Disclaimer

This document provides a practical overview of key processes related to metadata and Trust Mark validation in the OpenID Federation. It is not exhaustive and does not cover all aspects of the OpenID Federation 1.0 specification. For complete details, including advanced use cases and comprehensive workflows, refer to the OpenID Federation 1.0 specification.

Implementers are advised to consult the official specification to ensure full compliance and alignment with federation standards.

...

Table of Contents

Introduction

The OpenID Federation forms the backbone of the DC4EU Pilot Wallet ecosystem, enabling secure, scalable, and interoperable interactions between diverse entities such as credential issuers, verifiers, and wallet providers.

...

  • Definition: A JSON Web Key Set (JWKS), a set of public keys in JSON format, typically published at /.well-known/jwks.json.
  • Purpose: Used for verifying the signatures of JWTs.

...

  • Role: The Trust Mark Issuer (TMI) certifies entities’ compliance with federation policies by issuing cryptographic Trust Marks.
  • Endpoint: https://openidfed-test-1.sunet.se:6001
  • Notes: Metadata for the TMI is accessible at: https://openidfed-test-1.sunet.se:6001/.well-known/openid-federation. The TMI’s public keys for verifying Trust Marks are published at: https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json

...

Wallet Provider

  • Role: Acts as the intermediary for wallets to interact with the federation, supporting Wallet Instance registration.
  • Endpoint: https://openidfed-test-1.sunet.se:5001
  • Notes: Metadata for the Wallet Provider is accessible at: https://openidfed-test-1.sunet.se:5001/.well-known/openid-federation

...

Credential Issuer

  • Role: Issues credentials (e.g., EHIC, PDA1) to wallets upon successful interaction.
  • Endpoint: https://satosa-test-1.sunet.se/
  • Notes: Supports credential issuance based on OpenID4VCI protocols.

...

Usage Notes

Metadata Retrieval

...


Retrieve the Entity Configuration Document from a federation node’s /.well-known/openid-federation endpoint:

    curl https://openidfed-test-1.sunet.se:7001/.well-known/openid-federation

...

The metadata is encoded as a JSON Web Token (JWT), which must be validated (its signature verified against trusted keys) and decoded securely before any of its contents are used.

...

Decoding Metadata

Fetch the entity’s public keys from its /.well-known/jwks.json endpoint; these are needed to validate the JWT signature before its contents are trusted:

    curl https://openidfed-test-1.sunet.se:7001/.well-known/jwks.json

Decoding Metadata After Validation:

Decode the JWT to inspect the payload:

  • Extract the payload (the second segment of the JWT).
  • Decode it using tools such as base64 and use tools like jq to explore the JSON payload:

    echo '<Base64URL-encoded payload>' | tr '_-' '/+' | base64 -d | jq

The payload segment is Base64URL-encoded without padding; if base64 -d reports invalid input, append "=" characters to the payload until its length is a multiple of four.


Validating Metadata Signatures:

To validate the signature of metadata, the public keys of the entity can be represented in one of three ways in the metadata. Each representation has specific handling requirements.

  • jwks (JSON Web Key Set by Value):

    • The keys are embedded directly in the metadata. They are inherently validated as part of the metadata’s cryptographic signature. No additional fetch operation is required.

  • jwks_uri and signed_jwks_uri:

    • jwks_uri: A URI pointing to the JSON Web Key Set hosted by the entity.
    • signed_jwks_uri: A URI pointing to a signed JWT containing the key set.
    • In both cases, the keys must be fetched from the URI:

        curl <jwks-uri>

    • For signed_jwks_uri, the fetched JWT must also be validated before the keys can be used.

Signature Validation:
Use a library or tool such as CryptoJWT to validate the signature. CryptoJWT is a Python library specifically designed for OpenID-related standards, including JSON Web Token (JWT) handling and signature verification.

Fetching and Validating Trust Marks:

...

Fetch the Trust Mark Issuer’s public keys from its /.well-known/jwks.json endpoint:

    curl https://openidfed-test-1.sunet.se:6001/.well-known/jwks.json

...

Inspecting Decoded JSON:

After validation, use tools like jq to explore the JSON payload:

...

Security Notes:

Always validate JWT signatures using trusted public keys before using the data. Ensure the key’s kid (Key ID) in the JWT header matches a key in the jwks.json document.
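The validation order described above (fetch the JWKS, match the header kid against it, verify the signature, and only then decode the claims), as an added Python example that is not part of this document or of CryptoJWT. It serves both the metadata and the Trust Mark case through the expected typ value. As an assumption made so the block runs with the standard library alone, it uses a constructed symmetric 'oct' key with HS256 as the signature primitive; real federation entities publish asymmetric keys, for which CryptoJWT performs the same checks.

```python
import base64, hashlib, hmac, json, time
def b64url_decode(seg):
    # JWT segments are Base64URL without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample JWKS with a symmetric 'oct' key so this runs on the standard library alone;
# federation entities publish asymmetric keys, and CryptoJWT does the same kid lookup for those.
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "key-2024", "alg": "HS256",
                         "k": b64url_encode(b"constructed-32-byte-demo-secret!")}]}

def sign_statement(payload, jwk, typ):
    # Builds a compact JWS the way an entity or Trust Mark Issuer would (test input only)
    header = {"alg": "HS256", "typ": typ, "kid": jwk["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, payload))
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_statement(token, jwks, expected_typ, now=None):
    """Validate a signed statement against a JWKS; claims are decoded only after the signature check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three '.'-separated segments)")
    h_seg, p_seg, s_seg = parts
    header = json.loads(b64url_decode(h_seg))
    if header.get("typ") != expected_typ:
        raise ValueError("unexpected typ header: %r" % header.get("typ"))
    if header.get("alg") != "HS256":  # rejects 'none' and any alg the key set does not use
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    # The kid in the JWT header must match exactly one key in the published JWKS
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("kid %r not found in JWKS" % header.get("kid"))
    expected = hmac.new(b64url_decode(matches[0]["k"]), f"{h_seg}.{p_seg}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_seg)):
        raise ValueError("signature verification failed")
    payload = json.loads(b64url_decode(p_seg))
    if payload.get("exp", 0) <= now:
        raise ValueError("statement has expired")
    return payload

def verify_entity_configuration(token, jwks, now=None):
    # An Entity Configuration is an entity statement about itself, so iss must equal sub
    payload = verify_statement(token, jwks, "entity-statement+jwt", now)
    if payload.get("iss") != payload.get("sub"):
        raise ValueError("entity configuration must be self-issued (iss == sub)")
    return payload
```

A Trust Mark fetched from an entity is checked the same way with verify_statement(token, tmi_jwks, "trust-mark+jwt") against the TMI’s published keys.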