Page History

...

Metadata Retrieval:
- Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:
  Code Block
  language bash
  curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation
- The metadata is encoded as a JSON Web Token (JWT), which must be validated and decoded securely.
Validating Metadata Signatures:
- Use the Trust Anchor’s public keys to validate the signature of the metadata:
  - Fetch the public keys from the Trust Anchor’s /.well-known/jwks.json endpoint:
    Code Block
    language bash
    curl https://openidfed-test-1.sunet.se:7001/.well-known/jwks.js
  - Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.
Decoding Metadata After Validation:
- Once the metadata’s signature is validated, decode it securely:
  - Extract the payload (the second segment of the JWT).
  - Decode it using tools such as base64:
    Code Block
    language bash
    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d
Fetching and Validating Trust Marks:
- Trust Marks are also JWTs and must be validated before use:
  - Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:
    Code Block
    language bash
    curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json
  - Validate the Trust Mark’s signature against the public keys of the Trust Mark Issuer.
Inspecting Decoded JSON:
- After validation, use tools like jq to explore the JSON payload:
  Code Block
  language bash
  echo '<Decoded JSON>' | jq
Security Notes:
- Always validate JWT signatures using trusted public keys before using the data. Ensure the key’s kid (Key ID) in the JWT header matches a key in the jwks.json document.

Page tree

Versions Compared

Old Version 2

New Version 3

Key