...
- An understanding of your federation's structure and the required credential types.
- Access to the Trust Anchor (TA) with its entity ID and keys.
- HTTPS is properly set up for your issuer.
...
Key Configuration Points
Registering the Issuer as a Subordinate Entity
In an OpenID Federation trust framework, the Issuer must be added as a **Subordinate Entity** under a **Superior Entity** (e.g., a Trust Anchor or an Intermediate Entity). Registration is what makes the Issuer part of the trust hierarchy: the Superior Entity publishes a Subordinate Statement about the Issuer, and relying parties build a trust chain from the Issuer's own Entity Configuration, through that statement, up to the Trust Anchor.
Key Steps for the Issuer Operator
- Publish Metadata
  - Make the Issuer's metadata (its Entity Configuration) available at `https://<issuer-entity-id>/.well-known/openid-federation`.
- Share the Entity ID
  - Once the metadata is published, provide the `entity_id` to the Superior Entity.
  - The Superior Entity will retrieve the metadata from the `.well-known/openid-federation` endpoint and complete the registration process.
- Obtain Approval
  - The Superior Entity must approve the Issuer's inclusion in the federation.
  - If additional details are required, ensure they are provided as per the federation's guidelines.
Federation Info Endpoint
The federation info endpoint exposes the issuer's metadata to other federation participants.
Define the Endpoint:
- The endpoint is defined under the following path: `.well-known/openid-federation`
Implementation:
- Ensure this endpoint serves the issuer's metadata as specified in the OpenID Federation 1.0 standard: a signed Entity Configuration JWT in which `iss` equals `sub` (the issuer's own entity ID) and whose signature verifies with one of the keys in its own `jwks`. Anything else (an unsigned JSON document, or a statement about a different subject) will be rejected by federation peers.
Example Metadata: Here is an example of the metadata (the decoded payload of that Entity Configuration) that can be exposed at the endpoint:
```json
{
  "sub": "https://my-issuer.example.com:8000",
  "metadata": {
    "federation_entity": {
      "organization_name": "The OP operator",
      "contacts": "operations@op.example.com"
    },
    "oauth_authorization_server": {
      "jwks_uri": "https://my-issuer.example.com:8000/jwks/oauth_authorization_server",
      "token_endpoint_auth_methods_supported": [],
      "token_endpoint_auth_signing_alg_values_supported": [
        "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512",
        "PS256", "PS384", "PS512", "HS256", "HS384", "HS512",
        "Ed25519", "Ed448", "EdDSA"
      ],
      "response_types_supported": ["code"],
      "response_modes_supported": ["code"],
      "acr_values_supported": [],
      "scopes_supported": [],
      "authorization_signing_alg_values_supported": [
        "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512",
        "PS256", "PS384", "PS512", "HS256", "HS384", "HS512",
        "Ed25519", "Ed448", "EdDSA"
      ],
      "request_object_signing_alg_values_supported": [
        "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512",
        "PS256", "PS384", "PS512", "HS256", "HS384", "HS512",
        "Ed25519", "Ed448", "EdDSA"
      ],
      "claims_parameter_supported": true,
      "request_parameter_supported": true,
      "request_object_encryption_alg_values_supported": [],
      "request_object_encryption_enc_values_supported": [],
      "code_challenge_methods_supported": ["plain", "S256", "S384", "S512"],
      "deny_unknown_scopes": false,
      "ui_locales_supported": [],
      "token_endpoint": "https://my-issuer.example.com:8000/token",
      "token_endpoint_auth_methods": ["attest_jwt_client_auth"],
      "authorization_endpoint": "https://my-issuer.example.com:8000/authorization",
      "authorization_endpoint_auth_methods": ["pushed_authz"],
      "pushed_authorization_request_endpoint": "https://my-issuer.example.com:8000/par",
      "pushed_authorization_request_endpoint_auth_methods": ["attest_jwt_client_auth"]
    },
    "openid_credential_issuer": {
      "attribute_disclosure": {
        "": ["given_name", "family_name", "name", "email", "nickname"]
      },
      "credential_configurations_supported": {
        "PDA1Credential": {
          "format": "vc+sd-jwt",
          "id": "eudiw.pda1.se",
          "cryptographic_binding_methods_supported": ["jwk"],
          "cryptographic_suites_supported": ["RS256", "RS512", "ES256", "ES512"],
          "display": {"name": "Swedish PDA1 Provider Example", "locale": "en-US"},
          "vct": "PDA1Credential",
          "credential_definition": {
            "type": ["PDA1Credential"],
            "credentialSubject": {
              "family_name": {"display": [{"locale": "en-US", "name": "Current Family Name"}], "mandatory": true},
              "given_name": {"display": [{"locale": "en-US", "name": "Current First Name"}], "mandatory": true},
              "birth_date": {"display": [{"locale": "en-US", "name": "Birth date"}]}
            }
          }
        },
        "EHICCredential": {
          "format": "vc+sd-jwt",
          "id": "eudiw.ehic.se",
          "cryptographic_binding_methods_supported": ["jwk"],
          "cryptographic_suites_supported": ["RS256", "RS512", "ES256", "ES512"],
          "display": {"name": "Swedish EHIC Provider Example", "locale": "en-US"},
          "vct": "EHICCredential",
          "credential_definition": {
            "type": ["EHICCredential"],
            "credentialSubject": {
              "family_name": {"display": [{"locale": "en-US", "name": "Current Family Name"}], "mandatory": true},
              "given_name": {"display": [{"locale": "en-US", "name": "Current First Name"}], "mandatory": true},
              "birth_date": {"display": [{"locale": "en-US", "name": "Birth date"}]}
            }
          }
        }
      },
      "jwks": {
        "keys": [
          {"kty": "RSA", "use": "sig", "kid": "ODR1b1ZjUEpsRzVhVHBSaWxLR1hxQ2x3WTU2ZVFDcnVsMXBmdEF5WUM4UQ", "e": "AQAB", "n": "vqLXJgOHZn7YFqL78Kth6vP..."},
          {"kty": "EC", "use": "sig", "kid": "YzIwZjJEaFJxU0NOLXJ5MS1mSXgyLUp5RWNZb3I4M1lRMDVhQWxMUjhsZw", "crv": "P-256", "x": "FdYslsTybViEudE4T-gyBrcKeZNleH9-QajFYVpOYW8", "y": "If-rr6KWEEnC_R8N93SrcQRn4E7lC4WXOqgANj-o0UE"},
          {"kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw"},
          {"kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw"}
        ]
      },
      "credential_response_encryption_alg_values_supported": [
        "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
        "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
      ],
      "credential_response_encryption_enc_values_supported": [
        "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"
      ],
      "require_credential_response_encryption": false,
      "credentials_supported": ["vp_token"],
      "credential_endpoint": "https://my-issuer.example.com:8000/credential",
      "credential_endpoint_auth_methods": ["dpop_client_auth"]
    }
  },
  "authority_hints": ["https://trust-anchor.example.com:7001"],
  "trust_marks": ["eyJhbGciOiJSUzI1Ni...", "eyJhbGciOiJSUzI1N..."],
  "jwks": {
    "keys": [
      {"kty": "RSA", "use": "sig", "kid": "VmhPQndmVDNja09ZYTQ4UlM3eWl2Z3BxMlp1cVd1ZFB1YnhwdWUxa3p4Zw", "e": "AQAB", "n": "y68Zlt9DHIXHvH3HMFtY..."},
      {"kty": "EC", "use": "sig", "kid": "dTlESU50RVVjVDA3eWFPV0dMQ2taMC0tbDlWclBjQTBUdkpyNlVhSVBfOA", "crv": "P-256", "x": "IqpTNpOAXTsQVVlO18zzAV1rHI36qBvZv7VbdtniV-c", "y": "JozJQWmYCkvxD4PtUnr6sKXRL8SOj7ggx6WHzQxHgaw"}
    ]
  },
  "iss": "https://my-issuer.example.com:8000",
  "iat": 1732718163,
  "exp": 1732804563
}
```
Two things to check in your own output before publishing it. The top-level `jwks` holds the federation keys that sign this Entity Configuration (and must include the `kid` in the JWS header), while the `jwks` inside `openid_credential_issuer` holds the protocol keys used to sign credentials; do not reuse one key for both roles. The advertised `credential_response_encryption_alg_values_supported` list includes `RSA1_5`, i.e. PKCS#1 v1.5 key transport, which is exposed to Bleichenbacher-style padding-oracle attacks; remove it and keep `RSA-OAEP-256` or the `ECDH-ES` variants.
Authority Hints
The `authority_hints` parameter lists the Entity IDs (URLs) of the Intermediate Entities or Trust Anchors that are Immediate Superiors of the Entity. This tells other federation participants where to fetch the Subordinate Statement about your issuer and thus how to build the trust chain upward.
Add to Configuration: Add `authority_hints` in your issuer's metadata configuration:
```yaml
authority_hints:
  - "https://openidfed-test-1.sunet.se:7001"
```
Purpose: This parameter establishes the hierarchical trust relationship from your issuer to the Trust Anchor. A relying party starts from your Entity Configuration, follows each `authority_hints` entry to the Superior's fetch endpoint, and stops when it reaches a Trust Anchor whose keys it has pinned; an entry that does not name one of your actual Superiors makes your issuer unresolvable.
Trust Marks
Trust Marks are signed JWTs issued by a Trust Mark Issuer that attest that an Entity complies with a federation policy (here, that it is an authorised issuer of a given credential type). The issuer carries them in its Entity Configuration, and relying parties check them as part of trust chain validation.
Types of Trust Marks
The following Trust Marks are available for issuance:
- EHIC Credential, `id`: `http://dc4eu.example.com/EHICCredential/se`
- PDA1 Credential, `id`: `http://dc4eu.example.com/PDA1Credential/se`
Issuing Trust Marks
Inputs to the Trust Mark Issuer:
- `id`: the identifier of the Trust Mark (e.g., `http://dc4eu.example.com/EHICCredential/se`).
- `sub`: the entity's unique identifier (its `entity_id`).
Steps:
1. Supply the `id` and `sub` to the Trust Mark Issuer.
2. Retrieve the issued Trust Mark as a signed JWT.
Validation:
- Use a JWT library to verify the Trust Mark's signature with the Trust Mark Issuer's public key.
- Retrieve the Trust Mark Issuer's public keys. This deployment publishes them at the Trust Mark Issuer's `.well-known/jwks.json` endpoint; the authoritative source in OpenID Federation is the `jwks` in the Trust Mark Issuer's Entity Configuration (`/.well-known/openid-federation`), validated through a trust chain to the Trust Anchor, and the two must agree.
- Accept only asymmetric signature algorithms. A Trust Mark whose header says `alg: none` or an HMAC algorithm cannot have been produced with the Trust Mark Issuer's federation key and must be rejected; note that the `eyJhbGciOiJIUzI1NiIsInR...` placeholders below decode to `"alg":"HS256"`, so a real Trust Mark will not start that way.
- Validate the claims: `iss` must be the Trust Mark Issuer's entity ID, `sub` must be your `entity_id`, `id` must be the Trust Mark identifier you requested, and `iat` must not lie in the future.
Include in Metadata: Add the issued Trust Marks to your issuer's metadata configuration:
```yaml
trust_marks:
  - "eyJhbGciOiJIUzI1NiIsInR..."
  - "eyJhbGciOiJIUzI1NiIsInR..."
```
Testing Trust Marks
1. Decode JWT: Use tools like jwt.io to inspect the Trust Mark's claims and ensure all required fields are present. Treat this as a viewer only; the signature check that counts is the one your own verifier performs against the key you resolved through the federation.
2. Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.
3. Check Expiration: Ensure the `exp` claim (if present) has not expired.
4. Validate References: Follow the `ref` URL (if provided) to confirm compliance with human-readable policy documents.
Trust Anchors
The Trust Anchor (TA) is the root of the federation's trust chain.
Trust Anchor URL:
- For your setup, the Trust Anchor URL (its entity ID) is: `https://openidfed-test-1.sunet.se:7001`
Trust Anchor Keys: Add the Trust Anchor's entity ID and public keys to your configuration:
```yaml
trust_anchors:
  https://openidfed-test-1.sunet.se:7001:
    keys:
      - kty: RSA
        use: sig
        kid: UFpoajluZU42dTNUUXo5RnhBVEJnRk9JY2NtU1JKdlVYUk1RUFRyVkFFRQ
        n: p9S2whcSjmBdxerp80tIJreUUmZiGNGXIocJlNjx9pgD5_WD2l6mBNuEZMpP-QUB_TSV3VesNiqmOdydGp1wkfQ-NmVdoso29FjEdgrckLIwirAVmVQ6bGQQnXJrR56mRz0QqENi11vVpbDj6hsprxK1EZBQL-sQ2kem289B_BCNT-NvwVHrYJlaQA32z7cs1a7W8wt9eLxA10PeiYMgDVU_69wKBw4YrjjozOHKMRGchUQEjQhfSZfk49bip_5TNz4dmBmSCIbdE2yilFrfRSNrh7q2myuyDE3k2QZbSOXXGGT1LtHO74WIY58v-M3A7_zxp0f2Eo9ZD3N4h-InIw
        e: AQAB
      - kty: EC
        use: sig
        kid: Nm82cTJKMDkydXhxOUMtTm0teFpMWlZiR0ZVa2U3YVVtbkJTV3hBd3FqOA
        crv: P-256
        x: 69XlQkKYfWJDXAv_Vbrqyfz9gfAhu1qQ4mtLde18-Cg
        y: ntBwdhy4_cS2PRBS-xdKkNwcO1yQP8TdoOHbHN9Yjv8
```
Purpose: These pinned keys are the root of trust for every trust chain your issuer resolves. The Trust Anchor's Entity Configuration and its Subordinate Statements are verified with them, and the Trust Mark Issuer's keys (and therefore Trust Mark signatures) are trusted only because a chain from them leads back to the Trust Anchor. Obtain the keys out of band from the TA operator rather than from the network alone: a wrong or attacker-supplied key here would let any forged chain validate.
...
Steps to Connect the Issuer
Configure the Issuer:
- Update the issuer's configuration to include `authority_hints`, `trust_marks`, the federation info endpoint, and `trust_anchors`.
Register with the Federation:
- Share your `.well-known/openid-federation` endpoint (i.e., your entity ID) with the Trust Anchor or superior entity for registration.
Validate Configuration:
- Test the issuer using federation testing tools or with the federation's sandbox environment.
Monitor the Connection:
- Regularly verify the federation status and ensure Trust Marks are up-to-date: renew them before their `exp`, and update the pinned `trust_anchors` keys when the Trust Anchor rotates its keys, otherwise chain validation will start failing for your relying parties.
...
Testing the Trust Relationships
...
Validate Trust Marks: Decode the Trust Marks (e.g., with jwt.io) and verify their signatures against the Trust Mark Issuer's public keys, which you resolve through a trust chain that ends at the Trust Anchor's pinned keys.
Retrieve Metadata: Ensure the `.well-known/openid-federation` endpoint correctly serves the issuer's metadata:
```bash
curl -X GET https://your-issuer.example.com/.well-known/openid-federation
```
The response must be a compact JWS served as `Content-Type: application/entity-statement+jwt`; decode its payload and confirm that `iss` equals `sub` and that the `kid` in the JWS header is present in the payload's `jwks`.
Check Authority Hints: Verify that `authority_hints` points to the correct Trust Anchor:
```yaml
authority_hints:
  - "https://openidfed-test-1.sunet.se:7001"
```
Validate Public Keys: Confirm that the Trust Anchor's public keys match the ones provided in the configuration, i.e. compare the `jwks` published in the Trust Anchor's own Entity Configuration with your pinned `trust_anchors` keys by `kid` and key material.
...