...

The entity must expose an Entity Configuration at:

/.well-known/openid-federation

...

{
  "sub": "https://my-entity.example.com",
  "authority_hints": [
    "https://mi-intermediate.example.org"
  ],
  "metadata": {
    "federation_entity": {
      "organization_name": "Example Org",
      "contacts": ["support@example.com"]
    },
    "oauth_authorization_server": {
      "token_endpoint": "https://entity.example.com/token",
      "authorization_endpoint": "https://entity.example.com/authorize",
      "jwks_uri": "https://entity.example.com/jwks/oauth"
    }
  },
  "jwks": {
    "keys": [
      {
        "kty": "RSA",
        "use": "sig",
        "kid": "example-key-id",
        "e": "AQAB",
        "n": "example-modulus"
      }
    ]
  }
}

...

Trust Marks are JWTs issued by a Trust Mark Issuer to attest compliance with Trust Infrastructure policies.

...

  1. Inputs to the Trust Mark Issuer operator:
    • id: The identifier for the Trust Mark.
    • sub: The entity's Entity Identifier.
  2. Steps:
    • Supply the id and sub to the Trust Mark Issuer.
    • Retrieve the issued Trust Mark as a signed JWT.
  3. Include in Metadata: Add the issued Trust Marks to your entity’s metadata:

...

  1. Decode JWT: Use tools like jwt.io to inspect the Trust Mark's claims and ensure all required fields are present.
  2. Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.
  3. Check Expiration: Ensure the exp claim (if present) has not expired.
  4. Validate References: Follow the ref URL (if provided) to confirm compliance with human-readable policy documents.

...

  1. Validate trust marks
    Use tools like jwt.io to decode and verify trust marks using the Trust Mark Issuer’s public keys.

  2. Retrieve metadata
    Ensure the .well-known/openid-federation endpoint correctly serves the entity’s Entity Configuration:

    curl https://your-entity.example.com/.well-known/openid-federation

  3. Check authority hints
    Verify that authority_hints points to the correct Superior.

  4. Validate public keys
    Confirm that the Trust Anchor’s public keys match those provided in your local configuration.

...