...
Trust Anchor: Root of trust. Defines policies and signs metadata.
Resolver: Provides trust chain resolution services, enabling entities to validate metadata against the Trust Anchor.Intermediate: Manages subordinate entities and aggregates metadataBuilds and returns validated trust chains by following authority hints and subordinate statements, allowing entities to establish trust with a Trust Anchor.
Trust Mark Issuer: Issues signed Trust Marks certifying compliance with federation requirements.
Intermediate: Manages subordinate entities and aggregates metadata.
OpenID Provider: Authenticates users and issues tokens under federation policies.
...
curl -s: fetches the JWT,-ssilences progress.cut -d '.' -f2: extracts the payload from the JWT (middle part).tr '_-' '/+': translates Base64URL alphabet into standard Base64.base64 -d: decodes the payload.jq .: pretty-prints the JSON.
Nodes
The following base nodes are available in the Swefed OIDF Sandboxoperated by the federation operator and form the core of the Swefed OIDF Sandbox. These nodes provide the trust anchor, resolution services, and supporting infrastructure.
Additional nodes such as OpenID Providers (OPs), Relying Parties (RPs), and further intermediates are contributed and managed by Sandbox participants.
Trust Anchor
- URL:
https://trust-anchor.oidf.swefed.se - Role: Root of trust. Publishes federation policies and signing keys.
- Provides federation endpoints:
fetch,list,resolve.
...
- All nodes expose their Entity Configuration at
/.well-known/openid-federation. - Trust chains must always be validated against the Trust Anchor.
- JWT signatures must be verified with the published keys from trusted entities.
- Trust Marks must be validated against with the Trust Mark Issuer’s published metadatakeys, provided the issuer’s trust chain resolves to the Trust Anchor.
Entity Integration
This section explains how to connect an entity to the Swefed Sandbox Trust Infrastructure. It covers metadata exposure, configuration of trust anchors, authority hints, and trust marks.
...
| Code Block | ||
|---|---|---|
| ||
{
"sub": "https://my-entity.example.com",
"authority_hints": [
"https://mimy-intermediate.example.org"
],
"metadata": {
"federation_entity": {
"organization_name": "Example Org",
"contacts": ["support@example.com"]
},
"oauth_authorization_server": {
"token_endpoint": "https://my-entity.example.com/token",
"authorization_endpoint": "https://my-entity.example.com/authorize",
"jwks_uri": "https://my-entity.example.com/jwks/oauth"
}
},
"jwks": {
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "example-key-id",
"e": "AQAB",
"n": "example-modulus"
}
]
}
} |
...
The Trust Anchor is the root of the Trust Infrastructure’s federation’s trust chain. Trust Anchors establish trust within the federation by defining policies and anchoring trust It defines policies and anchors all subordinate chains.
For configuration, you must add both the Trust Anchor’s entity identifier and its public keys:
- Trust Anchor URL: For your setup, the Trust Anchor URL is:
Entity ID (URL):
https://trust-anchor.oidf.swefed.se
Trust Anchor Public Keys
: Add the Trust Anchor’s public keys to the configuration(JWKS):
Code Block language js { "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "d2ZPZDVKa0Z4N1J4LTB2VWM1VFFhTUdSdnU3czZKQzhwc1F1U3ZHWEV3SQJI0SzIoDD4gaEzmLUgKGj-eu5jkTpEHW1JKk7OGdyiQ", "n": "jSDBu2-S3Z2-HN2ToJv3zQWe0lizg2VNq4Y68Xy1513nAv1fa9p1Sw5YRyhWUxCUnWnNCmGS5g11-Npqco8A7XUGzroYgOmD_1Pv0xBhOFpVQDwzLs7vmyaH2GiHDrUGBHVUJrdpjMsT5YD3xw39hQLDVlZ9qZeS4U0jUhGR4qoF5f4KuFxSb6OykDRvMcP2jSf6fvLw5oKg5b16LqLcAB-LVLC43QRXDRj1zAUMuuBa4n_dwyRG0aF2FsNsLnwvWLVGTrcSuwdnagl_T8oLLE_X5HtWQyOn0dmS_zbVZnkzxxso9usuMD4f-7BDTZq5kWRa-HUBqjpEOOcEp-ix-Q", "e": "AQAB", }, "n": "lzLK1jAEMh4duP6Ym_pHWXYJZkJ-LuJvPHqIuQrxZnEhB4ODpA0hfj9g2UdBBVzbZdhOXKg9ObTQhG_TTISDliyjKAphxF5EObMpPtCoy_ImZ262zRdK4nii6AGVuABd5777GEBIwb-zZncWypjCX-1T6CBVECi4DnoHGDHDWhBTcIa9DE6ZDAjAgrKeiDz96gOL3BrGTYHDkjIpp__FP9dZJXJjgDV2n0cvC_MDmp8N8C-Rc1vd63lpmoXxvIqBy8bSM8jXSDxPTNkcJdlducNo9sR9j-7TsGdgE9PNK-iVzyp67QnmokreMCHx3NExkmi-MfkHrPAHwE_OneNVhw" { }"kty": "EC", {"use": "sig", "kty": "EC", "kid": "pj4FG-prDKHyUrliyQb55zFOG3jwu_ivRPWnlB9YgKc", "usecrv": "sigP-256", "kidx": "R180Y3dtOWY2TzVoU3NYT1I2OUcyay0waWdVYVJ2YkFQZmRqaDBJZHZPMAXO0BmxPvPM7kfkfXwpXWOpF8Zm_-xwe_lfz6NWz4dxA", "crvy": "P-256",tXrhZ592sNhS1h3J79_d9kB-nphMLSUkegJ99ak1s-4" } "x": "OSKZj-f9PT5UKWHiQ-VdhY-gfh0h-dA_weaYFqfkuUg", "y": "4y8u3C-CMWySQFMHN0tvafgwKWbDLS5XSQEo83HupyY" } ] } ] }
Authority Hints
The authority_hints parameter specifies the URL of the Intermediate Entities or Trust Anchors that are Immediate Superiors of the entity. This helps other Trust Infrastructure participants understand upstream trust relationships.
...
To register, you must prepare a JSON document that includes your entity identifier, declared entity types, and public keys.
Start with this template:
a JSON document that includes your entity identifier, declared entity types, and public keys.
Start with this template:
| Code Block | ||
|---|---|---|
| ||
{
"<entity-identifier> | ||
| Code Block | ||
| ||
{ "<entity-identifier>": { "entity_types": [ "federation_entity", "<additional-entity-types>" ], "jwks": { "keysentity_types": [ { "kty": "RSAfederation_entity", "use": "sig","<additional-entity-types>" ], "kidjwks": "example-kid",{ "keys": [ "n": "example-n-value", { "e": "AQAB<Key 1>" }, { "<Key 2>" } ] } } } |
Instructions
Replace
<entity-identifier>with the entity_id of your entity (typically its HTTPS URL).Every entity must include
federation_entityas one of its types.Add the entity types that apply to your role in the Sandbox:
openid_relying_partyfor RPs.openid_providerfor OPs.oauth_authorization_serverfor entities acting as OAuth 2.0 AS.
Place your public keys in the
"jwks"section. Only public key parameters are included. Private key material must never be published.
...
| Code Block | ||
|---|---|---|
| ||
{
"https://entity.example.com": {
"entity_types": [
"federation_entity",
"openid_provider",
"oauth_authorization_server"
],
"jwks": {
"keys": [
{
"kty": {"EC",
"keys": [
"use": "sig",
{
"ktykid": "RSAcFFvS3F3ZEZkZXFDS3VtamR2WlI2UEFBNG9neTFMdi1JOFlNdkxHODJWOA",
"usecrv": "sigP-256",
"kidx": "abc123QFPmIUbY-lTLavyqzT-GqVKHCE28ng5QTWzbC3kMMJ8",
"ny": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAF...vRK1LZjF3DSRqEflUwCf5obg86yWvv2Iekae7A5u35E",
"ed": "AQABW5kLTh8IKEY0U281a7ZmGYbFAzV5kq0SjacTIufKBYM"
}
]
}
}
} |
This registration document should be submitted to the Sandbox operator to complete onboarding of the entity.
...
The following Trust Marks are available for issuance:
- Sambi:
...
- ID: https://trust-mark.oidf.swefed.se/sambi
Retrieving Trust Marks
Trust Marks will be supplied on request.
- Inputs to Trust Mark Issuer operator:
id: The identifier for the Trust Mark.sub: The entity's entity Identifier.
- Steps:
- Supply the
idandsubto the Trust Mark Issuer. - Retrieve the issued Trust Mark as a signed JWT.
- Supply the
- Include in Metadata: Add issued Trust Marks to your entity’s metadata:
...
- configuration:
Testing Trust Marks
- Decode JWT: Use tools like
jwt.ioto inspect the Trust Mark's claims and ensure all required fields are present. - Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.
- Check Expiration: Ensure the
expclaim (if present) has not expired. - Validate References: Follow the
refURL (if provided) to confirm compliance with human-readable policy documents.
...