Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minor inconsistancies and misalignments in SSF Spec document #228

Open
beyond-james-slocum opened this issue Jan 24, 2025 · 1 comment
Open

Minor inconsistancies and misalignments in SSF Spec document #228

beyond-james-slocum opened this issue Jan 24, 2025 · 1 comment
Labels
v1Final Issues that must be fixed before we propose a spec to become a v1 final spec.

Comments

@beyond-james-slocum
Copy link

I wanted to capture some conflicting examples in the SSF spec document, if these have already been addressed for the up coming V1-Final effort you can disregard.

  1. In the example of "conforming events" defined in The SSF Standard, Section 5 The txn field defined in the examples are json numeric values
"iat": 1520364019,
"txn": 8675309,
"aud": "636C69656E745F6964",

However the txn claim is defined here in the SET token standard, is defined as an Optional String

"txn" (Transaction Identifier) Claim
An OPTIONAL string value that represents a unique transaction
identifier. In cases in which multiple related JWTs are issued,
the transaction identifier claim can be used to correlate these
related JWTs. Note that this claim can be used in JWTs that are
SETs and also in JWTs using non-SET profiles.

So all of these examples should be updated to quote the txn value.

  1. The CAEP event defined in the events claims does not match the format as defined in the CAEP Standard
    the reason_admin and reason_user are defined as a JSON OBJECT that is a set of BCP47 (RFC5646) language tags, with their localized display string. So to correct the above example, it should be
{
    ...,

    "reason_admin" : {
        "en" : "Policy Violation: C076E82F"
    },
    "reason_user" : {
        "en" : "Landspeed violation."
    }
}

  1. In section [10.1.3] there is an example with a sub_id with format = phone. This is not a valid id according to this spec, it should be phone_number as defined in
    Subject Identifiers

  2. In section [10.1.3] there is another example, where the CAEP event uses the event URL:
    https://schemas.openid.net/secevent/caep/event-type/token-claims-changed with
    an "ed" on the end of change, but in the spec here
    you can see it's defined as: https://schemas.openid.net/secevent/caep/event-type/token-claims-change without the "ed".
@FragLegs
Copy link
Contributor

Thank you!

For whoever picks this up:

@FragLegs FragLegs added the v1Final Issues that must be fixed before we propose a spec to become a v1 final spec. label Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
v1Final Issues that must be fixed before we propose a spec to become a v1 final spec.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@FragLegs @beyond-james-slocum