...
- Role: Issues credentials (e.g., EHIC, PDA1) to wallets upon successful interaction.
- Endpoint: https://satosa-test-1.sunet.se/
- Notes: Supports credential issuance based on OpenID4VCI protocols.
Usage Notes
Metadata Retrieval
Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:

    curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation
The metadata is encoded as a JSON Web Token (JWT), which must be validated and decoded securely.
Decoding Metadata:
Decode the JWT to inspect the payload:
- Extract the payload (the second segment of the JWT).
- Decode it using tools such as base64:

    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d

Base64URL omits the trailing '=' padding, so if base64 reports invalid input, append '=' characters until the segment length is a multiple of four.
Validating Metadata Signatures:
To validate the signature of metadata, the public keys of the entity can be represented in one of three ways in the metadata. Each representation has specific handling requirements.
- jwks (JSON Web Key Set by value): The keys are embedded directly in the metadata. They are inherently validated as part of the metadata’s cryptographic signature. No additional fetch operation is required.
- jwks_uri and signed_jwks_uri:
  - jwks_uri: A URI pointing to the JSON Web Key Set hosted by the entity.
  - signed_jwks_uri: A URI pointing to a signed JWT containing the key set.
  In both cases, the keys must be fetched from the URI:

      curl <jwks-uri>

  For signed_jwks_uri, the fetched JWT must also be validated before the keys can be used.
Signature Validation:
Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.
Decoding Metadata After Validation:
Once the metadata’s signature is validated, decode it securely:
- Extract the payload (the second segment of the JWT).
- Decode it using tools such as base64:

    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d
Fetching and Validating Trust Marks:
Trust Marks are also JWTs and must be validated before use:
- Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:

    curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json

- Validate the Trust Mark’s signature against the public keys of the Trust Mark Issuer.
Inspecting Decoded JSON:
After validation, use tools like jq to explore the JSON payload:

    echo '<Decoded JSON>' | jq
Security Notes:
Always validate JWT signatures using trusted public keys before using the data. Ensure the key’s kid (Key ID) in the JWT header matches a key in the jwks.json document.
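As an added illustration of the key-selection rules above (not code from this page, from SUNET, or from CryptoJWT), the following standard-library Python restores the base64url padding the shell one-liner lacks, splits the JWT, and accepts a signing key only when the header's kid matches exactly one key of a suitable type in the entity's jwks, refusing alg "none" outright. The sample entity configuration, its placeholder modulus and its dummy signature bytes are constructed; the signature check itself is left to CryptoJWT.

```python
import base64
import json

# Constructed allowlist for this example: asymmetric algorithms only, each mapped
# to the JWK key type it needs. "none" and HMAC algorithms never pass this check.
ALLOWED_ALGS = {"RS256": "RSA", "PS256": "RSA", "ES256": "EC"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWS omits '=' padding, so restore it first."""
    if "+" in segment or "/" in segment:
        raise ValueError("segment uses the standard alphabet, not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_jws(token: str) -> dict:
    """Split a compact JWS into header, payload, signing input and signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1])),
            "signing_input": f"{parts[0]}.{parts[1]}".encode("ascii"),
            "signature": b64url_decode(parts[2])}

def select_key(header: dict, jwks: dict) -> dict:
    """Return the single JWK the header's kid names, or refuse to proceed."""
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not permitted")
    if not kid:
        raise ValueError("JWS header carries no kid")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} keys match kid {kid!r}, need exactly 1")
    if matches[0].get("kty") != ALLOWED_ALGS[alg]:
        raise ValueError(f"key type {matches[0].get('kty')!r} does not suit {alg}")
    return matches[0]  # hand this key plus signing_input/signature to CryptoJWT

# Constructed sample: a self-signed entity configuration that publishes its key
# by value in the payload's jwks. Modulus and signature bytes are placeholders.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "n": "placeholder", "e": "AQAB"}]}
SAMPLE_HEADER = {"alg": "RS256", "kid": "k1", "typ": "entity-statement+jwt"}
SAMPLE_PAYLOAD = {"iss": "https://example.test", "jwks": SAMPLE_JWKS}
SAMPLE_TOKEN = ".".join(b64url_encode(p) for p in (
    json.dumps(SAMPLE_HEADER).encode(), json.dumps(SAMPLE_PAYLOAD).encode(), b"\0\0"))
```

For a signed_jwks_uri, run the fetched JWT through the same parse and key selection against the entity's own keys before trusting the key set it carries.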