publish a Trust Mark of this Trust Mark Type in their Entity Configuration and that Trust Mark MUST be verified by the responder. The responder SHOULD verify the Trust Mark using the same Trust Anchor that is used to collect the Entities. When multiple `trust_mark_type` parameters are present, the result MUST be filtered to include only Entities that have a Trust Mark for all the specified Trust Mark Types.
If the responder does not support this feature, it MUST return an error response with the error code `unsupported_parameter` as defined in [Error Response Format](#error-response-format).

- **trust_anchor**: (RECOMMENDED) The Trust Anchor that the collection endpoint MUST use when collecting Entities. The value is an Entity Identifier. If omitted, the responder sets this parameter to its own Entity Identifier. If the responder does not have a defined Entity Identifier, it MUST return an error response with the error code `invalid_request` as defined in [Error Response Format](#error-response-format). If the requested Trust Anchor is not supported by the responder, it MUST return an error response with the error code `invalid_trust_anchor` as defined in [Error Response Format](#error-response-format).

- **query**: (OPTIONAL) The value of this parameter is used by the responder to
filter down the list of returned Entities to only entities that match this
parameter value. It is entirely up to the responder to define when an Entity
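
Review bot: The REQUIRED `trust_anchor` bullet at the top of this hunk defines no error behaviour. The RECOMMENDED wording lower in the hunk named `invalid_trust_anchor` for a Trust Anchor the responder does not support, and the REQUIRED wording has no counterpart for that case, nor does it say what the responder returns when the parameter is absent. Suggest carrying over the sentence "If the requested Trust Anchor is not supported by the responder, it MUST return an error response with the error code `invalid_trust_anchor`" and naming the error code for a request without `trust_anchor`, in the same form the `entity_type` and `trust_mark_type` bullets use for `unsupported_parameter`.
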
Expand Down Expand Up @@ -305,7 +305,6 @@ If the request was malformed or an error occurred during the processing of the r

- **error**: (REQUIRED) Error codes in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Parameters] MAY be used. In particular, these existing error codes are used by this specification:
- **unsupported_parameter**: The server does not support a requested parameter. The HTTP response status code SHOULD be 400 (Bad Request).
- **invalid_request**: The request is incomplete or does not comply with current specifications. The HTTP response status code SHOULD be 400 (Bad Request).
<br/>
In addition the following error codes defined by this specification MAY be used:
- **page_not_found**: The pagination pointer provided in the `from` parameter is not or no longer known to the responder. The HTTP response status code SHOULD be 404 (Not Found).
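
Review bot: The list of existing error codes under **error** may be left without an entry for a request that omits the now-REQUIRED `trust_anchor`. The hunk header shows the section shrinking by one line (7 to 6); if the dropped line is the `invalid_request` entry, its description ("The request is incomplete or does not comply with current specifications") is exactly the missing-parameter case. Suggest keeping `invalid_request` in this list, or stating here which listed code a responder returns when a REQUIRED parameter is absent.
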
Expand Down Expand Up @@ -628,6 +627,7 @@ and the Geant Trust & Identity Incubator of Geant5-2.
-01

* Clarified the description of the `last_updated` response field to specify that it refers to when the responder last traversed or refreshed its federation entity collection.
* Make the `trust_anchor` parameter REQUIRED.
* Added references to Entity Info and Entity Type UI Info sections in `entity_claims` and `ui_claims` parameter descriptions.
* Added `unsupported_claim` error code for unsupported claims in `entity_claims` and `ui_claims` parameters.
* Added examples demonstrating `entity_claims` and `ui_claims` parameter usage.
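
Review bot: The changelog entry "Make the `trust_anchor` parameter REQUIRED." is in the imperative while every neighbouring entry under -01 is past tense ("Clarified", "Added"); suggest "Made the `trust_anchor` parameter REQUIRED." Since the RECOMMENDED wording allowed the parameter to be omitted, with the responder falling back to its own Entity Identifier, the entry should also say that this fallback was removed, so implementers reading the history see the behavioural change.
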