Versions Compared

Old Version 9

changes.mady.by.user Rasmus Larsson

Saved on

compared with

New Version 10

changes.mady.by.user Stefan Halen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Role: Issues credentials (e.g., EHIC, PDA1) to wallets upon successful interaction.
  • Endpoint: https://satosa-test-1.sunet.se/
  • Notes: Supports credential issuance based on OpenID4VCI protocols.

...

Usage Notes

Metadata Retrieval

...


Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:

Code Block
languagebash
curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation

...

The metadata is encoded as a JSON Web Token (JWT), which must be validated and decoded securely
...
...
Decoding Metadata
...
:
...
Decode the JWT to inspect the payload:
  • Extract the payload (the second segment of the JWT).
  • Decode it using tools such as base64
...
  • :
     Code Block
    languagebash
...
  • echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -

Validating Metadata Signatures:
To validate the signature of metadata, the public keys of the entity can be represented in one of three ways in the metadata. Each representation has specific handling requirements.
  • jwks (JSON Web Key Set by Value):
    • The keys are embedded directly in the metadata. They are inherently validated as part of the metadata’s cryptographic signature. No additional fetch operation is required.
  • jwks_uri and signed_jwks_uri:
    • jwks_uri: A URI pointing to the JSON Web Key Set hosted by the entity.
    • signed_jwks_uri: A URI pointing to a signed JWT containing the key set.
    • In both cases, the keys must be fetched from the URI:
       Code Block
      languagebash
      curl <jwks-uri>

    • For signed_jwks_uri, the fetched JWT must also be validated before the keys can be used.
Signature Validation:
Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.
Decoding Metadata After Validation:
Once the metadata’s signature is validated, decode it securely:
  • Extract the payload (the second segment of the JWT).
  • Decode it using tools such as base64:
     Code Block
    languagebash
    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d
Fetching and Validating Trust Marks:
Trust Marks are also JWTs and must be validated before use:
  • Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:
     Code Block
    languagebash
    curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json

  • Validate the Trust Mark’s signature against the public keys of the Trust Mark Issuer.
Inspecting Decoded JSON:
  • After validation, use tools like jq to explore the JSON payload:
     Code Block
    languagebash
    echo '<Decoded JSON>' | jq

Security Notes:
Always validate JWT signatures using trusted public keys before using the data. Ensure the key’s kid (Key ID) in the JWT header matches a key in the jwks.json document.