...
Signature Validation:
Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.
Decoding Metadata After Validation:
Once the metadata’s signature is validated, decode it securely:
- Extract the payload (the second dot-separated segment of the JWT).
- Decode it with a tool such as base64. The payload is Base64URL-encoded (RFC 7515), so translate the URL-safe alphabet back to standard Base64 first:

    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d

  Base64URL omits the trailing '=' padding; if base64 reports invalid input, append '=' until the length is a multiple of four. Do not act on anything in the payload before the signature has been verified: until then the segments are merely encoded, not protected.
Fetching and Validating Trust Marks:
Trust Marks are represented as JWTs and must be validated before use. Retrieve them from the Entity Configuration Document of the entity they apply to, where they appear under the top-level trust_marks claim as an array of objects, each carrying the Trust Mark identifier (id) and the Trust Mark JWT itself (trust_mark).
The validation of the Trust Mark’s signature aligns with the steps outlined in Validating Metadata Signatures.
Fetch the Trust Mark Issuer’s Metadata:
- Retrieve the Entity Configuration Document of the Trust Mark Issuer from its /.well-known/openid-federation endpoint.
- Follow the steps in Validating Metadata Signatures to validate and decode it, and obtain the issuer’s signing keys from it (its Federation Entity Keys in the jwks claim, or keys published via jwks_uri or signed_jwks_uri).
Validate the Trust Mark:
- Use the validated public keys of the Trust Mark Issuer to verify the cryptographic signature of the Trust Mark JWT. The header should carry typ "trust-mark+jwt", and its kid must select one of those keys.
- Confirm that the Trust Mark is valid and applies to the intended entity: iss must equal the Trust Mark Issuer’s Entity Identifier, sub must equal the Entity Identifier of the entity being evaluated, id must be the Trust Mark identifier you expect, and exp (when present) must not have passed.
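The decoding and Trust Mark validation steps above, carried through as one runnable program. This is an added example, not code from the page, from CryptoJWT or from any OpenID Federation implementation. To run offline with the standard library only, it implements RS256 (RSASSA-PKCS1-v1_5 over SHA-256) and a small RSA key generator by hand; a deployment would use a vetted JOSE library instead. The Entity Identifiers, Trust Mark id and kid are made up for the example, and the issuer’s JWKS is constructed inline in the shape of the jwks claim of an Entity Configuration.

```python
"""Validate an OpenID Federation Trust Mark JWT, stdlib only.

Added example, not code from the page or from CryptoJWT. RS256 is done by hand so
the example runs offline; use a vetted JOSE library in production. Identifiers,
Trust Mark id and kid are invented for the example.
"""
import base64, hashlib, json, secrets, time

# Base64URL (RFC 7515 App. C): encoding drops '=' padding, decoding restores it.
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- demo RSA key generation (Miller-Rabin), just enough to sign and verify ----
def _is_probable_prime(n, rounds=32):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # witness found: composite
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def generate_rsa_jwk(kid, bits=1024):
    """Return (public JWK as it would appear in the issuer's jwks, private exponent d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    n, d = p * q, pow(e, -1, phi)
    to_b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "kid": kid, "use": "sig", "n": to_b64(n), "e": to_b64(e)}, d

# --- RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017 section 9.2) --------------------
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, em_len):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t, "big")

def _jwk_modulus(jwk):
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    return n, int.from_bytes(b64url_decode(jwk["e"]), "big"), (n.bit_length() + 7) // 8

def sign_jwt(header, claims, jwk, d):
    n, _, k = _jwk_modulus(jwk)
    dump = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    s = pow(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), d, n)
    return signing_input + "." + b64url_encode(s.to_bytes(k, "big"))

def verify_jws(jwt, jwks, expected_typ):
    """Return the payload only after the header checks and the RS256 signature pass."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":            # pin the algorithm; never honour 'none'
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if header.get("typ") != expected_typ:
        raise ValueError("unexpected typ %r" % header.get("typ"))
    if "jwk" in header or "jku" in header:      # keys come from the validated JWKS, not the token
        raise ValueError("embedded key material is not trusted")
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"]
    if len(keys) != 1:
        raise ValueError("kid %r not found in trusted JWKS" % header.get("kid"))
    n, e, k = _jwk_modulus(keys[0])
    sig = b64url_decode(s_b64)
    expected = _emsa_pkcs1_v15((h_b64 + "." + p_b64).encode("ascii"), k)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(p_b64))     # decode the payload only now

def validate_trust_mark(tm_jwt, issuer_jwks, issuer, subject, trust_mark_id, now=None):
    """Signature plus the claim checks binding the Trust Mark to one issuer, entity and id."""
    claims = verify_jws(tm_jwt, issuer_jwks, "trust-mark+jwt")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the Trust Mark Issuer")
    if claims.get("sub") != subject:
        raise ValueError("Trust Mark was issued to a different entity")
    if claims.get("id") != trust_mark_id:
        raise ValueError("unexpected Trust Mark id")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("Trust Mark has expired")
    return claims

# --- constructed sample: an issuer, its JWKS and one Trust Mark for an RP -----
TMI, RP = "https://tmi.example.org", "https://rp.example.org"
TM_ID = "https://tmi.example.org/trust-marks/member"

def build_sample():
    jwk, d = generate_rsa_jwk("tmi-key-1")
    now = int(time.time())
    header = {"alg": "RS256", "typ": "trust-mark+jwt", "kid": jwk["kid"]}
    claims = {"iss": TMI, "sub": RP, "id": TM_ID, "iat": now, "exp": now + 3600}
    return {"keys": [jwk]}, sign_jwt(header, claims, jwk, d)

def tamper_subject(jwt, new_sub):
    """Rewrite sub in the payload but keep the old signature (what an attacker might try)."""
    h, p, s = jwt.split(".")
    claims = json.loads(b64url_decode(p))
    claims["sub"] = new_sub
    return h + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s

def rejects(fn, *args, **kwargs):
    """True if the validator raised ValueError for this input."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Calling build_sample() yields the issuer JWKS and a signed Trust Mark; validate_trust_mark() returns the claims for the genuine token and raises for a token whose payload was edited after signing, for a token issued to another entity, and for an expired one (pass a later now to exercise that). Note that verification reuses the encoded header and payload segments exactly as received rather than re-serializing the JSON, since any byte difference would change the signed input.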
Security Notes:
Always validate JWT signatures using trusted public keys before using any of the data. Ensure the kid (Key ID) in the JWT header selects exactly one key in the validated jwks document, and accept only the signature algorithm you expect: reject alg "none", and never take key material from the token itself (the jwk or jku header parameters), since an attacker controls those.