§06 Lesson · Core Mechanics

Metadata & Policy

How entities describe capabilities and superiors constrain them

Last reviewed 2026-06-05

What is Metadata?

Every entity in a federation describes its capabilities through metadata (§5) — structured key-value pairs organized by Entity Type Identifier. The metadata tells other entities what protocols are supported, which endpoints are available, and how to interact.

Metadata by Entity Type

Each Entity Type Identifier has its own set of parameters. For example, an openid_provider's metadata includes:

· issuer
· authorization_endpoint
· token_endpoint
· userinfo_endpoint
· jwks_uri
· scopes_supported
· response_types_supported
· grant_types_supported
· subject_types_supported
· id_token_signing_alg_values_supported

Policy Operators

Superiors constrain their subordinates' metadata using policy operators (§6.1.3.1) in the metadata_policy claim of Subordinate Statements. There are 7 operators:

value

Forces a specific value, completely overriding the subordinate's.

    token_endpoint_auth_method: { value: "private_key_jwt" }

one_of

The value MUST be one of the listed options (like a dropdown).

    application_type: { one_of: ["web", "native"] }

subset_of

Array values are reduced to the intersection with the allowed values.

    scopes_supported: { subset_of: ["openid", "profile", "email"] }

superset_of

The array MUST contain at least these values.

    scopes_supported: { superset_of: ["openid"] }

add

Adds values to an array. Existing values are kept.

    contacts: { add: ["sec@fed.gov"] }

default

Fallback value used only if the subordinate didn't provide one.

    application_type: { default: "web" }

essential

When true, the parameter MUST be present in the final metadata.

    redirect_uris: { essential: true }

Policy Cascade — Watch It Work

Metadata policies are applied in order from the Trust Anchor down through each Intermediate to produce the final resolved metadata (§6.1.4).

Step 1 — Leaf's Raw Metadata

The leaf entity declares its capabilities in its Entity Configuration:

Leaf metadata:

```json
{
  "scopes_supported": ["openid", "profile", "email", "phone", "address"],
  "grant_types": ["authorization_code", "implicit", "client_credentials"],
  "token_endpoint_auth_method": "client_secret_post",
  "contacts": ["admin@uni.edu"]
}
```
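To make the seven operators concrete before the cascade continues, here is an added Python example (not code from this lesson or from any federation library) that applies one constructed Trust Anchor metadata_policy to the leaf metadata above and reports every violated check. The policy contents, the redirect_uris value, and the operator order (modifiers value, add, default before the checks one_of, subset_of, superset_of, essential) are assumptions of this example.

```python
import copy

# Leaf metadata copied from the Step 1 example on this page.
LEAF_METADATA = {
    "scopes_supported": ["openid", "profile", "email", "phone", "address"],
    "grant_types": ["authorization_code", "implicit", "client_credentials"],
    "token_endpoint_auth_method": "client_secret_post",
    "contacts": ["admin@uni.edu"],
}
# Constructed variant that also carries the redirect_uris the policy marks essential.
LEAF_WITH_REDIRECTS = {**LEAF_METADATA, "redirect_uris": ["https://rp.uni.edu/cb"]}

# Constructed Trust Anchor metadata_policy exercising all seven operators.
TA_POLICY = {
    "scopes_supported": {"subset_of": ["openid", "profile", "email"], "superset_of": ["openid"]},
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"]},
    "token_endpoint_auth_method": {"value": "private_key_jwt"},
    "contacts": {"add": ["sec@fed.gov"]},
    "application_type": {"default": "web", "one_of": ["web", "native"]},
    "redirect_uris": {"essential": True},
}

def apply_policy(metadata, policy):
    """Apply one metadata_policy; return (resolved_metadata, list_of_violations).

    Modifiers (value, add, default) run before the checks (one_of, subset_of,
    superset_of, essential); this ordering is an assumption of the example.
    """
    out = copy.deepcopy(metadata)  # never mutate the leaf's own statement
    violations = []
    for param, ops in policy.items():
        if "value" in ops:
            out[param] = ops["value"]
        if "add" in ops:
            current = list(out.get(param, []))
            out[param] = current + [v for v in ops["add"] if v not in current]
        if "default" in ops and param not in out:
            out[param] = ops["default"]
        if "one_of" in ops and param in out and out[param] not in ops["one_of"]:
            violations.append(f"{param}: {out[param]!r} is not one of {ops['one_of']}")
        if "subset_of" in ops and param in out:
            out[param] = [v for v in out[param] if v in ops["subset_of"]]
        if "superset_of" in ops and param in out and not set(ops["superset_of"]) <= set(out[param]):
            violations.append(f"{param}: must contain {ops['superset_of']}")
        if ops.get("essential") and param not in out:
            violations.append(f"{param}: essential parameter is missing")
    return out, violations
```

Running it on the page's leaf metadata as-is yields exactly one violation (the missing essential redirect_uris), while the variant with redirect_uris resolves cleanly to three scopes, a single grant type, private_key_jwt, two contacts and the defaulted application_type "web".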