...
- An understanding of your federation's structure and the required credential types.
- Access to the Trust Anchor (TA) with its entity ID and keys.
- HTTPS is properly set up for your issuer.
...
Key Configuration Points
Federation
...
Entity Configuration Information
The federation info endpoint exposes the issuer's metadata to other configuration endpoint publishes the Entity Configuration document, detailing the issuer’s configuration information for federation participants.
Define the Endpoint:
- The endpoint is defined under the following path:
.well-known/openid-federation
- The endpoint is defined under the following path:
Implementation:
- Ensure this endpoint serves the issuer’s metadata as specified in the OIDC Federation 1.0 standard.
Example Metadata: Here is an example of metadata that can be exposed at the endpoint:
Code Block language js collapse true { "sub": "https://my-issuer.example.com:8000", "metadata": { "federation_entity": { "organization_name": "The OP operator", "contacts": "operations@op.example.com" }, "oauth_authorization_server": { "jwks_uri": "https://my-issuer.example.com:8000/jwks/oauth_authorization_server", "token_endpoint_auth_methods_supported": [], "token_endpoint_auth_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "response_types_supported": [ "code" ], "response_modes_supported": [ "code" ], "acr_values_supported": [], "scopes_supported": [], "authorization_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "request_object_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "claims_parameter_supported": true, "request_parameter_supported": true, "request_object_encryption_alg_values_supported": [], "request_object_encryption_enc_values_supported": [], "code_challenge_methods_supported": [ "plain", "S256", "S384", "S512" ], "deny_unknown_scopes": false, "ui_locales_supported": [], "token_endpoint": "https://my-issuer.example.com:8000/token", "token_endpoint_auth_methods": [ "attest_jwt_client_auth" ], "authorization_endpoint": "https://my-issuer.example.com:8000/authorization", "authorization_endpoint_auth_methods": [ "pushed_authz" ], "pushed_authorization_request_endpoint": "https://my-issuer.example.com:8000/par", "pushed_authorization_request_endpoint_auth_methods": [ "attest_jwt_client_auth" ] }, "openid_credential_issuer": { "attribute_disclosure": { "": [ "given_name", "family_name", "name", "email", "nickname" ] }, "credential_configurations_supported": { "PDA1Credential": { "format": "vc+sd-jwt", "id": "eudiw.pda1.se", "cryptographic_binding_methods_supported": [ "jwk" ], "cryptographic_suites_supported": [ "RS256", "RS512", "ES256", "ES512" ], "display": { "name": "Swedish PDA1 Provider Example", "locale": "en-US" }, "vct": "PDA1Credential", "credential_definition": { "type": [ "PDA1Credential" ], "credentialSubject": { "family_name": { "display": [ { "locale": "en-US", "name": "Current Family Name" } ], "mandatory": true }, "given_name": { "display": [ { "locale": "en-US", "name": "Current First Name" } ], "mandatory": true }, "birth_date": { "display": [ { "locale": "en-US", "name": "Birth date" } ] } } } }, "EHICCredential": { "format": "vc+sd-jwt", "id": "eudiw.ehic.se", "cryptographic_binding_methods_supported": [ "jwk" ], "cryptographic_suites_supported": [ "RS256", "RS512", "ES256", "ES512" ], "display": { "name": "Swedish EHIC Provider Example", "locale": "en-US" }, "vct": "EHICCredential", "credential_definition": { "type": [ "EHICCredential" ], "credentialSubject": { "family_name": { "display": [ { "locale": "en-US", "name": "Current Family Name" } ], "mandatory": true }, "given_name": { "display": [ { "locale": "en-US", "name": "Current First Name" } ], "mandatory": true }, "birth_date": { "display": [ { "locale": "en-US", "name": "Birth date" } ] } } } } }, "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "ODR1b1ZjUEpsRzVhVHBSaWxLR1hxQ2x3WTU2ZVFDcnVsMXBmdEF5WUM4UQ", "e": "AQAB", "n": "vqLXJgOHZn7YFqL78Kth6vP..." }, { "kty": "EC", "use": "sig", "kid": "YzIwZjJEaFJxU0NOLXJ5MS1mSXgyLUp5RWNZb3I4M1lRMDVhQWxMUjhsZw", "crv": "P-256", "x": "FdYslsTybViEudE4T-gyBrcKeZNleH9-QajFYVpOYW8", "y": "If-rr6KWEEnC_R8N93SrcQRn4E7lC4WXOqgANj-o0UE" }, { "kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw" }, { "kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw" } ] }, "credential_response_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW" ], "credential_response_encryption_enc_values_supported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ], "require_credential_response_encryption": false, "credentials_supported": [ "vp_token" ], "credential_endpoint": "https://my-issuer.example.com:8000/credential", "credential_endpoint_auth_methods": [ "dpop_client_auth" ] } }, "authority_hints": [ "https://trust-anchor.example.com:7001" ], "trust_marks": [ "eyJhbGciOiJSUzI1Ni...", "eyJhbGciOiJSUzI1N..." ], "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "VmhPQndmVDNja09ZYTQ4UlM3eWl2Z3BxMlp1cVd1ZFB1YnhwdWUxa3p4Zw", "e": "AQAB", "n": "y68Zlt9DHIXHvH3HMFtY..." }, { "kty": "EC", "use": "sig", "kid": "dTlESU50RVVjVDA3eWFPV0dMQ2taMC0tbDlWclBjQTBUdkpyNlVhSVBfOA", "crv": "P-256", "x": "IqpTNpOAXTsQVVlO18zzAV1rHI36qBvZv7VbdtniV-c", "y": "JozJQWmYCkvxD4PtUnr6sKXRL8SOj7ggx6WHzQxHgaw" } ] }, "iss": "https://my-issuer.example.com:8000", "iat": 1732718163, "exp": 1732804563 }
...