Disclaimer
This document provides a practical overview of key processes related to metadata and Trust Mark validation in the OpenID Federation. It is not exhaustive and does not cover all aspects of the OpenID Federation 1.0 specification. For complete details, including advanced use cases and comprehensive workflows, refer to the OpenID Federation 1.0 specification.
Implementers are advised to consult the official specification to ensure full compliance and alignment with federation standards.
...
Table of Contents
Introduction
The OpenID Federation forms the backbone of the DC4EU Pilot Wallet ecosystem, enabling secure, scalable, and interoperable interactions between diverse entities such as credential issuers, verifiers, and wallet providers.
...
- Definition: A set of public keys in JSON format (a JWK Set), typically published at /.well-known/jwks.json.
- Purpose: Used for verifying the signatures of JWTs. In OpenID Federation the authoritative copy of an entity's keys is the jwks claim inside its signed Entity Configuration; a separately published jwks.json is a convenience and must agree with it.
...
- Role: The Trust Mark Issuer (TMI) certifies entities' compliance with federation policies by issuing cryptographically signed Trust Marks.
- Endpoint: https://openidfed-test-1.sunet.se:6001
- Notes: The TMI's public keys for verifying Trust Marks are published at https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json. Metadata (the Entity Configuration) for the TMI is accessible at https://openidfed-test-1.sunet.se:6001/.well-known/openid-federation.
...
Wallet Provider
- Role: Acts as the intermediary for wallets to interact with the federation, supporting Wallet Instance registration.
- Endpoint: https://openidfed-test-1.sunet.se:5001
- Notes: Metadata for the Wallet Provider is accessible at https://openidfed-test-1.sunet.se:5001/.well-known/openid-federation
...
Credential Issuer
- Role: Issues credentials (e.g., EHIC, PDA1) to wallets after a successful issuance interaction.
- Endpoint: https://satosa-test-1.sunet.se/
- Notes: Supports credential issuance based on the OpenID4VCI protocol.
...
Signature Validation:
Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification. Pin the accepted algorithms (e.g., RS256, ES256) and reject alg "none".
Decoding Metadata After Validation:
An Entity Configuration is self-signed: the key that verifies it is carried in the jwks claim of its own payload. The payload therefore has to be parsed first, as untrusted input, to locate the key matching the header's kid; only after the signature verifies, and the statement is chained to a Trust Anchor, may its contents be treated as trusted. Once the signature is validated, decode the payload:
...
Decode it using tools such as base64. JWT segments are Base64URL without "=" padding, which base64 -d rejects, so restore the padding and translate the URL-safe alphabet first:

```bash
seg='<Base64URL-encoded payload>'
# restore the '=' padding that JWS strips, then map the URL-safe alphabet back
case $(( ${#seg} % 4 )) in 2) seg="$seg==";; 3) seg="$seg=";; esac
printf '%s' "$seg" | tr '_-' '/+' | base64 -d
```
Fetching and Validating Trust Marks:
Trust Marks are also represented as JWTs (header typ "trust-mark+jwt") and must be validated before use. The validation process aligns with the steps outlined in Validating Metadata Signatures:
Fetch the Trust Mark Issuer's Metadata:
- Retrieve the Entity Configuration Document of the Trust Mark Issuer from its /.well-known/openid-federation endpoint.
- Follow the steps in Validating Metadata Signatures to validate and decode the metadata and obtain the TMI's public keys (jwks, jwks_uri, or signed_jwks_uri).
Validate the Trust Mark:
- Use the validated public keys of the Trust Mark Issuer to verify the cryptographic signature of the Trust Mark JWT; the kid in the Trust Mark header must match one of those keys, and the iss claim must be the TMI's Entity Identifier.
- Confirm that the Trust Mark applies to the intended entity (sub), carries the expected Trust Mark identifier (id), has not expired (exp, when present), and that the Trust Anchor authorizes this issuer for that identifier (trust_mark_issuers in the Trust Anchor's Entity Configuration).
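The two procedures above (validating a self-signed Entity Configuration, then using its keys to validate a Trust Mark) as one offline walk-through. This is an added example, not DC4EU or CryptoJWT code: the identifiers, key and tokens are constructed for the demo, and signature verification is implemented for HS256 only so the file runs with the standard library. Real federation statements are signed with RS256/ES256, and in production that one step would be delegated to a JOSE library such as CryptoJWT; the kid lookup, alg pinning and claim checks are the same.

```python
# Added example (not DC4EU or cryptojwt code). HS256 is used only so this runs
# offline with the standard library; federation keys are RSA/EC in practice.
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"RS256", "ES256", "HS256"}  # alg "none" is never acceptable


def b64url_decode(s: str) -> bytes:
    """JWT segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def split_jws(token: str):
    """Header and payload are UNTRUSTED until the signature verifies."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode(), b64url_decode(s)


def select_key(jwks: dict, kid) -> dict:
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"kid {kid!r} not found (or ambiguous) in JWKS")
    return matches[0]


def verify_signature(header: dict, key: dict, signing_input: bytes, signature: bytes) -> None:
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {alg!r}")
    if alg == "HS256":  # demo-only path
        mac = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, signature):
            raise ValueError("signature verification failed")
        return
    raise NotImplementedError("RS256/ES256: delegate to cryptojwt or jwcrypto")


def check_times(payload: dict, now: int, exp_required: bool = True) -> None:
    if payload.get("iat", now + 1) > now:
        raise ValueError("iat missing or in the future")
    if exp_required and "exp" not in payload:
        raise ValueError("exp missing")
    if "exp" in payload and payload["exp"] <= now:
        raise ValueError("statement has expired")


def verify_entity_configuration(token: str, entity_id: str, now: int) -> dict:
    header, payload, signing_input, signature = split_jws(token)
    if header.get("typ") != "entity-statement+jwt":
        raise ValueError("wrong typ for an Entity Statement")
    if payload.get("iss") != entity_id or payload.get("sub") != entity_id:
        raise ValueError("Entity Configuration must be issued by and about entity_id")
    # Self-signed: the verification key comes from the not-yet-verified payload.
    key = select_key(payload.get("jwks", {}), header.get("kid"))
    verify_signature(header, key, signing_input, signature)
    check_times(payload, now)
    return payload  # authentic, but trustworthy only once chained to a Trust Anchor


def verify_trust_mark(token: str, tmi_id: str, tmi_jwks: dict, expected_sub: str, expected_id: str, now: int) -> dict:
    header, payload, signing_input, signature = split_jws(token)
    if header.get("typ") != "trust-mark+jwt":
        raise ValueError("wrong typ for a Trust Mark")
    key = select_key(tmi_jwks, header.get("kid"))  # keys from the TMI's validated Entity Configuration
    verify_signature(header, key, signing_input, signature)
    if payload.get("iss") != tmi_id:
        raise ValueError("Trust Mark not issued by the expected TMI")
    if payload.get("sub") != expected_sub:
        raise ValueError("Trust Mark applies to a different entity")
    if payload.get("id") != expected_id:
        raise ValueError("unexpected Trust Mark identifier")
    check_times(payload, now, exp_required=False)  # exp is optional in Trust Marks
    return payload


# ---- constructed sample data: hypothetical identifiers and a throwaway key ----
TMI = "https://tmi.example"
WALLET = "https://wallet-provider.example"
MARK_ID = "https://federation.example/trust-marks/wallet-provider"
NOW = 1_700_000_000
TMI_KEY = hashlib.sha256(b"demo-only").digest()
TMI_JWKS = {"keys": [{"kty": "oct", "kid": "tmi-1", "k": b64url_encode(TMI_KEY)}]}


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    h, p = (b64url_encode(json.dumps(x).encode()) for x in (header, payload))
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())


def build_samples():
    """A TMI Entity Configuration and a Trust Mark it issued to the Wallet Provider."""
    ec = sign_hs256({"alg": "HS256", "typ": "entity-statement+jwt", "kid": "tmi-1"},
                    {"iss": TMI, "sub": TMI, "iat": NOW, "exp": NOW + 3600, "jwks": TMI_JWKS}, TMI_KEY)
    tm = sign_hs256({"alg": "HS256", "typ": "trust-mark+jwt", "kid": "tmi-1"},
                    {"iss": TMI, "sub": WALLET, "id": MARK_ID, "iat": NOW, "exp": NOW + 3600}, TMI_KEY)
    return ec, tm


def strip_signature(token: str) -> str:
    """alg=none downgrade attempt: same payload, header rewritten, empty signature."""
    h, p, _ = token.split(".")
    return f"{b64url_encode(json.dumps(dict(json.loads(b64url_decode(h)), alg='none')).encode())}.{p}."


def rejected(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> str:
    ec, tm = build_samples()
    tmi_conf = verify_entity_configuration(ec, TMI, NOW)          # self-signed, keys from its own jwks
    mark = verify_trust_mark(tm, TMI, tmi_conf["jwks"], WALLET, MARK_ID, NOW)
    return mark["sub"]


if __name__ == "__main__":
    print("Trust Mark valid for", demo())
```

The order matters: the Trust Mark is checked against the key set taken from the TMI's already-verified Entity Configuration, never against keys named in the Trust Mark itself, and the alg is pinned before any key material is touched, so an alg "none" token is rejected regardless of its header and payload.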
Inspecting Decoded JSON:
After validation, use tools like jq to explore the decoded JSON payload (for example, the metadata and jwks claims of an Entity Configuration):
...
...
Security Notes:
Always validate JWT signatures using trusted public keys before using the data. Ensure the kid (Key ID) in the JWT header matches exactly one key in the jwks.json document or the jwks claim of the validated Entity Configuration. Take the key set only from those validated sources, never from a URL or key embedded in the unverified token (for example a jku or x5u header). Restrict the accepted alg values to those the federation uses and reject alg "none", and check iat and exp before acting on any claim.