...

  • Role: Issues credentials (e.g., EHIC, PDA1) to wallets upon successful interaction.
  • Endpoint: https://satosa-test-1.sunet.se/
  • Notes: Supports credential issuance based on OpenID4VCI protocols.

...

Usage Notes

Metadata Retrieval

...


Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:

```bash
curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation
```

...

The metadata is encoded as a JSON Web Token (JWT), which must be validated and decoded securely.

...

...

Decoding Metadata:

...

Decode the JWT to inspect the payload:

  • Extract the payload (the second segment of the JWT).
  • Decode it using tools such as base64:

    ```bash
    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d
    ```


Validating Metadata Signatures:

To validate the signature of metadata, the public keys of the entity can be represented in one of three ways in the metadata. Each representation has specific handling requirements.

  • jwks (JSON Web Key Set by Value):

    • The keys are embedded directly in the metadata. They are inherently validated as part of the metadata’s cryptographic signature. No additional fetch operation is required.

  • jwks_uri and signed_jwks_uri:

    • jwks_uri: A URI pointing to the JSON Web Key Set hosted by the entity.
    • signed_jwks_uri: A URI pointing to a signed JWT containing the key set.
    • In both cases, the keys must be fetched from the URI:

      ```bash
      curl <jwks-uri>
      ```


    • For signed_jwks_uri, the fetched JWT must also be validated before the keys can be used.

Signature Validation:

Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.

Decoding Metadata After Validation:

Once the metadata’s signature is validated, decode it securely:

  • Extract the payload (the second segment of the JWT).
  • Decode it using tools such as base64:

    ```bash
    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d
    ```

Fetching and Validating Trust Marks:

Trust Marks are also JWTs and must be validated before use:

  • Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:

    ```bash
    curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json
    ```


  • Validate the Trust Mark’s signature against the public keys of the Trust Mark Issuer.

Inspecting Decoded JSON:

  • After validation, use tools like jq to explore the JSON payload:

    ```bash
    echo '<Decoded JSON>' | jq .
    ```


Security Notes:

Always validate JWT signatures using trusted public keys before using the data. Ensure the key’s kid (Key ID) in the JWT header matches a key in the jwks.json document.
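The following is an added example, not code from the page or from the SUNET federation services it describes. It shows the checks a verifier performs on a fetched entity configuration before (and alongside) signature verification: Base64URL decoding with the padding that JWT segments omit (the `tr ... | base64 -d` one-liner above fails on unpadded segments unless `=` padding is restored), matching the header's `kid` against the JWKS, refusing `alg: none`, and checking that an entity configuration is self-issued and inside its validity window. Signature verification itself is left to a JOSE library such as the CryptoJWT named above; the entity id, the key set and the token are constructed placeholders, and the signature segment is dummy bytes.

```python
import base64
import json

# Constructed sample values: a placeholder entity id, a fixed clock, and a
# JWKS with one RSA-shaped key. The key material is NOT a real key.
ENTITY_ID = "https://federation.example.test"   # placeholder entity id
NOW = 1_700_000_000                             # fixed "current time" for the example
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "fed-key-1", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment. JWTs omit '=' padding, and the
    decoder rejects unpadded input, so restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; used only to build the constructed sample."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, payload) of a compact JWS. Neither is trustworthy
    until the signature has been verified; this only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def select_verification_key(header: dict, jwks: dict) -> dict:
    """Pick the JWKS entry the header's kid points at, refusing the cases
    that commonly go wrong: alg=none, missing kid, unknown or ambiguous kid,
    a key whose declared alg disagrees with the header, non-signing keys."""
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned or unknown-alg JWT rejected")
    kid = header.get("kid")
    if not kid:
        raise ValueError("JWT header carries no kid")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"kid {kid!r} not found exactly once in the JWKS")
    key = matches[0]
    if key.get("alg", alg) != alg:
        raise ValueError(f"key alg {key['alg']!r} does not match header alg {alg!r}")
    if key.get("use", "sig") != "sig":
        raise ValueError("selected key is not a signing key")
    return key


def check_entity_configuration_claims(payload: dict, entity_id: str, now: float) -> bool:
    """Claim checks for an entity configuration (the document served from
    /.well-known/openid-federation): it is self-issued, so iss and sub must
    both equal the entity id, and it must be inside its validity window."""
    for claim in ("iss", "sub", "iat", "exp", "jwks"):
        if claim not in payload:
            raise ValueError(f"entity configuration lacks required claim {claim!r}")
    if payload["iss"] != entity_id or payload["sub"] != entity_id:
        raise ValueError("entity configuration must be self-issued (iss == sub == entity id)")
    if payload["exp"] <= now:
        raise ValueError("entity configuration has expired")
    if payload["iat"] > now + 60:  # small allowance for clock skew
        raise ValueError("entity configuration iat lies in the future")
    return True


def make_sample_jwt(kid: str = "fed-key-1") -> str:
    """Build a constructed entity configuration JWT. The signature segment
    is dummy bytes: the example covers the checks that precede signature
    verification, which a JOSE library performs on (token, selected key)."""
    header = {"alg": "RS256", "kid": kid, "typ": "entity-statement+jwt"}
    payload = {"iss": ENTITY_ID, "sub": ENTITY_ID, "iat": NOW - 60,
               "exp": NOW + 3600, "jwks": SAMPLE_JWKS,
               "metadata": {"federation_entity": {"organization_name": "Example"}}}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"\x00" * 32)])  # placeholder signature


def preverify(token: str, jwks: dict, entity_id: str, now: float) -> dict:
    """Run every pre-signature check and return the selected key; the caller
    then hands the token and this key to the JOSE library for verification."""
    header, payload = split_jwt(token)
    key = select_verification_key(header, jwks)
    check_entity_configuration_claims(payload, entity_id, now)
    return key


if __name__ == "__main__":
    print("selected kid:", preverify(make_sample_jwt(), SAMPLE_JWKS, ENTITY_ID, NOW)["kid"])
```

The ordering matters: the key is selected from the header's `kid` before any claim is read, and a token whose `kid` is absent from the trusted JWKS never reaches the claim checks, so the payload is only ever interpreted once a verifiable key has been found.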