...

  • Extract the payload (the second segment of the JWT).
  • Decode it with base64 and use jq to explore the JSON payload:

        p='<Base64URL-encoded payload>'   # pad to a multiple of 4, restore the standard alphabet, then decode
        printf '%s%s' "$p" "$(printf '%*s' $(( (4 - ${#p} % 4) % 4 )) '' | tr ' ' '=')" | tr '_-' '/+' | base64 -d | jq


Validating Metadata Signatures:

...

Fetching and Validating Trust Marks:

Trust Marks are also represented as JWTs and must be validated before use. The validation process aligns with the steps outlined in Validating Metadata Signatures:

Fetch the Trust Mark Issuer’s Metadata:

  • Retrieve the Entity Configuration Document of the Trust Mark Issuer from its /.well-known/openid-federation endpoint, or its published keys from its /.well-known/jwks.json endpoint:

        curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json

  • Follow the steps in Validating Metadata Signatures to decode and validate the metadata to obtain the public keys (jwks, jwks_uri, or signed_jwks_uri).

Validate the Trust Mark:

  • Use the validated public keys of the Trust Mark Issuer to verify the cryptographic signature of the Trust Mark JWT.
  • Confirm that the Trust Mark is valid and applies to the intended entity.

Inspecting Decoded JSON:

...