Resolve endpoint returns incomplete trust_chain #309

tobiaspc · 2024-02-28T17:38:14Z

Expected Behavior

Resolve endpoint responds with a complete trust chain that conforms to the specification.

Current Behavior

Resolve endpoint responds with a trust chain that only contains entity configurations. Entity statements are missing.

Possible Solution

We resolved the issue in our test setup by removing a single continue statement, see here.

Steps to Reproduce

Set up the testbed using our fork with slightly adapted configuration.
Note that the resolve endpoint is publicly accessible because we removed the StaffToken check, see here.
Use the resolve endpoint of the OP to request a trust chain from the OP itself to the trust anchor:
curl "http://op.a-wayf.local:8002/oidc/op/resolve?sub=http://op.a-wayf.local:8002/oidc/op&anchor=http://ta.a-wayf.local:8000"
Invalid response: will add if needed
Valid response, with our solution applied, so the whole chain with three JWTs is returned:

Resolve response

{
  "iss": "http://op.a-wayf.local:8002/oidc/op",
  "sub": "http://op.a-wayf.local:8002/oidc/op",
  "iat": 1709036716,
  "exp": 1709133083,
  "trust_marks": [],
  "metadata": {
    "federation_entity": {
      "federation_resolve_endpoint": "http://op.a-wayf.local:8002/oidc/op/resolve",
      "organization_name": "CIE OIDC identity provider",
      "homepage_uri": "http://op.a-wayf.local:8002",
      "policy_uri": "http://op.a-wayf.local:8002/oidc/op/en/website/legal-information",
      "logo_uri": "http://op.a-wayf.local:8002/static/svg/logo-cie.svg",
      "contacts": [
        "[email protected]"
      ]
    },
    "openid_provider": {
      "authorization_endpoint": "http://op.a-wayf.local:8002/oidc/op/authorization",
      "revocation_endpoint": "http://op.a-wayf.local:8002/oidc/op/revocation",
      "id_token_encryption_alg_values_supported": [
        "RSA-OAEP"
      ],
      "id_token_encryption_enc_values_supported": [
        "A128CBC-HS256"
      ],
      "token_endpoint": "http://op.a-wayf.local:8002/oidc/op/token",
      "userinfo_endpoint": "http://op.a-wayf.local:8002/oidc/op/userinfo",
      "introspection_endpoint": "http://op.a-wayf.local:8002/oidc/op/introspection",
      "claims_parameter_supported": true,
      "contacts": [
        "ops@https://idp.it"
      ],
      "code_challenge_methods_supported": [
        "S256"
      ],
      "client_registration_types_supported": [
        "automatic"
      ],
      "request_authentication_methods_supported": {
        "ar": [
          "request_object"
        ]
      },
      "acr_values_supported": [
        "https://www.spid.gov.it/SpidL1",
        "https://www.spid.gov.it/SpidL2",
        "https://www.spid.gov.it/SpidL3"
      ],
      "claims_supported": [
        "given_name",
        "family_name",
        "birthdate",
        "gender",
        "phone_number",
        "https://attributes.eid.gov.it/fiscal_number",
        "phone_number_verified",
        "email",
        "address",
        "document_details",
        "https://attributes.eid.gov.it/physical_phone_number"
      ],
      "grant_types_supported": [
        "authorization_code",
        "refresh_token"
      ],
      "id_token_signing_alg_values_supported": [
        "RS256",
        "ES256"
      ],
      "issuer": "http://op.a-wayf.local:8002/oidc/op",
      "jwks_uri": "http://op.a-wayf.local:8002/oidc/op/openid_provider/jwks.json",
      "signed_jwks_uri": "http://op.a-wayf.local:8002/oidc/op/openid_provider/jwks.jose",
      "jwks": {
        "keys": [
          {
            "kty": "RSA",
            "use": "sig",
            "e": "AQAB",
            "n": "rJoSYv1stwlbM11tR9SYGIJuzqlJe2bv2N35oPRbwV_epjNWvGG2ZqEj53YFMC8AMZNFhuLa_LNwr1kLVE-jXQe8xjiLhe7DgMf1OnSzq9yAEXVo19BPBwkgJe2jp9HIgM_nfbIsUbSSkFAM2CKvGb0Bk2GvvqXZ12P-fpbVyA9hIQr6rNTqnCGx2-v4oViGG4u_3iTw7D1ZvLWmrmZOaKnDAqG3MJSdQ-2ggQ-Aiahg48si9C9D_JgnBV9tJ2eCS58ZC6kVG5sftElQVdH6e26mz464TZj5QgCwZCTsAQfIvBoXSdCKxpnvsFfrajz4q9BiXAryxIOl5fLmCFVNhw",
            "kid": "Pd2N9-TZz_AWS3GFCkoYdRaXXls8YPhx_d_Ez7JwjQI"
          }
        ]
      },
      "scopes_supported": [
        "openid",
        "offline_access"
      ],
      "logo_uri": "http://op.a-wayf.local:8002/static/images/logo-cie.png",
      "organization_name": "SPID OIDC identity provider",
      "op_policy_uri": "http://op.a-wayf.local:8002/oidc/op/en/website/legal-information",
      "request_parameter_supported": true,
      "request_uri_parameter_supported": true,
      "require_request_uri_registration": true,
      "response_types_supported": [
        "code"
      ],
      "response_modes_supported": [
        "query",
        "form_post"
      ],
      "subject_types_supported": [
        "pairwise",
        "public"
      ],
      "token_endpoint_auth_methods_supported": [
        "private_key_jwt"
      ],
      "token_endpoint_auth_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512"
      ],
      "userinfo_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256"
      ],
      "userinfo_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "userinfo_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512"
      ],
      "request_object_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA-OAEP-256"
      ],
      "request_object_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "request_object_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512"
      ]
    }
  },
  "trust_chain": [
    "eyJ0eXAiOiJlbnRpdHktc3RhdGVtZW50K2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiWmhTb2FPZWRWT3NCdzZtMnZjbHdTV2lxcW5HZU9TdFQtZ1VjbG90XzY3dyJ9.eyJleHAiOjE3MDkzMDM5MDMsImlhdCI6MTcwOTEzMTEwMywiaXNzIjoiaHR0cDovL29wLmEtd2F5Zi5sb2NhbDo4MDAyL29pZGMvb3AiLCJzdWIiOiJodHRwOi8vb3AuYS13YXlmLmxvY2FsOjgwMDIvb2lkYy9vcCIsImp3a3MiOnsia2V5cyI6W3sia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJuIjoidGczYUU5ZmQ2bHRYek5yaW1fNENHS1lXZkMzbnFjX3R2NFhqYXc0NzNDY3JmaXFEemVUS0hmUmZidmJxYjFEd21JNGZ2Q09pNTFFVmNtS0xuVGh6WHluQVVweVV2c3d2TDhfdXpnRFdPMVJTbUJHMUwwUkUtQ2tLaWg0a2VYaDFrdTloTnMxX1YtODJkSzVvTE9SLVZKTG5oWkNxVGhSNEhINlRxTGpqV3JyWGZzSFZSdmF1SmlsWDZGeEdiNUpGb2MyN1Z4eGRIMmM2UDJTSEM5d3VCOHRuZkc3T1NyU0QxZzJoN2xUWGJJZm03OGEwb3A2N2RfanVwemtvS29DVG16a1IyenZ3VFZWRGQ5OXZrRExZMldYbWI4aEl3RzZkUVpYWWxraHFBWUt6VHVUWjB0alZoME9ycWZEeFl0TEgzd1F6emFKT1Jld1pZcUx5QjA5UDh3Iiwia2lkIjoiWmhTb2FPZWRWT3NCdzZtMnZjbHdTV2lxcW5HZU9TdFQtZ1VjbG90XzY3dyJ9XX0sIm1ldGFkYXRhIjp7ImZlZGVyYXRpb25fZW50aXR5Ijp7ImZlZGVyYXRpb25fcmVzb2x2ZV9lbmRwb2ludCI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL3Jlc29sdmUiLCJvcmdhbml6YXRpb25fbmFtZSI6IkNJRSBPSURDIGlkZW50aXR5IHByb3ZpZGVyIiwiaG9tZXBhZ2VfdXJpIjoiaHR0cDovL29wLmEtd2F5Zi5sb2NhbDo4MDAyIiwicG9saWN5X3VyaSI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL2VuL3dlYnNpdGUvbGVnYWwtaW5mb3JtYXRpb24iLCJsb2dvX3VyaSI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9zdGF0aWMvc3ZnL2xvZ28tY2llLnN2ZyIsImNvbnRhY3RzIjpbInRlY2hAZXhhbXBsZS5pdCJdfSwib3BlbmlkX3Byb3ZpZGVyIjp7ImF1dGhvcml6YXRpb25fZW5kcG9pbnQiOiJodHRwOi8vb3AuYS13YXlmLmxvY2FsOjgwMDIvb2lkYy9vcC9hdXRob3JpemF0aW9uIiwicmV2b2NhdGlvbl9lbmRwb2ludCI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL3Jldm9jYXRpb24iLCJpZF90b2tlbl9lbmNyeXB0aW9uX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIlJTQS1PQUVQIl0sImlkX3Rva2VuX2VuY3J5cHRpb25fZW5jX3ZhbHVlc19zdXBwb3J0ZWQiOlsiQTEyOENCQy1IUzI1NiJdLCJ0b2tlbl9lbmRwb2ludCI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL3Rva2VuIiwidXNlcmluZm9fZW5kcG9pbnQiOiJodHRwOi8vb3AuYS13YXlmLmxvY2FsOjgwMDIvb2lkYy9vcC91c2VyaW5mbyIsImludHJvc3BlY3Rpb25fZW5kcG9pbnQiOiJodHRwOi8vb3AuYS13YXlmLmxvY2FsOjgwMDIvb2lkYy9vcC9pbnRyb3NwZWN0aW9uIiwiY2xhaW1zX3BhcmFtZXRlcl9zdXBwb3J0ZWQiOnRydWUsImNvbnRhY3RzIjpbIm9wc0BodHRwczovL2lkcC5pdCJdLCJjb2RlX2NoYWxsZW5nZV9tZXRob2RzX3N1cHBvcnRlZCI6WyJTMjU2Il0sImNsaWVudF9yZWdpc3RyYXRpb25fdHlwZXNfc3VwcG9ydGVkIjpbImF1dG9tYXRpYyJdLCJyZXF1ZXN0X2F1dGhlbnRpY2F0aW9uX21ldGhvZHNfc3VwcG9ydGVkIjp7ImFyIjpbInJlcXVlc3Rfb2JqZWN0Il19LCJhY3JfdmFsdWVzX3N1cHBvcnRlZCI6WyJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9TcGlkTDEiLCJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9TcGlkTDIiLCJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9TcGlkTDMiXSwiY2xhaW1zX3N1cHBvcnRlZCI6WyJnaXZlbl9uYW1lIiwiZmFtaWx5X25hbWUiLCJiaXJ0aGRhdGUiLCJnZW5kZXIiLCJwaG9uZV9udW1iZXIiLCJodHRwczovL2F0dHJpYnV0ZXMuZWlkLmdvdi5pdC9maXNjYWxfbnVtYmVyIiwicGhvbmVfbnVtYmVyX3ZlcmlmaWVkIiwiZW1haWwiLCJhZGRyZXNzIiwiZG9jdW1lbnRfZGV0YWlscyIsImh0dHBzOi8vYXR0cmlidXRlcy5laWQuZ292Lml0L3BoeXNpY2FsX3Bob25lX251bWJlciJdLCJncmFudF90eXBlc19zdXBwb3J0ZWQiOlsiYXV0aG9yaXphdGlvbl9jb2RlIiwicmVmcmVzaF90b2tlbiJdLCJpZF90b2tlbl9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIlJTMjU2IiwiRVMyNTYiXSwiaXNzdWVyIjoiaHR0cDovL29wLmEtd2F5Zi5sb2NhbDo4MDAyL29pZGMvb3AiLCJqd2tzX3VyaSI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL29wZW5pZF9wcm92aWRlci9qd2tzLmpzb24iLCJzaWduZWRfandrc191cmkiOiJodHRwOi8vb3AuYS13YXlmLmxvY2FsOjgwMDIvb2lkYy9vcC9vcGVuaWRfcHJvdmlkZXIvandrcy5qb3NlIiwiandrcyI6eyJrZXlzIjpbeyJrdHkiOiJSU0EiLCJ1c2UiOiJzaWciLCJlIjoiQVFBQiIsIm4iOiJySm9TWXYxc3R3bGJNMTF0UjlTWUdJSnV6cWxKZTJidjJOMzVvUFJid1ZfZXBqTld2R0cyWnFFajUzWUZNQzhBTVpORmh1TGFfTE53cjFrTFZFLWpYUWU4eGppTGhlN0RnTWYxT25TenE5eUFFWFZvMTlCUEJ3a2dKZTJqcDlISWdNX25mYklzVWJTU2tGQU0yQ0t2R2IwQmsyR3Z2cVhaMTJQLWZwYlZ5QTloSVFyNnJOVHFuQ0d4Mi12NG9WaUdHNHVfM2lUdzdEMVp2TFdtcm1aT2FLbkRBcUczTUpTZFEtMmdnUS1BaWFoZzQ4c2k5QzlEX0pnbkJWOXRKMmVDUzU4WkM2a1ZHNXNmdEVsUVZkSDZlMjZtejQ2NFRaajVRZ0N3WkNUc0FRZkl2Qm9YU2RDS3hwbnZzRmZyYWp6NHE5QmlYQXJ5eElPbDVmTG1DRlZOaHciLCJraWQiOiJQZDJOOS1UWnpfQVdTM0dGQ2tvWWRSYVhYbHM4WVBoeF9kX0V6N0p3alFJIn1dfSwic2NvcGVzX3N1cHBvcnRlZCI6WyJvcGVuaWQiLCJvZmZsaW5lX2FjY2VzcyJdLCJsb2dvX3VyaSI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9zdGF0aWMvaW1hZ2VzL2xvZ28tY2llLnBuZyIsIm9yZ2FuaXphdGlvbl9uYW1lIjoiU1BJRCBPSURDIGlkZW50aXR5IHByb3ZpZGVyIiwib3BfcG9saWN5X3VyaSI6Imh0dHA6Ly9vcC5hLXdheWYubG9jYWw6ODAwMi9vaWRjL29wL2VuL3dlYnNpdGUvbGVnYWwtaW5mb3JtYXRpb24iLCJyZXF1ZXN0X3BhcmFtZXRlcl9zdXBwb3J0ZWQiOnRydWUsInJlcXVlc3RfdXJpX3BhcmFtZXRlcl9zdXBwb3J0ZWQiOnRydWUsInJlcXVpcmVfcmVxdWVzdF91cmlfcmVnaXN0cmF0aW9uIjp0cnVlLCJyZXNwb25zZV90eXBlc19zdXBwb3J0ZWQiOlsiY29kZSJdLCJyZXNwb25zZV9tb2Rlc19zdXBwb3J0ZWQiOlsicXVlcnkiLCJmb3JtX3Bvc3QiXSwic3ViamVjdF90eXBlc19zdXBwb3J0ZWQiOlsicGFpcndpc2UiLCJwdWJsaWMiXSwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZXRob2RzX3N1cHBvcnRlZCI6WyJwcml2YXRlX2tleV9qd3QiXSwidG9rZW5fZW5kcG9pbnRfYXV0aF9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIlJTMjU2IiwiUlMzODQiLCJSUzUxMiIsIkVTMjU2IiwiRVMzODQiLCJFUzUxMiJdLCJ1c2VyaW5mb19lbmNyeXB0aW9uX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIlJTQS1PQUVQIiwiUlNBLU9BRVAtMjU2Il0sInVzZXJpbmZvX2VuY3J5cHRpb25fZW5jX3ZhbHVlc19zdXBwb3J0ZWQiOlsiQTEyOENCQy1IUzI1NiIsIkExOTJDQkMtSFMzODQiLCJBMjU2Q0JDLUhTNTEyIiwiQTEyOEdDTSIsIkExOTJHQ00iLCJBMjU2R0NNIl0sInVzZXJpbmZvX3NpZ25pbmdfYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiUlMyNTYiLCJSUzM4NCIsIlJTNTEyIiwiRVMyNTYiLCJFUzM4NCIsIkVTNTEyIl0sInJlcXVlc3Rfb2JqZWN0X2VuY3J5cHRpb25fYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiUlNBLU9BRVAiLCJSU0EtT0FFUC0yNTYiXSwicmVxdWVzdF9vYmplY3RfZW5jcnlwdGlvbl9lbmNfdmFsdWVzX3N1cHBvcnRlZCI6WyJBMTI4Q0JDLUhTMjU2IiwiQTE5MkNCQy1IUzM4NCIsIkEyNTZDQkMtSFM1MTIiLCJBMTI4R0NNIiwiQTE5MkdDTSIsIkEyNTZHQ00iXSwicmVxdWVzdF9vYmplY3Rfc2lnbmluZ19hbGdfdmFsdWVzX3N1cHBvcnRlZCI6WyJSUzI1NiIsIlJTMzg0IiwiUlM1MTIiLCJFUzI1NiIsIkVTMzg0IiwiRVM1MTIiXX19LCJhdXRob3JpdHlfaGludHMiOlsiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwIl19.Zuh9FJUvJ3fR6wxloFicGSiC1nyN071xV3TpUhbMjYbxwrCmHsKNxA7Ys0Djyfx9k1um8IAnEy1G759DTlhx-3xW1LN9x1-kb7DEG4A8BJ2oMuB28xZ-kZFzARtyyWBVzaxkDzmEaHVZHXj248dFId6fNkqS--fosPBAYSMceDeT-pAT7K0KfjLY5Idk8-JNkIMOYC68iw8dHpYGCWGkuFBqeIkMDM3lULHd6HaiVR0uehQAji-Pax0ZS3HBk25mjHwjOVSIUfpS3KM-GZp-bI2bcfodw7Tffp4JVDF9jaIhAckppurO2zDsfvDKUF17ScMoY4dJp3P6e2RlWDI0wQ",
    "eyJ0eXAiOiJlbnRpdHktc3RhdGVtZW50K2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiQlh2ZnJsbmhBTXVIUjA3YWpVbUFjQlJRY1N6bXcwY19SQWdKbnBTLTlXUSJ9.eyJleHAiOjE3MDkzMDM5MDMsImlhdCI6MTcwOTEzMTEwMywiaXNzIjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwIiwic3ViIjoiaHR0cDovL29wLmEtd2F5Zi5sb2NhbDo4MDAyL29pZGMvb3AiLCJqd2tzIjp7ImtleXMiOlt7Imt0eSI6IlJTQSIsIm4iOiJ0ZzNhRTlmZDZsdFh6TnJpbV80Q0dLWVdmQzNucWNfdHY0WGphdzQ3M0NjcmZpcUR6ZVRLSGZSZmJ2YnFiMUR3bUk0ZnZDT2k1MUVWY21LTG5UaHpYeW5BVXB5VXZzd3ZMOF91emdEV08xUlNtQkcxTDBSRS1Da0tpaDRrZVhoMWt1OWhOczFfVi04MmRLNW9MT1ItVkpMbmhaQ3FUaFI0SEg2VHFMampXcnJYZnNIVlJ2YXVKaWxYNkZ4R2I1SkZvYzI3Vnh4ZEgyYzZQMlNIQzl3dUI4dG5mRzdPU3JTRDFnMmg3bFRYYklmbTc4YTBvcDY3ZF9qdXB6a29Lb0NUbXprUjJ6dndUVlZEZDk5dmtETFkyV1htYjhoSXdHNmRRWlhZbGtocUFZS3pUdVRaMHRqVmgwT3JxZkR4WXRMSDN3UXp6YUpPUmV3WllxTHlCMDlQOHciLCJlIjoiQVFBQiIsImtpZCI6IlpoU29hT2VkVk9zQnc2bTJ2Y2x3U1dpcXFuR2VPU3RULWdVY2xvdF82N3cifV19LCJtZXRhZGF0YV9wb2xpY3kiOnsib3BlbmlkX3Byb3ZpZGVyIjp7fX0sInNvdXJjZV9lbmRwb2ludCI6Imh0dHA6Ly90YS5hLXdheWYubG9jYWw6ODAwMC9mZXRjaCIsInRydXN0X21hcmtzIjpbeyJpZCI6Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L29wZW5pZC1mZWRlcmF0aW9uL2FncmVlbWVudC9vcC1wdWJsaWMiLCJ0cnVzdF9tYXJrIjoiZXlKMGVYQWlPaUowY25WemRDMXRZWEpySzJwM2RDSXNJbUZzWnlJNklsSlRNalUySWl3aWEybGtJam9pUWxoMlpuSnNibWhCVFhWSVVqQTNZV3BWYlVGalFsSlJZMU42Ylhjd1kxOVNRV2RLYm5CVExUbFhVU0o5LmV5SnBjM01pT2lKb2RIUndPaTh2ZEdFdVlTMTNZWGxtTG14dlkyRnNPamd3TURBaUxDSnpkV0lpT2lKb2RIUndPaTh2YjNBdVlTMTNZWGxtTG14dlkyRnNPamd3TURJdmIybGtZeTl2Y0NJc0ltbGhkQ0k2TVRjd09URXpNVEV3TXl3aWFXUWlPaUpvZEhSd2N6b3ZMM2QzZHk1emNHbGtMbWR2ZGk1cGRDOWpaWEowYVdacFkyRjBhVzl1TDI5d0lpd2liV0Z5YXlJNkltaDBkSEJ6T2k4dmQzZDNMbUZuYVdRdVoyOTJMbWwwTDNSb1pXMWxjeTlqZFhOMGIyMHZZV2RwWkM5c2IyZHZMbk4yWnlJc0luSmxaaUk2SW1oMGRIQnpPaTh2Wkc5amN5NXBkR0ZzYVdFdWFYUXZhWFJoYkdsaEwzTndhV1F2YzNCcFpDMXlaV2R2YkdVdGRHVmpibWxqYUdVdGIybGtZeTlwZEM5emRHRmlhV3hsTDJsdVpHVjRMbWgwYld3aWZRLmZfNUNURGZpVm1DSUpJbGpUVjUxVlRyS2RWaGI2cXRXczJLb1F1cHVkaGhOLUdVOU1uWkVSMktQRG40TV94TDZVNjlZWHkyU2JFV1kwMldFVU84a1RyNXN0Q2p0d1ExZy1NNENXZmp6ZGxuMHY3aFlQS241dEh4eVA3MDhyclNONjI5STRseUEteW5JVVFTejRSbGM5NXc4dUl4bjdab1k1M3NsN2NzYzlXVzg0VXJMbDFESHdjUVR5YTk0dENIdDlKWkd3QWhQT1Z6T2M1LVkwOUY1c2lLdmVWSzJBNnRjOHpBY3NveVFrdDRQa250MFd3UDhzaUNUekpObTFJQ0RhSlFNR1J1QktYLTlPX2g3RXZlbDczNnlac09pSlhfU3p2a0VoRVhkUzBTSWF4NVNLTGxxOU1lZ2U0WkVRSE1TcXdiMktxMm9USWQtVkVEQmdRakRJUSJ9XX0.gWxa074ERmnn5qLnJs5adDyUxowCF5wGCIx23gON5PD-kgyMnPl2IYvvISubpvdVwuLMI7iKhNJEjSPYzUPD5svmEwyByL76k_wn17siMA8WFMZYCglazD6KyokJ4WBEv8VSBnpSeO6BWHyzny8LAqGIeCugh-gM5xCQR_pRZ6kINN23cfwcF0L-QOAiH9KXXpQXPxZKyDtmW0OxQGhNGKdMCY8YPzgHM1dBmAkoNlXDetISAvhP2Jp9ztDU04Tva7UNRYBe5WhG4XQYdTexslJ3gODfoNXaU_a-_NfjovOEqo5Pc3uwu7gnCy5QbWjO7Hvf1A_OtAuTjdEUoaQrGA",
    "eyJ0eXAiOiJlbnRpdHktc3RhdGVtZW50K2p3dCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiQlh2ZnJsbmhBTXVIUjA3YWpVbUFjQlJRY1N6bXcwY19SQWdKbnBTLTlXUSJ9.eyJleHAiOjE3MDkxMzMwODMsImlhdCI6MTcwOTEzMTEwMywiaXNzIjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwIiwic3ViIjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwIiwiandrcyI6eyJrZXlzIjpbeyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsIm4iOiJvOElvbFJqWmxremN0LTQ4cmhyVmxUbllVMXBrTWJWSkQtRFUwNW9NUzlSVkdyc0Z5cGc5OG0tS3c0SDRxTlB5UVZ4Mk9RT1JpLXhTaGdrN0hVLWdLXzJwVmd1WWt2MDZGYWpMX2VkRUFxcXNxdF83NFFmMldMUkM1cGZKR196OU9Qelk4Skd5ay16M1NiZUhOX0JYS0k4R1k1RTRXVTJTc3RtUTlmeUw0Q3h0UmZqVWlhOGxpbVRDXzNNT3BUM3ppNW5yMDNqZmJqcG5qZ2E1MXFYdXJ4bmx6YzNhX3hqazVSQUFwS3hVdk53aEoyNzVNMENtQjk5RGpQd0Y2Qkx2VWdKcWd5Q3BVT24zNkxPaEk0RnF1VnFocWhpd0tsTW1pTWUzeXkweU5RN0ZYQld4anpoZXhicHljM1Z1N3pGSUhQQWNDNFV5SVFoYzN3YUVqMnZpWHciLCJraWQiOiJCWHZmcmxuaEFNdUhSMDdhalVtQWNCUlFjU3ptdzBjX1JBZ0pucFMtOVdRIn1dfSwibWV0YWRhdGEiOnsiZmVkZXJhdGlvbl9lbnRpdHkiOnsiY29udGFjdHMiOlsib3BzQGxvY2FsaG9zdCJdLCJmZWRlcmF0aW9uX2ZldGNoX2VuZHBvaW50IjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwL2ZldGNoIiwiZmVkZXJhdGlvbl9yZXNvbHZlX2VuZHBvaW50IjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwL3Jlc29sdmUiLCJmZWRlcmF0aW9uX3RydXN0X21hcmtfc3RhdHVzX2VuZHBvaW50IjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwL3RydXN0X21hcmtfc3RhdHVzIiwiaG9tZXBhZ2VfdXJpIjoiaHR0cDovL3RhLmEtd2F5Zi5sb2NhbDo4MDAwIiwib3JnYW5pemF0aW9uX25hbWUiOiJleGFtcGxlIFRBIiwicG9saWN5X3VyaSI6Imh0dHA6Ly90YS5hLXdheWYubG9jYWw6ODAwMC9lbi93ZWJzaXRlL2xlZ2FsLWluZm9ybWF0aW9uIiwibG9nb191cmkiOiJodHRwOi8vdGEuYS13YXlmLmxvY2FsOjgwMDAvc3RhdGljL3N2Zy9zcGlkLWxvZ28tYy1sYi5zdmciLCJmZWRlcmF0aW9uX2xpc3RfZW5kcG9pbnQiOiJodHRwOi8vdGEuYS13YXlmLmxvY2FsOjgwMDAvbGlzdCJ9fSwidHJ1c3RfbWFya19pc3N1ZXJzIjp7Imh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAvcHVibGljIjpbImh0dHBzOi8vcmVnaXN0cnkuc3BpZC5hZ2lkLmdvdi5pdCIsImh0dHBzOi8vcHVibGljLmludGVybWVkaWFyeS5zcGlkLml0Il0sImh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAvcHJpdmF0ZSI6WyJodHRwczovL3JlZ2lzdHJ5LnNwaWQuYWdpZC5nb3YuaXQiLCJodHRwczovL3ByaXZhdGUub3RoZXIuaW50ZXJtZWRpYXJ5Lml0Il0sImh0dHBzOi8vc2dkLmFhLml0L29uYm9hcmRpbmciOlsiaHR0cHM6Ly9zZ2QuYWEuaXQiXX0sImNvbnN0cmFpbnRzIjp7Im1heF9wYXRoX2xlbmd0aCI6MX19.gsj0XqvQgf1HDrTJvEERuQ7GdftMePZIVr_07rtlV6gtImtKjI5V4ca-hjaNFNmRXfUl-nOyA2-fi8LBIhI-2fPrRq9AEqQ8dp6knhwW1P5PWid8SjO_LvIiEx8XNzom-ViwqYpEYOems5jEImZc89i6vYpCQRirg3SEsXVwqPAKcDiwqWzncxPD6L5mg27Xvf50jcX3QutU5j1_diHe9t_dzbCKv8p_T_ty6fyt6k1k5e7L62iI8zyb4nrg2O3FT1zqPXdq47rt-PLbbMD1GbMfW7Ke92Nu1fKMkP3oZRJa9avox5UVbIiRf1JT_Yq8OZC5zWPDhHvME8bzrE8LWA"
  ]
}

Trust chain is a list with two entries, both are entity configurations.
Trust chain does not contain a subordinate statement issued by the TA with the OP as subject.
Trust chain is therefore not valid according to the specification:

A Trust Chain begins with a Leaf Entity Configuration, and has zero or more Subordinate Statements issued by Intermediates about Subordinates, and includes the Subordinate Statement issued by the Trust Anchor about the top-most Intermediate (if there are Intermediates) or the Leaf Entity (if there are no Intermediates). The Trust Chain logically always ends with the Entity Configuration of the Trust Anchor, even though it MAY be omitted from the JSON array representating the Trust Chain in some cases.

The text was updated successfully, but these errors were encountered:

peppelinux · 2024-02-29T15:31:32Z

ciao @tobiaspc, do you use https://github.com/italia/spid-cie-oidc-django/releases/tag/v1.3.2?

tobiaspc · 2024-03-01T09:26:24Z

Yes, our fork is based on v1.3.2 with two changes: We always resolve and return fresh trust chains, and modify the serialization to include subordinate statements as well.

Before v1.3.2, subordinate statements were part of the chain, but the chain was nested, as reported in #307.
In v1.3.2, the nesting issue reported in #307 was fixed, but two additional continue statements were also included in the serialization function.

We don't know if the continue statements were added on purpose, but we believe they are the source of the issue, resulting in trust chains containing only entity configurations, without any entity statements.

peppelinux · 2024-03-01T10:04:13Z

thank you for the analsys @tobiaspc

the release 1.3.2 added an unit test to be sure that hte trust chain is consistent
8746747#diff-0883c6743fcae978d35256008daee4b830b82c88781f280104dcc34a13a020f5R135

if you still find the issue, could you please provide the PR with your fork that aims to resolve this issue?

peppelinux mentioned this issue Mar 20, 2024

fix: Trust Chain serialization due to a regression in v1.3.2 #313

Merged

peppelinux closed this as completed in #313 Mar 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolve endpoint returns incomplete trust_chain #309

Resolve endpoint returns incomplete trust_chain #309

tobiaspc commented Feb 28, 2024

peppelinux commented Feb 29, 2024 •

edited

Loading

tobiaspc commented Mar 1, 2024

peppelinux commented Mar 1, 2024

Resolve endpoint returns incomplete trust_chain #309

Resolve endpoint returns incomplete trust_chain #309

Comments

tobiaspc commented Feb 28, 2024

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce

peppelinux commented Feb 29, 2024 • edited Loading

tobiaspc commented Mar 1, 2024

peppelinux commented Mar 1, 2024

peppelinux commented Feb 29, 2024 •

edited

Loading