Fix typos #194

Merged
merged 19 commits into from
Oct 31, 2023
492 changes: 422 additions & 70 deletions docs/common/common_examples.rst

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/en/authorization_endpoint.rst
Expand Up @@ -234,7 +234,7 @@ If the authentication is successful the OpenID Provider (OP) redirects the user

Authorization Response example:

.. code-block:: http
.. code-block::

http://rp-test.it/oidc/rp/callback/?code=a032faf23d986353019ff8eda96cadce2ea1c368f04bf4c5e1759d559dda1c08056c7c4d4e8058cb002a0c8fa9a920272350aa102548523a8aff4ccdb44cb3fa&state=2Ujz3tbBHWQEL4XPFSJ5ANSjkhd7IlfC&iss=http%3A%2F%2Fop-test%2Foidc%2Fop%2F

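Review bot: the lexer change itself is fine (a bare URL is not an HTTP message, so `http` produced a Pygments warning), but the example still carries `iss=http%3A%2F%2Fop-test%2Foidc%2Fop%2F`, an `http://` issuer, while token_endpoint.rst in this same PR says the OP identifier MUST be an HTTPS URL and that the RP MUST verify `iss` matches the OP it called. RPs compare that value byte-for-byte, so use an `https://` issuer (and preferably an `https://` redirect URI) in the example rather than something an implementer may copy and then normalise loosely.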
264 changes: 181 additions & 83 deletions docs/en/entity_statement.rst

Large diffs are not rendered by default.

11 changes: 11 additions & 0 deletions docs/en/federation_endpoint.rst
Expand Up @@ -29,3 +29,14 @@ In addition to the Federation endpoints reported before, the Entities of type **
(For more details, see `OIDC-FED`_ Section 7.3).

An Entity of type **AA**, in addition to the common Federation endpoints like all the Entities, MUST also include the **trust mark status endpoint** for allowing the dynamic validation of the TMs, released by the AA.

.. admonition:: |cieid-icon|

Federation endpoint webpaths MUST be defined as follows:

- \*/.well-known/openid-federation
- \*/fetch
- \*/resolve
- \*/trust_mark_status
- \*/list

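Review bot: the new admonition says all five webpaths MUST be defined, but the paragraph just above distinguishes entity types: only an AA adds `trust_mark_status`, and `fetch`/`list` belong to entities that issue statements about subordinates, not to leaves. State per path which entity type exposes it (or phrase it as "where an endpoint is exposed, its path MUST end with ..."), and define what the leading `*/` means (any path prefix under the Entity ID?); as written an RP could read it as being required to serve `/fetch` and `/list`.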
2 changes: 2 additions & 0 deletions docs/en/introspection_endpoint.rst
@@ -1,5 +1,7 @@
.. include:: ../common/common_definitions.rst

.. _introspection_endpoint:

Introspection Endpoint
----------------------

2 changes: 1 addition & 1 deletion docs/en/metadata_aa.rst
Expand Up @@ -7,7 +7,7 @@ Attribute Authority Metadata
An AA MUST publish in its EC a *federation_entity* Metadata and an *oauth_resource* Metadata, if the resources are protected it MUST also publish an *oauth_authorization_server* Metadata.


.. code-block:: json
.. code-block::

{
"metadata":{
18 changes: 11 additions & 7 deletions docs/en/metadata_oidc_op.rst
Expand Up @@ -8,7 +8,7 @@ OpenID Connect Provider Metadata (OP)
An OP MUST publish in its EC a Metadata of type *federation_entity* and a Metadata of type *openid_provider*, as
reported in the following example:

.. code-block:: json
.. code-block::

{
"metadata":{
Expand Down Expand Up @@ -128,12 +128,6 @@ The EC of an OP MUST configure a metadata of type **"openid_provider"**, that MU
* - **request_object_signing_alg_values_supported**
- See `OpenID.Discovery#OP_Metadata`_. See signature :ref:`supported_algs`.
- |spid-icon| |cieid-icon|
.. * - **request_object_encryption_alg_values_supported**
.. - Until otherwise indicated by AgID, this MUST NOT be included.
.. - |spid-icon|
.. * - **request_object_encryption_enc_values_supported**
.. - Until otherwise indicated by AgID, this MUST NOT be included.
.. - |spid-icon|
* - **token_endpoint_auth_methods_supported**
- See `OpenID.Discovery#OP_Metadata`_. The supported value is **private_key_jwt**
- |spid-icon| |cieid-icon|
Expand Down Expand Up @@ -165,6 +159,16 @@ The EC of an OP MUST configure a metadata of type **"openid_provider"**, that MU
- See `OIDC-FED`_ Section 4.2. See signature :ref:`supported_algs`.
- |spid-icon| |cieid-icon|

.. admonition:: |spid-icon|

Until otherwise indicated by AgID, the parameters **request_object_encryption_alg_values_supported** e **request_object_encryption_enc_values_supported**, MUST NOT be included in the SPID OP Metadata.

.. * - **request_object_encryption_alg_values_supported**
.. - Until otherwise indicated by AgID, this MUST NOT be included.
.. - |spid-icon|
.. * - **request_object_encryption_enc_values_supported**
.. - Until otherwise indicated by AgID, this MUST NOT be included.
.. - |spid-icon|

.. warning::
The OP Metadata of type **"openid_provider"** exposes the claim **jwks** as regulated by OID-FED instead of
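Review bot: the admonition leaves an Italian conjunction in the English page: "**request_object_encryption_alg_values_supported** e **request_object_encryption_enc_values_supported**" should read "and". Also, the commented-out rows for the same two parameters are only moved from inside the table to below it, not removed; now that the admonition carries the requirement, delete the dead `..` rows so a later edit does not resurrect them into the table.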
15 changes: 13 additions & 2 deletions docs/en/metadata_oidc_rp.rst
Expand Up @@ -7,7 +7,7 @@ OpenID Connect Relying Party Metadata (RP)

An RP MUST publish in its EC a Metadata of type *federation_entity* and a Metadata of type *openid_relying_party*, as reported in the following example:

.. code-block:: json
.. code-block::

{
"metadata":{
Expand Down Expand Up @@ -68,11 +68,14 @@ The RP Metadata of type **"openid_relying_party"** MUST contain at least the fol
* - **jwks**
- See `OpenID.Registration#ClientMetadata`_ and `JWK`_.
- |spid-icon| |cieid-icon|
* - **signed_jwks_uri**
- See `OIDC-FED`_.
- |spid-icon|
* - **id_token_signed_response_alg**
- See `OpenID.Registration#ClientMetadata`_. See signature :ref:`supported_algs`.
- |spid-icon| |cieid-icon|
* - **id_token_encrypted_response_alg**
- See `OpenID.Registration#ClientMetadata`_. See key encryption :ref:`supported_algs`.
- OPTIONAL. If it is contained in the RP Metadata, the ID Token MUST be a nested signed and encrypted JWT. See `OpenID.Registration#ClientMetadata`_. See key encryption :ref:`supported_algs`.
- |cieid-icon|
* - **id_token_encrypted_response_enc**
- See `OpenID.Registration#ClientMetadata`_. This content encryption is required only if the *id_token_encrypted_response_alg* is given. See key encryption :ref:`supported_algs`.
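Review bot: this table is introduced with "MUST contain at least the following", yet the edited `id_token_encrypted_response_alg` row now opens with "OPTIONAL", and `signed_jwks_uri` is added as a SPID-only alternative to `jwks`. Either move optional and alternative parameters under their own heading or change the lead sentence; an RP author reading the table cannot otherwise tell which rows are mandatory.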
Expand Down Expand Up @@ -103,3 +106,11 @@ The RP Metadata of type **"openid_relying_party"** MUST contain at least the fol
The URIs contained in the claim **redirect_uris** MAY also use custom schemas (e.g. myapp://)
in order to support mobile applications.

.. admonition:: |cieid-icon|

The RP Metadata **"openid_relying_party"** MUST use the **jwks** parameter.

.. admonition:: |spid-icon|

The RP Metadata **"openid_relying_party"** MUST use the **jwks** or **signed_jwks_uri**.

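Review bot: "MUST use the **jwks** or **signed_jwks_uri**" is missing the word "parameter", and more importantly says nothing about both being present: state which key set the OP trusts for verifying `private_key_jwt` client assertions and request objects in that case, and whether the two must be identical. Also state what verifies the JWT served at `signed_jwks_uri` (the cited OIDC-FED ties it to the entity's federation keys); without that sentence an implementer may trust whatever the URL host returns.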
2 changes: 1 addition & 1 deletion docs/en/metadata_oidc_ta_sa.rst
Expand Up @@ -7,7 +7,7 @@ Trust Anchor (TA) and Intermediate (SA) Metadata

A TA and a SA MUST publish in the EC a Metadata of type *federation_entity*, as reported in the following example:

.. code-block:: json
.. code-block::

{
"metadata":{
19 changes: 10 additions & 9 deletions docs/en/token_endpoint.rst
Expand Up @@ -93,7 +93,7 @@ The claims that MUST be included in the *Token Request* are given below.
- |spid-icon| |cieid-icon|
* - **client_assertion_type**
- It must get the following value: |br|
**urn:ietf:params:oauth:client-assertion-type:jwtbearer**.
**urn:ietf:params:oauth:client-assertion-type:jwt-bearer**.
- |spid-icon| |cieid-icon|
* - **code**
- Authorization code returned in the Authentication Response. Required only if **grant_type** is **authorization_code**.
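Review bot: good catch; `urn:ietf:params:oauth:client-assertion-type:jwtbearer` is not a registered value, so an OP doing exact matching rejects every Token Request built from this page. docs/it/token_endpoint.rst is not in this PR: check it carries the same `jwt-bearer` value, and grep the request examples for the old spelling.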
Expand Down Expand Up @@ -174,7 +174,7 @@ UserInfo endpoint to get user attributes.

**Access Token header and payload example:**

.. code-block:: json
.. code-block::

{
"alg": "RS256",
Expand All @@ -183,11 +183,9 @@ UserInfo endpoint to get user attributes.
}
.
{
"iss":"https://op.spid.agid.gov.it/",
"iss":"https://op.spid.agid.gov.it",
"sub": "9sd798asd98asui23hiuds89y798sfyg",
"aud": [
"https://rp.spid.example.it"
],
"aud": "https://op.spid.agid.gov.it/userinfo",
"client_id": "https://rp.spid.example.it",
"scope": "openid",
"jti": "9ea42af0-594c-4486-9602-8a1f8dde42d3",
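Review bot: `aud` in the example is now a single string, while the table edited below says "a list of Resource Servers"; RFC 7519 allows either form, so say explicitly that a single string is accepted or show the array form here. Dropping the trailing slash from `iss` is right only if it is done everywhere: RPs compare `iss` byte-for-byte, and the UserInfo example in this PR uses `https://op.spid.agid.gov.it/userinfo`, so check the ID Token example and the OP Entity Configuration use the same `https://op.spid.agid.gov.it` form.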
Expand All @@ -213,7 +211,7 @@ UserInfo endpoint to get user attributes.
- It MUST contain a HTTPS URL that uniquely identifies the RP.
- |spid-icon| |cieid-icon|
* - **aud**
- It MUST match the value *client_id*. The RP MUST verify that this value matches its client ID.
- It MUST contain a list of Resource Servers referring to token consuming party. It MUST contain at least the *UserInfo Endpoint*.
- |spid-icon| |cieid-icon|
* - **scope**
- The OP SHOULD add the *scope* parameter as defined in :rfc:`9068` Section 2.2.3. It MUST match the value in the authentication request.
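Review bot: the new `aud` row moves the check from the RP to the resource server but never says who verifies it. Add that the UserInfo Endpoint (and any other Resource Server) MUST reject an Access Token whose `aud` does not contain its own identifier, and that the RP no longer expects its `client_id` in `aud` (it is carried in the `client_id` claim); otherwise RPs built against the previous row will break on the first token they receive.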
Expand Down Expand Up @@ -248,7 +246,7 @@ The claims available in the *ID Token* are given below.

**Example of header and payload of an ID Token:**

.. code-block:: json
.. code-block::


{
Expand Down Expand Up @@ -335,9 +333,12 @@ The *Refresh Token* MUST be a signed JWT containing at least the following param
* - **iss**
- It MUST be an HTTPS URL that uniquely identifies the OP. The RP MUST verify that this value matches the called OP.
- |spid-icon| |cieid-icon|
* - **aud**
* - **client_id**
- It MUST match the value client_id. The RP MUST verify that this value matches its client ID.
- |spid-icon| |cieid-icon|
* - **aud**
- It MUST contain the OP *Token Endpoint*.
- |spid-icon| |cieid-icon|
* - **iat**
- UNIX Timestamp with the time of JWT issuance, coded as NumericDate as indicated in :rfc:`7519`.
- |spid-icon| |cieid-icon|
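Review bot: the new `client_id` row keeps the sentence "The RP MUST verify that this value matches its client ID", which fits an ID Token but not a Refresh Token: the party that validates a Refresh Token is the OP's Token Endpoint, and the binding that matters is that `client_id` inside the token equals the client authenticated via `client_assertion` in the refresh request. Put the MUST on the OP, and likewise state that the OP MUST check `aud` contains its own Token Endpoint, since the row only says what the value is, not who enforces it.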
2 changes: 1 addition & 1 deletion docs/en/userinfo_endpoint.rst
Expand Up @@ -18,7 +18,7 @@ Request
The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST :rfc:`2616` and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer :rfc:`6750`.


.. code-block:: http
.. code-block::

GET https://op.spid.agid.gov.it/userinfo
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImRCNjdnTDdja ...
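Review bot: the `http` lexer failed because `GET https://op.spid.agid.gov.it/userinfo` is not an HTTP request line (no protocol version). Rewrite the example as `GET /userinfo HTTP/1.1` followed by `Host: op.spid.agid.gov.it` and the `Authorization` header, and keep `.. code-block:: http`, rather than removing the lexer and leaving a malformed request in the spec.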
10 changes: 5 additions & 5 deletions docs/it/authorization_endpoint.rst
Expand Up @@ -26,7 +26,7 @@ Mediante il metodo **GET** i parametri DEVONO essere trasmessi utilizzando la *Q

Di seguito i parametri obbligatori nella richiesta di autenticazione *HTTP*.

.. _tabella_parametri_authz_req: Authorization request
.. _tabella_parametri_authz_req:

.. list-table::
:widths: 20 60 20
Expand Down Expand Up @@ -85,10 +85,10 @@ Il payload del **JWT** contiene i seguenti parametri obbligatori.
- Vedi `OpenID.Registration`_. DEVE essere valorizzato con un HTTPS URL che identifica univocamente il RP.
- |spid-icon| |cieid-icon|
* - **code_challenge**
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_http_req>`.
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_authz_req>`.
- |spid-icon| |cieid-icon|
* - **code_challenge_method**
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_http_req>`.
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_authz_req>`.
- |spid-icon| |cieid-icon|
* - **nonce**
- Vedi `OpenID.Core#AuthRequest`_. DEVE essere una stringa casuale di almeno 32 caratteri alfanumerici. Questo valore sarà restituito nell'ID Token fornito dal Token Endpoint, in modo da consentire al client di verificare che sia uguale a quello inviato nella richiesta di autenticazione.
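Review bot: these refs now resolve to the label fixed in the previous hunk, but any remaining `tabella_parametri_http_req` elsewhere in docs/it, or in the English authorization_endpoint.rst (not touched here), would still produce a Sphinx undefined-label warning; grep both trees before merging.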
Expand All @@ -111,7 +111,7 @@ Il payload del **JWT** contiene i seguenti parametri obbligatori.
- Vedi `OpenID.Core#AuthRequest`_. Come definito dal parametro **response_types_supported** nel :ref:`Metadata OP <MetadataOP>`.
- |spid-icon| |cieid-icon|
* - **scope**
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_http_req>`.
- Come definito nella :ref:`Tabella dei parametri HTTP <tabella_parametri_authz_req>`.
- |spid-icon| |cieid-icon|
* - **acr_values**
- Vedi `OpenID.Core#AuthRequest`_. Come definito dal parametro **acr_values_supported** nel :ref:`Metadata OP <MetadataOP>`.
Expand Down Expand Up @@ -233,7 +233,7 @@ reindirizza l'utente aggiungendo i seguenti parametri obbligatori come query par

Esempio di Authorization Response dell'OP:

.. code-block:: http
.. code-block::

http://rp-test.it/oidc/rp/callback/?code=a032faf23d986353019ff8eda96cadce2ea1c368f04bf4c5e1759d559dda1c08056c7c4d4e8058cb002a0c8fa9a920272350aa102548523a8aff4ccdb44cb3fa&state=2Ujz3tbBHWQEL4XPFSJ5ANSjkhd7IlfC&iss=http%3A%2F%2Fop-test%2Foidc%2Fop%2F

2 changes: 1 addition & 1 deletion docs/it/entity_configuration.rst
Expand Up @@ -110,7 +110,7 @@ Gli EC di un TA, in aggiunta ai claim comuni a tutti i partecipanti, contengono
- JSON Object che descrive un insieme di vincoli della Trust Chain e che DEVE contenere l'attributo **max_path_length**. Rappresenta il numero massimo di SA tra una Foglia e il TA.
PUÒ anche contenere il claim **allowed_leaf_entity_types**, che restringe i tipi di Entità riconoscobili come suoi discendenti.
- |spid-icon| |cieid-icon|
* - **trust_marks_issuers**
* - **trust_mark_issuers**
- JSON Array che indica quali autorità sono considerate attendibili nella Federazione per l'emissione di specifici TM, questi assegnati mediante il proprio identificativo univoco.
- |spid-icon| |cieid-icon|

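Review bot: `trust_mark_issuers` is the claim implementations look up in the TA's Entity Configuration to decide which Trust Mark issuers are trusted; a spelling mismatch between spec and code means either no issuer is trusted or every TM is rejected, so this is more than a typo. entity_statement.rst in this PR is not rendered here: confirm the English text and every JSON example use `trust_mark_issuers`, matching the OIDC-FED spelling.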