WIP

Author: cicnavi

docs/1-openid.md

@@ -2,5 +2,6 @@
 
 1. [Installation](2-installation.md)
 2. [OpenID Federation Tools](3-federation.md)
+2.1 [Federation Discovery](3.1-federation-discovery.md)
 3. [OpenID for Verifiable Credential Issuance (OpenID4VCI) Tools](4-vci.md)
 4. [Federation Discovery and Entity Collection](5-federation-discovery.md)

docs/5-federation-discovery.md docs/3.1-federation-discovery.mddocs/5-federation-discovery.md renamed to docs/3.1-federation-discovery.md

@@ -1,19 +1,26 @@
 # Federation Discovery and Entity Collection
 
-This library provides a high-performance, specification-compliant toolkit for discovering entities within an OpenID Federation and interacting with Entity Collection Endpoints.
+This library provides a high-performance, specification-compliant toolkit for
+discovering entities within an OpenID Federation and interacting with Entity
+Collection Endpoints.
 
 The functionality is split into two main operational modes:
 
-1.  **Federation Discovery** — A top-down, recursive traversal of a federation hierarchy starting from a Trust Anchor.
-2.  **Entity Collection** — A specialized protocol for optimized bulk-fetching of entities, featuring support for server-side filtering, sorting, and cursor-based pagination.
+1.  **Federation Discovery** — A top-down, recursive traversal of a federation
+hierarchy starting from a Trust Anchor.
+2.  **Entity Collection** — A specialized protocol for optimized bulk-fetching
+of entities, featuring support for server-side filtering, sorting, and
+cursor-based pagination.
 
-All components are integrated and accessible through the `\SimpleSAML\OpenID\Federation` facade.
+All components are integrated and accessible through the
+`\SimpleSAML\OpenID\Federation` facade.
 
 ---
 
 ## Setup and Configuration
 
-To enable federation discovery, initialize the `Federation` facade with a cache and (optionally) a logger.
+To enable federation discovery, initialize the `Federation` facade with a
+cache and (optionally) a logger.
 
 ```php
 <?php
@@ -31,9 +38,12 @@ $federationTools = new Federation(
 
 ### Custom Entity Collection Store
 
-By default, the library persists discovered entity payloads using the configured PSR-16 cache (`CacheEntityCollectionStore`). If no cache is provided, it falls back to an `InMemoryEntityCollectionStore` (ephemeral).
+By default, the library persists discovered entity payloads using the
+configured PSR-16 cache (`CacheEntityCollectionStore`). If no cache is
+provided, it falls back to an `InMemoryEntityCollectionStore` (ephemeral).
 
-For production environments requiring persistent storage (e.g., Database, Redis), you should implement the `EntityCollectionStoreInterface`:
+For production environments requiring persistent storage
+(e.g., Database, Redis), you should implement the `EntityCollectionStoreInterface`:
 
 ```php
 use SimpleSAML\OpenID\Federation\EntityCollection\EntityCollectionStoreInterface;
@@ -43,8 +53,6 @@ class MyDatabaseStore implements EntityCollectionStoreInterface
     public function store(string $trustAnchorId, array $entities, int $ttl): void { /* ... */ }
     public function get(string $trustAnchorId): ?array { /* ... */ }
     public function clear(string $trustAnchorId): void { /* ... */ }
-    
-    // New in v2.0: Track last update time for 'last_updated' response field
     public function storeLastUpdated(string $trustAnchorId, int $timestamp, int $ttl): void { /* ... */ }
     public function getLastUpdated(string $trustAnchorId): ?int { /* ... */ }
     public function clearLastUpdated(string $trustAnchorId): void { /* ... */ }
@@ -56,13 +64,17 @@ $federationTools = new Federation(
 ```
 
 > [!NOTE]
-> The store caches the **JWT payload arrays** of discovered entities. Actual JWS signatures and original JWT strings are managed by the `EntityStatementFetcher` which handles its own caching and validation logic.
+> The store caches the **JWT payload arrays** of discovered entities. Actual
+> JWS signatures and original JWT strings are managed by the
+> `EntityStatementFetcher` which handles its own caching and validation logic.
 
 ---
 
 ## Federation Discovery (Top-Down)
 
-Federation Discovery performs a recursive traversal of the hierarchy. It starts at the Trust Anchor and follows `federation_list_endpoint` links to discover all subordinates.
+Federation Discovery performs a recursive traversal of the hierarchy.
+It starts at the Trust Anchor and follows `federation_list_endpoint` links
+to discover all subordinates.
 
 ### Discovering Entities
 
@@ -88,14 +100,20 @@ try {
 ### Discovery Logic & Loop Protection
 
 1.  **Trust Anchor Config**: Fetches and validates the TA's Entity Configuration.
-2.  **Subordinate Listing**: Fetches the `federation_list_endpoint`. If filters are provided, they are passed as query parameters to this endpoint.
-3.  **Recursion**: For each discovered subordinate, it fetches its configuration and repeats the process.
-4.  **Loop Protection**: The algorithm tracks visited IDs to prevent infinite loops and is limited by `maxDiscoveryDepth`.
-5.  **Deduplication**: Entities appearing in multiple branches are only stored once.
+2.  **Subordinate Listing**: Fetches the `federation_list_endpoint`.
+If filters are provided, they are passed as query parameters to this endpoint.
+3.  **Recursion**: For each discovered subordinate, it fetches its
+configuration and repeats the process.
+4.  **Loop Protection**: The algorithm tracks visited IDs to prevent
+infinite loops and is limited by `maxDiscoveryDepth`.
+5.  **Deduplication**: Entities appearing in multiple branches are only stored
+once.
 
 ### Applying Filters During Discovery
 
-You can pass filters (like `entity_type`) directly to the discovery process. These are passed to the remote `federation_list_endpoint` to optimize the traversal:
+You can pass filters (like `entity_type`) directly to the discovery process.
+These are passed to the remote `federation_list_endpoint` to optimize the
+traversal:
 
 ```php
 $collection = $federationTools->federationDiscovery()
@@ -104,7 +122,8 @@ $collection = $federationTools->federationDiscovery()
 
 ### Performance: Scheduled Refresh
 
-Discovery is an expensive network-heavy operation. You should run it in a background process (Cron) using `forceRefresh: true` to populate the cache:
+Discovery is an expensive network-heavy operation. You should run it in a
+background process (Cron) using `forceRefresh: true` to populate the cache:
 
 ```php
 // In a background job:
@@ -119,7 +138,9 @@ $collection = $federationTools->federationDiscovery()->discover($trustAnchorId);
 
 ## Entity Collection Client
 
-The Entity Collection Client allows fetching pre-filtered lists of entities from a remote `federation_collection_endpoint`. This is much more efficient than full traversal if the remote side supports it.
+The Entity Collection Client allows fetching pre-filtered lists of entities
+from a remote `federation_collection_endpoint`. This is much more efficient
+than full traversal if the remote side supports it.
 
 ### Bulk Fetching with Filters
 
@@ -128,15 +149,15 @@ The client supports all standard OpenID Federation query parameters:
 ```php
 $endpoint = 'https://federation.example.org/collection';
 
-$collection = $federationTools->federationDiscovery()->discoverFromCollectionEndpoint(
+$collection = $federationTools->federationDiscovery()->fetchFromCollectionEndpoint(
     $endpoint,
     [
         'entity_type'     => ['openid_provider'],
         'trust_mark_type' => ['https://example.org/marks/certified'],
         'trust_anchor'    => 'https://trust-anchor.example.org/',
         'query'           => 'university',
         'limit'           => 50,
-        'entity_claims'   => ['display_name', 'contacts'], // Request specific claims
+        'entity_claims'   => ['entity_types', 'ui_infos'], // Request specific claims
     ]
 );
 
@@ -147,18 +168,20 @@ foreach ($collection->getEntities() as $id => $payload) {
 
 ### Client-Side Caching
 
-`discoverFromCollectionEndpoint()` automatically caches the remote response body. If you need fresh data, pass `forceRefresh: true`.
+`fetchFromCollectionEndpoint()` automatically caches the remote response
+body. If you need fresh data, pass `forceRefresh: true`.
 
 ### Pagination Handling
 
-The `EntityCollection` object encapsulates the `next` cursor for seamless pagination:
+The `EntityCollection` object encapsulates the `next` cursor for seamless
+pagination:
 
 ```php
 $results = [];
 $cursor = null;
 
 do {
-    $page = $federationTools->federationDiscovery()->discoverFromCollectionEndpoint(
+    $page = $federationTools->federationDiscovery()->fetchFromCollectionEndpoint(
         $endpoint,
         ['limit' => 100, 'from' => $cursor]
     );
@@ -172,11 +195,14 @@ do {
 
 ## Server-Side Implementation
 
-If you are implementing your own `federation_collection_endpoint`, the library provides high-level building blocks to handle filtering, sorting, and pagination.
+If you are implementing your own `federation_collection_endpoint`, the library
+provides high-level building blocks to handle filtering, sorting, and
+pagination.
 
 ### The Pipeline Pattern
 
-The recommended implementation follows this pipeline: **Discover → Filter → Sort → Paginate → Serialize**.
+The recommended implementation follows this pipeline:
+**Discover → Filter → Sort → Paginate → Serialize**.
 
 ```php
 public function __invoke(ServerRequestInterface $request): ResponseInterface
@@ -192,7 +218,7 @@ public function __invoke(ServerRequestInterface $request): ResponseInterface
 
     // 3. Sort (By nested metadata claims)
     if (isset($params['sort_by'])) {
-        $path = explode('.', $params['sort_by']); // e.g. "federation_entity.display_name"
+        $path = explode('.', $params['sort_by']); // e.g. "metadata.federation_entity.display_name"
         $collection->sort([$path], $params['sort_dir'] ?? 'asc');
     }
 
@@ -217,7 +243,9 @@ public function __invoke(ServerRequestInterface $request): ResponseInterface
 
 ### Sorting Technical Details
 
-The `sort()` method accepts an array of claim paths relative to the **JWT payload root**. When sorting by metadata claims, you must explicitly include the `metadata` prefix:
+The `sort()` method accepts an array of claim paths relative to the
+**JWT payload root**. When sorting by metadata claims, you must explicitly
+include the `metadata` prefix:
 
 ```php
 $collection->sort([
@@ -231,7 +259,8 @@ $collection->sort([
 
 ## Serialized Response Format
 
-The `toCollectionEndpointResponseArray()` method produces a structure compatible with the OpenID Federation specification:
+The `toCollectionEndpointResponseArray()` method produces a structure compatible
+with the OpenID Federation specification:
 
 ```json
 {

src/Federation.php

@@ -352,6 +352,7 @@ public function subordinateListingFetcher(): SubordinateListingFetcher
         return $this->subordinateListingFetcher ??= new SubordinateListingFetcher(
             $this->artifactFetcher(),
             $this->helpers(),
+            $this->maxCacheDurationDecorator(),
             $this->logger,
         );
     }

src/Federation/FederationDiscovery.php

@@ -71,7 +71,7 @@ public function discover(
             $taConfig = $this->entityStatementFetcher->fromCacheOrWellKnownEndpoint($trustAnchorId);
 
             // Recursive traversal
-            $discoveredEntities = $this->traverse($trustAnchorId, $taConfig, $filters);
+            $discoveredEntities = $this->traverse($trustAnchorId, $taConfig, $filters, 0, [], $forceRefresh);
 
             // Compute TTL: lowest of maxCacheDuration and TA expiry
             $ttl = $this->maxCacheDurationDecorator->lowestInSecondsComparedToExpirationTime(
@@ -115,7 +115,7 @@ public function discover(
      * } $filters
      * @throws \SimpleSAML\OpenID\Exceptions\EntityDiscoveryException
      */
-    public function discoverFromCollectionEndpoint(
+    public function fetchFromCollectionEndpoint(
         string $endpointUri,
         array $filters = [],
         bool $forceRefresh = false,
@@ -157,7 +157,7 @@ public function discoverFromCollectionEndpoint(
     }
 
 
-    private function buildEntityCollectionFromResponse(string $responseBody): EntityCollection
+    protected function buildEntityCollectionFromResponse(string $responseBody): EntityCollection
     {
         $decoded = $this->helpers->json()->decode($responseBody);
 
@@ -237,12 +237,13 @@ public function discoverEntityIds(
      * @param string[] $visited
      * @return array<string, array<string, mixed>>
      */
-    private function traverse(
+    protected function traverse(
         string $entityId,
         EntityStatement $entityConfig,
         array $filters,
         int $depth = 0,
         array $visited = [],
+        bool $forceRefresh = false,
     ): array {
         if ($depth > $this->maxDepth || in_array($entityId, $visited, true)) {
             return [];
@@ -257,7 +258,7 @@ private function traverse(
         }
 
         try {
-            $subordinateIds = $this->subordinateListingFetcher->fetch($listEndpoint, $filters);
+            $subordinateIds = $this->subordinateListingFetcher->fetch($listEndpoint, $filters, $forceRefresh);
 
             foreach ($subordinateIds as $subId) {
                 // If we've already visited this subId (loop), skip to avoid infinite recursion
@@ -269,7 +270,7 @@ private function traverse(
                     $subConfig = $this->entityStatementFetcher->fromCacheOrWellKnownEndpoint($subId);
                     $allCollectedEntities = array_merge(
                         $allCollectedEntities,
-                        $this->traverse($subId, $subConfig, $filters, $depth + 1, $visited),
+                        $this->traverse($subId, $subConfig, $filters, $depth + 1, $visited, $forceRefresh),
                     );
                 } catch (Throwable $e) {
                     $this->logger?->warning('Failed to fetch subordinate configuration during discovery.', [

src/Federation/SubordinateListingFetcher.php

@@ -5,7 +5,7 @@
 namespace SimpleSAML\OpenID\Federation;
 
 use Psr\Log\LoggerInterface;
-use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
 use SimpleSAML\OpenID\Exceptions\EntityDiscoveryException;
 use SimpleSAML\OpenID\Helpers;
 use SimpleSAML\OpenID\Utils\ArtifactFetcher;
@@ -16,6 +16,7 @@ class SubordinateListingFetcher
     public function __construct(
         protected readonly ArtifactFetcher $artifactFetcher,
         protected readonly Helpers $helpers,
+        protected readonly DateIntervalDecorator $maxCacheDurationDecorator,
         protected readonly ?LoggerInterface $logger = null,
     ) {
     }
@@ -26,27 +27,41 @@ public function __construct(
      *
      * @param non-empty-string $listEndpointUri
      * @param array<string, string|string[]> $filters  Optional query params: entity_type, intermediate, etc.
+     * @param bool $forceRefresh  If true, ignore cached listing and fetch from network.
      * @return non-empty-string[]
      * @throws \SimpleSAML\OpenID\Exceptions\FetchException
      * @throws \SimpleSAML\OpenID\Exceptions\EntityDiscoveryException
      */
-    public function fetch(string $listEndpointUri, array $filters = []): array
+    public function fetch(string $listEndpointUri, array $filters = [], bool $forceRefresh = false): array
     {
         $uri = $this->helpers->url()->withMultiValueParams($listEndpointUri, $filters);
 
-        $this->logger?->debug('Fetching subordinate listing.', ['uri' => $uri, 'filters' => $filters]);
+        if (!$forceRefresh) {
+            $this->logger?->debug('Checking for cached subordinate listing.', ['uri' => $uri]);
+            $cached = $this->artifactFetcher->fromCacheAsString($uri);
+            if (is_string($cached)) {
+                $this->logger?->debug('Returning cached subordinate listing.', ['uri' => $uri]);
+                return $this->decodeAndEnsureType($cached);
+            }
+
+            $this->logger?->debug('No cached subordinate listing found.', ['uri' => $uri]);
+        }
+
+        $this->logger?->debug('Fetching subordinate listing from network.', ['uri' => $uri, 'filters' => $filters]);
 
         try {
             $responseBody = $this->artifactFetcher->fromNetworkAsString($uri);
             $this->logger?->debug('Fetched subordinate listing from network.', ['uri' => $uri]);
 
-            $decoded = $this->helpers->json()->decode($responseBody);
+            $result = $this->decodeAndEnsureType($responseBody);
 
-            if (!is_array($decoded)) {
-                throw new EntityDiscoveryException('Subordinate listing response is not a JSON array.');
-            }
+            $this->artifactFetcher->cacheIt(
+                $responseBody,
+                $this->maxCacheDurationDecorator->getInSeconds(),
+                $uri,
+            );
 
-            return $this->helpers->type()->ensureArrayWithValuesAsNonEmptyStrings($decoded, ClaimsEnum::Sub->value);
+            return $result;
         } catch (Throwable $throwable) {
             $message = sprintf(
                 'Unable to fetch subordinate listing from %s. Error: %s',
@@ -57,4 +72,20 @@ public function fetch(string $listEndpointUri, array $filters = []): array
             throw new EntityDiscoveryException($message, (int)$throwable->getCode(), $throwable);
         }
     }
+
+
+    /**
+     * @return non-empty-string[]
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityDiscoveryException
+     */
+    protected function decodeAndEnsureType(string $responseBody): array
+    {
+        $decoded = $this->helpers->json()->decode($responseBody);
+
+        if (!is_array($decoded)) {
+            throw new EntityDiscoveryException('Subordinate listing response is not a JSON array.');
+        }
+
+        return $this->helpers->type()->ensureArrayWithValuesAsNonEmptyStrings($decoded, 'Subordinate Listing');
+    }
 }