...
Metadata Retrieval:
- Retrieve the Entity Configuration from a federation node's /.well-known/openid-federation endpoint:

```bash
curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation
```

- The response is a signed JSON Web Token (JWT, media type application/entity-statement+jwt), not plain JSON. Treat it as untrusted input: validate the signature before acting on any claim it carries.
Validating Metadata Signatures:
- An Entity Configuration is self-signed: the signing key is published in the document's own jwks claim and iss equals sub. Verifying that signature proves integrity and key possession only. The Trust Anchor's public keys are the root of trust for the chain of Subordinate Statements that links the entity to the Trust Anchor, and that chain is what establishes authority.
- Fetch the Trust Anchor's public keys from its /.well-known/jwks.json endpoint:

```bash
curl https://openidfed-test-1.sunet.se:7001/.well-known/jwks.json
```

- Use a library or tool such as CryptoJWT to validate the signature; do not hand-roll JWS verification in production. Select the key by the kid in the JWT header and verify with that key only.
Decoding Metadata After Validation:
- Once the signature has been validated, decode the payload, which is the second dot-separated segment of the JWT. It is base64url-encoded without padding, so translate the alphabet and restore the padding before handing it to base64 (GNU base64 -d rejects unpadded input):

```bash
payload='<Base64URL-encoded payload>'
printf '%s' "$payload" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
```
Fetching and Validating Trust Marks:
- Trust Marks are also JWTs and must be validated before use. Fetch the Trust Mark Issuer's public keys from its /.well-known/jwks.json endpoint:

```bash
curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json
```

- Validate the Trust Mark's signature against the Trust Mark Issuer's public keys, never against the keys of the entity that presents the mark. Then check that sub is the entity the mark is presented for and that exp, if present, has not passed.
Inspecting Decoded JSON:
After validation, use tools like jq to explore the JSON payload:

```bash
echo '<Decoded JSON>' | jq
```
Security Notes:
- Always validate JWT signatures using trusted public keys before using any of the data. Ensure the kid (Key ID) in the JWT header matches a key in the jwks.json document, and verify with that key only.
- A matching kid is a lookup hint, not proof of anything: the JWT header is attacker-controlled until the signature has been verified. Pin the expected alg (reject none and any algorithm the key was not issued for), verify the signature before decoding or using the payload, and check iat and exp.
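The whole procedure above, from decoding an Entity Configuration to validating the Trust Marks it carries, as an added end-to-end example that is not code from the original page or from the SUNET test federation. It uses only the Python standard library: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is implemented directly with pow() so the script runs offline, the 1024-bit demo keys are generated at run time, and the entity identifiers (https://rp.example, https://tmi.example), key IDs and claim values are constructed sample data standing in for what the curl steps would fetch. In production use a vetted library such as CryptoJWT and keys of at least 2048 bits. The Trust Mark identifier claim is named id here; newer drafts of the specification rename it.

```python
import base64, hashlib, json, secrets, time

# base64url (RFC 7515): JWT segments carry no '=' padding, so restore it before decoding.
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Minimal RS256 (RSASSA-PKCS1-v1_5 with SHA-256) so the demo runs offline; production code uses a vetted library.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def generate_rsa_key(bits: int = 1024) -> dict:  # demo size: quick to generate, far too small for production
    def prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(p):
                return p
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % e == 0:  # e is prime, so this is exactly gcd(e, phi) == 1
        q = prime(bits // 2)
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 section 9.2
def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(msg: bytes, sig: bytes, jwk: dict) -> bool:
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))  # compare the whole encoding, constant time
def public_jwk(key: dict, kid: str) -> dict:
    i2b = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": i2b(key["n"]), "e": i2b(key["e"])}

def sign_jwt(claims: dict, key: dict, kid: str, typ: str) -> str:
    head = b64url_encode(json.dumps({"alg": "RS256", "typ": typ, "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(rs256_sign(f"{head}.{body}".encode(), key))
def verify_jwt(token: str, jwks: dict, expected_typ: str, now=None) -> dict:
    # Returns the claims only after alg, typ, kid, signature and time checks pass; raises ValueError otherwise.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))  # attacker-controlled until the signature is verified
    if header.get("alg") != "RS256":  # pin the algorithm: rejects 'none' and key-confusion downgrades
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("typ") != expected_typ:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:  # the kid must select exactly one key from the *trusted* JWKS
        raise ValueError("kid not found in trusted JWKS")
    if not rs256_verify(f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2]), keys[0]):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(parts[1]))  # decode the payload only after the signature checks out
    if claims.get("iat", 0) > now + 60 or ("exp" in claims and now >= claims["exp"]):
        raise ValueError("token not yet valid or expired")
    return claims
def verify_entity_configuration(token: str, now=None) -> dict:
    # Self-signed with a key from its own 'jwks' claim (iss == sub): this proves integrity and key possession
    # only. Authority comes from chaining the entity to a Trust Anchor's keys, which is a separate step.
    unverified = json.loads(b64url_decode(token.split(".")[1]))
    claims = verify_jwt(token, unverified.get("jwks", {}), "entity-statement+jwt", now)
    if claims.get("iss") != claims.get("sub") or "exp" not in claims:
        raise ValueError("not a valid Entity Configuration")
    return claims

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed scenario (sample data, not the page's): a leaf entity whose Entity Configuration carries a
    # Trust Mark, and a Trust Mark Issuer whose JWKS was fetched out of band (the page's curl step).
    tmi_key, leaf_key = generate_rsa_key(), generate_rsa_key()
    tmi_jwks = {"keys": [public_jwk(tmi_key, "tmi-1")]}
    tm_id = "https://tmi.example/marks/sirtfi"  # claim named 'id' here; newer spec drafts use 'trust_mark_type'
    trust_mark = sign_jwt({"iss": "https://tmi.example", "sub": "https://rp.example", "id": tm_id,
                           "iat": now - 10, "exp": now + 3600}, tmi_key, "tmi-1", "trust-mark+jwt")
    entity_config = sign_jwt({"iss": "https://rp.example", "sub": "https://rp.example", "iat": now - 10,
                              "exp": now + 86400, "jwks": {"keys": [public_jwk(leaf_key, "leaf-1")]},
                              "metadata": {"openid_relying_party": {"client_name": "Demo RP"}},
                              "trust_marks": [{"id": tm_id, "trust_mark": trust_mark}]}, leaf_key, "leaf-1",
                             "entity-statement+jwt")
    ec = verify_entity_configuration(entity_config, now)
    # Embedded Trust Marks are verified against the issuer's keys, never against the leaf's own keys.
    marks = [verify_jwt(m["trust_mark"], tmi_jwks, "trust-mark+jwt", now) for m in ec["trust_marks"]]
    if any(m["sub"] != ec["sub"] for m in marks):
        raise ValueError("Trust Mark was issued to a different entity")
    return {"entity_config": ec, "trust_marks": marks, "trust_mark_jwt": trust_mark, "tmi_jwks": tmi_jwks}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script and it prints the verified Entity Configuration and Trust Mark claims. The order of operations in verify_jwt is the point: the header is read only to pick an algorithm and a key, the payload is not decoded until the signature over the first two segments has been checked with that key, and the time claims are checked last. Swapping the order (decoding first, or trusting alg from the header) is what turns a kid mismatch or an alg=none token into an accepted forgery.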