...

  1. Metadata Retrieval:

    • Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:

      Code Block
      languagebash
      curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation
      
      


    • The document is a signed JWT (a JWS in compact serialization, served with the media type application/entity-statement+jwt). Its signature must be verified before any claim in the payload is relied on, and the payload is base64url-encoded, so it must be decoded as base64url rather than plain base64.
  2. Validating Metadata Signatures:

    • Verify the signature with public keys you already trust for that statement, never with the jwks claim carried inside the JWT you are in the middle of verifying. Note that an Entity Configuration is self-signed with a key from its own jwks claim; the Trust Anchor’s keys directly verify the Trust Anchor’s own Entity Configuration and the Subordinate Statements it issues, and a leaf entity’s keys become trustworthy once the chain of Subordinate Statements (following authority_hints) has been resolved up to the Trust Anchor.
      • Fetch the Trust Anchor’s public keys from its /.well-known/jwks.json endpoint:

        Code Block
        languagebash
        curl https://openidfed-test-1.sunet.se:7001/.well-known/jwks.json


      • Use a library such as CryptoJWT (the cryptojwt Python package from the IdentityPython project, written for OpenID-related standards) to verify the signature. Select the verification key by the kid in the JWT header, pin the expected signing algorithm, and treat a signature failure as fatal: nothing in the payload may be used afterwards.
  3. Decoding Metadata After Validation:

    • Once the metadata’s signature is validated, decode it securely:
      • Extract the payload (the second segment of the JWT, between the two dots).
      • It is base64url-encoded (RFC 7515), not plain base64: the alphabet uses - and _ in place of + and /, and the = padding is stripped. Restore both before decoding, otherwise base64 -d rejects the input as invalid:

        Code Block
        languagebash
        payload='<Base64URL-encoded payload>'
        printf '%s' "$payload" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d


  4. Fetching and Validating Trust Marks:

    • Trust Marks are also JWTs and must be validated before use:
      • Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:

        Code Block
        languagebash
        curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json


      • Validate the Trust Mark’s signature against the Trust Mark Issuer’s public keys (selecting the key by kid), then check that its iss is the expected issuer, that its sub is the entity the mark is claimed for, and that it has not expired (exp). A genuine mark issued to a different entity proves nothing about this one.
  5. Inspecting Decoded JSON:

    • After validation, use tools like jq to explore the JSON payload:

      Code Block
      languagebash
      echo '<Decoded JSON>' | jq


  6. Security Notes:

    • Always verify JWT signatures with trusted public keys before using any of the data. Ensure the kid (Key ID) in the JWT header matches exactly one key in the jwks.json document; a missing or unknown kid is a failure, not a reason to try every key.
    • Pin the expected alg and reject anything else, in particular alg none; do not let the header choose the algorithm.
    • Check typ (entity-statement+jwt for Entity Configurations and Subordinate Statements, trust-mark+jwt for Trust Marks), iss, sub, iat and exp after the signature check, and reject expired statements.
    • TLS on the curl request only authenticates the server you fetched from; it does not replace signature validation of the statement itself.
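The steps above carried through in one runnable program, as an added example that is not part of the original page and not code from CryptoJWT or the SUNET test federation. It uses only the Python standard library: base64url decoding with padding restored, kid lookup in a JWKS, RS256 (RSASSA-PKCS1-v1_5 with SHA-256, RFC 8017) verification implemented inline, and the claim checks from the Security Notes, applied to an Entity Configuration and to a Trust Mark. The JWKS passed to each validator is whatever key set the caller has already decided to trust for that statement. The entity identifiers, key IDs, URLs and the trust_marks entry are constructed fixture data, and the keys are built from public Mersenne primes so the run is deterministic and offline; they are demo-only and trivially factorable.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # JWS segments drop '=' padding; restore it or the decoder rejects the input.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _jwk_int(s: str) -> int:
    return int.from_bytes(b64url_decode(s), "big")

# RS256 per RFC 8017: SHA-256 DigestInfo prefix, then EMSA-PKCS1-v1_5 padding.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n, e = _jwk_int(jwk["n"]), _jwk_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def rs256_sign(priv: dict, signing_input: bytes) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")

def demo_key(kid: str, p: int, q: int) -> tuple:
    # DEMO ONLY: deterministic key from caller-supplied primes; real keys come from a CSPRNG-backed generator.
    n, e = p * q, 65537
    pub = {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    return pub, {"kid": kid, "n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def sign_jwt(priv: dict, typ: str, payload: dict) -> str:
    header = {"alg": "RS256", "typ": typ, "kid": priv["kid"]}
    h, p = (b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return f"{h}.{p}." + b64url_encode(rs256_sign(priv, f"{h}.{p}".encode()))

def verify_federation_jwt(token: str, jwks: dict, expected_typ: str, now=None) -> dict:
    """Verify a federation JWT against a JWKS the caller already trusts for it, then
    return the payload. Raises ValueError on any failure; no claim is used before
    the signature check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm: no 'none', no HMAC/RSA confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("typ") != expected_typ:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    kid = header.get("kid")
    keys = [k for k in jwks.get("keys", []) if kid and k.get("kid") == kid and k.get("kty") == "RSA"]
    if len(keys) != 1:
        raise ValueError(f"kid {kid!r} not found (or ambiguous) in JWKS")
    if not rs256_verify(keys[0], f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    payload = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return payload

def validate_entity_configuration(token: str, jwks: dict, entity_id: str, now=None) -> dict:
    ec = verify_federation_jwt(token, jwks, "entity-statement+jwt", now)
    if ec.get("iss") != entity_id or ec.get("sub") != entity_id:  # Entity Configurations are self-issued
        raise ValueError("iss/sub do not name the entity that served the document")
    return ec

def validate_trust_mark(token: str, issuer_jwks: dict, entity_id: str, now=None) -> dict:
    tm = verify_federation_jwt(token, issuer_jwks, "trust-mark+jwt", now)
    if tm.get("sub") != entity_id:  # a genuine mark issued to someone else proves nothing here
        raise ValueError("trust mark subject is not this entity")
    return tm

def failure_reason(fn, *args) -> str:
    """Message of the ValueError a validator raises, or '' when it accepts the token."""
    try:
        fn(*args)
        return ""
    except ValueError as exc:
        return str(exc)

# Constructed fixture, not real federation data. The primes are public Mersenne primes,
# so these moduli are trivially factorable: demo-only keys.
ENTITY, TM_ISSUER, NOW = "https://rp.example", "https://tm-issuer.example", 1_700_000_000
ENTITY_PUB, ENTITY_PRIV = demo_key("entity-k1", 2**521 - 1, 2**127 - 1)
TMI_PUB, TMI_PRIV = demo_key("tmi-k1", 2**607 - 1, 2**107 - 1)
ENTITY_JWKS, TMI_JWKS = {"keys": [ENTITY_PUB]}, {"keys": [TMI_PUB]}
TRUST_MARK = sign_jwt(TMI_PRIV, "trust-mark+jwt", {
    "iss": TM_ISSUER, "sub": ENTITY, "id": "https://federation.example/tm/rp",
    "iat": NOW - 60, "exp": NOW + 3600})
ENTITY_CONFIG = sign_jwt(ENTITY_PRIV, "entity-statement+jwt", {
    "iss": ENTITY, "sub": ENTITY, "iat": NOW - 60, "exp": NOW + 86400,
    "jwks": ENTITY_JWKS, "authority_hints": ["https://ta.example"],
    "metadata": {"openid_relying_party": {"redirect_uris": ["https://rp.example/cb"]}},
    "trust_marks": [{"id": "https://federation.example/tm/rp", "trust_mark": TRUST_MARK}]})

def demo() -> dict:
    ec = validate_entity_configuration(ENTITY_CONFIG, ENTITY_JWKS, ENTITY, NOW)
    tm = validate_trust_mark(ec["trust_marks"][0]["trust_mark"], TMI_JWKS, ENTITY, NOW)
    return {"entity": ec["sub"], "trust_mark_issuer": tm["iss"],
            "redirect_uris": ec["metadata"]["openid_relying_party"]["redirect_uris"]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks is the point: the header is parsed only to pick the algorithm and key, the signature is verified with a key the caller supplied, and only then is the payload decoded and its iss, sub, iat and exp examined. Feeding the Trust Mark to the entity's JWKS, stripping the signature with alg none, or editing the payload all fail before any claim is returned. To use this against a live federation, replace the fixture with the JWT fetched by curl and the JWKS you have established trust in; in production you would keep the check structure and swap the inline RS256 for cryptojwt or another maintained JOSE implementation.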