...
EHIC Credential:
ID: http://dc4eu.example.com/EHICCredential/se
PDA1 Credential:
ID: http://dc4eu.example.com/PDA1Credential/se
...
Retrieving Trust Marks
Inputs to Trust Mark Issuer:
id
: The identifier for the Trust Mark (e.g.,http://dc4eu.example.com/EHICCredential/se
).sub
: The entity's entity_id.
Steps:
Supply the
id
andsub
to the Trust Mark Issuer.Retrieve the issued Trust Mark as a signed JWT.
Validation:
- Use a JWT library to verify the Trust Mark's signature using the Trust Mark Issuer's public key:
- Retrieve public keys from the Trust Mark Issuer's /.well-known/jwks.json endpoint.
- Validate claims such as
iss
,sub
,id
, andiat
for compliance.
- Use a JWT library to verify the Trust Mark's signature using the Trust Mark Issuer's public key:
Include in Metadata: Add issued Trust Marks to your issuer’s metadata:
Code Block language yml trust_marks: - "eyJhbGciOiJIUzI1NiIsInR..." - "eyJhbGciOiJIUzI1NiIsInR..."
How to Add Trust Marks to the vc_up_and_running Issuer
To update the Trust Marks, you need to modify the trust_marks section of the satosa/plugins/oidc_frontend.yaml file. Follow the steps below to replace the existing Trust Marks with the ones received from the federation operator.
Locate the Trust Marks Section
In the current configuration, the trust_marks are defined under:
Code Block language yml trust_marks: - <existing-trust-mark-1> - <existing-trust-mark-2>
You need to replace these values with the new Trust Marks provided by the federation operator.
Example Update
If the federation operator provided the following new Trust Marks:
Code Block language yml eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NWQ2MjY3LTI5MzQtNGJhNy05YjEyLWU4ZmFkNTYwYjZjMyJ9... eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwNTFjZTgzLTY1NzEtNDliYi04ODdjLTc3OWQzMDNmOTRmYyJ9...
Modify the trust_marks section as follows:
Code Block language yml trust_marks: - eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NWQ2MjY3LTI5MzQtNGJhNy05YjEyLWU4ZmFkNTYwYjZjMyJ9... - eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwNTFjZTgzLTY1NzEtNDliYi04ODdjLTc3OWQzMDNmOTRmYyJ9..
Restart the Issuer to Apply Changes
Once you've updated the configuration file, restart the Issuer container to apply the changes:
Code Block language bash ./stop.sh && \ ./start.sh
Verify the Changes
After restarting the Issuer, verify that the new Trust Marks are correctly applied:Code Block language bash curl -k -s https://<issuer-host>:8000/.well-known/openid-federation | cut -d '.' -f2 | tr '_-' '/+' | base64 -d 2>/dev/null | jq .
Look for the updated trust_marks in the JSON response.
Testing Trust Marks
Decode JWT: Use tools like
jwt.io
to inspect the Trust Mark's claims and ensure all required fields are present.Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.
Check Expiration: Ensure the
exp
claim (if present) has not expired.Validate References: Follow the
ref
URL (if provided) to confirm compliance with human-readable policy documents.
...