OpenID Federation Policies

In OpenID Federation, policies (specifically called metadata policies) are rules that govern the acceptable values or constraints for the metadata parameters of entities (such as OpenID Providers or Relying Parties) within a federation. These policies ensure interoperability, security, and compliance across the federation.

Federation Policy Definition

Policies are defined by federation authorities, such as trust anchors (the root authority of a federation), or by intermediate authorities (entities delegated by the trust anchor to manage subsets of the federation).

Policies are included in the federation's entity statements, specifically in the metadata_policy claim of these statements. They are expressed as JSON objects that map entity types (such as openid_relying_party or openid_provider) to parameter-level rules.

Example snippet:

{
  "metadata_policy": {
    "openid_provider": {
      "id_token_signing_alg_values_supported": {
        "subset_of": ["RS256", "ES256", "ES384"]
      },
      "subject_types_supported": {
        "value": ["pairwise"]
      },
      "op_policy_uri": {
        "regexp": "^https:\\/\\/[\\w-]+\\.example\\.com\\/[\\w-]+\\.html"
      }
    },
    "openid_relying_party": {
      "grant_types": {
        "subset_of": ["authorization_code", "client_credentials"]
      },
      "token_endpoint_auth_method": {
        "one_of": ["private_key_jwt", "self_signed_tls_client_auth"]
      },
      "subject_type": {
        "value": "pairwise"
      },
      "sector_identifier_uri": {
        "value": "https://org.example.com/sector-ids.json"
      }
    }
  }
}

Each policy targets a specific metadata parameter and uses operators (such as value, one_of, and default) to define constraints. There are seven standard operators, but a federation can define custom ones if needed.

Federation Policy Enforcement

Policies are enforced during the trust chain resolution process. This process occurs whenever an entity (e.g., a Relying Party) needs to validate the trustworthiness and configuration of another entity (e.g., an OpenID Provider) before interaction.

The trust chain is built by collecting entity statements from the trust anchor down to the target entity. The resolution process applies all relevant policies in hierarchical order, starting from the most superior (trust anchor) down to intermediaries, and finally to the entity itself. Each policy is validated for compliance. If any entity’s metadata does not conform to the effective (resolved) policy, or if there are conflicting policies, the trust chain is considered invalid and trust is not established.
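The operator semantics from the definition section, applied to a leaf entity's metadata as the enforcement step above describes, as an added Python example that is not code from the original page or from any OpenID Federation implementation. It covers the seven standard operators (the subset_of intersection rule and the operator ordering reflect the example author's reading of the specification and are assumptions here) plus the page's regexp operator, treated as a federation-defined custom operator; the names apply_metadata_policy, apply_parameter_policy and PolicyViolation are chosen for this example.

```python
import re
from typing import Any

# Implements the seven standard operators plus "regexp", which the snippet
# above uses and which is treated here as a federation-defined custom operator.

class PolicyViolation(Exception):
    """Raised when an entity's metadata cannot satisfy the resolved policy."""

def apply_parameter_policy(name: str, ops: dict, value: Any, present: bool):
    """Apply one parameter's operators; return (present, resolved_value)."""
    # Modifying operators first (value, add, default), then checking operators.
    if "value" in ops:
        present, value = True, ops["value"]
    if "add" in ops:
        current = list(value) if present else []
        present, value = True, current + [v for v in ops["add"] if v not in current]
    if "default" in ops and not present:
        present, value = True, ops["default"]
    if present and "one_of" in ops and value not in ops["one_of"]:
        raise PolicyViolation(f"{name}={value!r} is not one of {ops['one_of']}")
    if present and "subset_of" in ops:
        # Assumed semantics: keep only the permitted values; an empty
        # intersection removes the parameter from the resolved metadata.
        value = [v for v in value if v in ops["subset_of"]]
        present = bool(value)
    if present and "superset_of" in ops:
        missing = [v for v in ops["superset_of"] if v not in value]
        if missing:
            raise PolicyViolation(f"{name} lacks required values {missing}")
    if present and "regexp" in ops and not re.search(ops["regexp"], str(value)):
        raise PolicyViolation(f"{name}={value!r} does not match {ops['regexp']!r}")
    if ops.get("essential") and not present:
        raise PolicyViolation(f"{name} is essential but absent")
    return present, value

def apply_metadata_policy(policy: dict, metadata: dict) -> dict:
    """Resolve one entity type's metadata against its metadata_policy; a
    PolicyViolation here means the trust chain resolver must reject the chain."""
    resolved = dict(metadata)
    for name, ops in policy.items():
        present, value = apply_parameter_policy(name, ops, metadata.get(name), name in metadata)
        if present:
            resolved[name] = value
        else:
            resolved.pop(name, None)
    return resolved
```

Feeding the snippet's openid_relying_party policy an RP that advertises grant_types ["authorization_code", "implicit"] and subject_type "public" yields grant_types ["authorization_code"], subject_type "pairwise" and the federation's sector_identifier_uri, while an RP using client_secret_basic raises PolicyViolation.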