Today the OpenID Connect Working Group started a two-week Working Group Last Call (WGLC) for the OpenID Federation 1.0 specification. During the two weeks ending on December 4, 2025, working group members will identify any issues that they believe should be addressed before it becomes final. Of course, responses of the form “It’s ready to go as it is” are welcome too!
Draft 45 of the OpenID Federation specification, which was published today, is the target of the WGLC review. It adds two features motivated by the security analysis of the last Implementer’s Draft. They are:
peer_trust_chainheader parameter: This enables an RP to provide a Trust Chain from the OP it is establishing trust with to the Trust Anchor that it selected at registration time. This works with both Automatic Registration and Explicit Registration and can be used in other trust establishment regimes. When a Trust Chain is also provided from the RP to the same Trust Anchor, together these enable a property called Federation Integrity, which is described in How to link an application protocol to an OpenID Federation 1.0 trust layer.trust_anchor_hintsclaim: This enables Entities to publish the Trust Anchors that they are configured to trust. This can facilitate determining what Trust Anchors are shared between parties.
It also contains several important editorial improvements, including organizing the Entity Statement claims by where they may and may not appear. The changes made in -45 are detailed in the Document History section.
Thanks to all who helped us reach this point! Nearly done…
1 Pingback