FederationGodaccurate CRT

The document outlines various technical specifications and configurations related to OpenID and OAuth 2.0, including deployment variables, trust chains, and entity statements for both OpenID Providers (OP) and Relying Parties (RP). It provides examples of JSON structures for metadata policies, token endpoint authentication methods, and federation endpoints. Additionally, it discusses the handling of cryptographic keys and algorithms used in the authentication processes.


From fcf2c51061e629a67b1e8b3e760302e3769320ba Mon Sep 17 00:00:00 2001

From: keith T bieszczat <163609752+grateful345@users.noreply.github.com>


Date: Sat, 9 Nov 2024 01:25:34 -0600
Subject: [PATCH] Update Federation President
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

$AWS_SECRET

# Deployment variables will only work within deployment steps in bitbucket-pipelines.yaml

image: atlassian/default-image:2
pipelines:
  default:
    - step:
        script:
          - <script>
    - step:
        name: Deploy to Test
        deployment: Test
        script:
          - echo $DEPLOYMENT_VARIABLE


GET /openid/authorization?
request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJhMDF3Umtoa1NXc
GxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbWhFUVhnelpYbHBUemRR
TkEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic2NvcGUiOiAi
b3BlbmlkIHByb2ZpbGUgZW1haWwiLCAiY2xpZW50X2lkIjogImh0dHB
zOi8vd2lraS5saWdvLm9yZyIsICJzdGF0ZSI6ICIyZmY3ZTU4OS0zOD
Q4LTQ2ZGEtYTNkMi05NDllMTIzNWU2NzEiLCAibm9uY2UiOiAiZjU4M
WExODYtYWNhNC00NmIzLTk0ZmMtODA0ODQwODNlYjJjIiwgInJlZGly
ZWN0X3VyaSI6ICJodHRwczovL3dpa2kubGlnby5vcmcvb3BlbmlkL2N
hbGxiYWNrIiwgImlzcyI6ICIiLCAiaWF0IjogMTU5MzU4ODA4NSwgIm
F1ZCI6ICJodHRwczovL29wLnVtdS5zZSJ9.cRwSFNcDx6VsacAQDcIx
5OAt_Pj30I_uUKRh04N4QJd6MZ0f50sETRv8uspSt9fMa-5yV3uzthX
_v8OtQrV33gW1vzgOSRCdHgeCN40StbzjFk102seDwtU_Uzrcsy7KrX
YSBp8U0dBDjuxC6h18L8ExjeR-NFjcrhy0wwua7Tnb4QqtN0QCia6DD
8QBNVTL1Ga0YPmMdT25wS26wug23IgpbZB20VUosmMGgGtS5yCI5AwK
Bhozv-oBH5KxxHzH1Oss-RkIGiQnjRnaWwEOTITmfZWra1eHP254wFF
2se-EnWtz1q2XwsD9NSsOEJwWJPirPPJaKso8ng6qrrOSgw
&response_type=code
&client_id=https%3A%2F%2Fwiki.ligo.org
&redirect_uri=https%3A%2F%2Fwiki.ligo.org/openid/callback
&scope=openid+profile+email
HTTP/1.1
Host: op.umu.se
pipelines:
  default:
    - step:
        script:
          - expr 10 / $MY_HIDDEN_NUMBER
          - echo $

<myhiddennumber>

<< SECRET_PROVIDER_URI>>

docker container run ... -e SECRET_PROVIDER_URI="http://secret.provider/endpoint" ...

<start.sh>

./start.sh ... --secretProviderUri "http://secret.provider/endpoint" ...

<Start.ps1>

.\start ... -secretProviderUri "http://secret.provider/endpoint" ...

   .----------------.              .----------------.
   | Trust Anchor A |              | Trust Anchor B |
   '------.--.------'              '----.--.--.-----'
          |  |                          |  |  |
   .------'  '---.   .------------------'  |  |
   |             |   |                     |  |
.--v-.     .-----v---v----.   .------------'  |
| OP |     | Intermediate |   |               |
'----'     '--.--.--.-----'   |       .-------v------.
              |  |  |         |       | Intermediate |
     .--------'  |  '------.  |       '---.--.--.----'
     |           |         |  |           |  |  |
  .--v-.      .--v-.    .--v--v.     .----'  |  '----.
  | RP |      | RS |    |  OP  |     |       |       |
  '----'      '----'    '------'     |    .--v-.   .-v--.
                                     |    | RP |   | RP |
                                     |    '----'   '----'
                                     |
                              .------v-------.
                              | Intermediate |
                              '----.--.--.---'
                                   |  |  |
                            .------'  |  '-----.
                            |         |        |
                         .--v-.    .--v-.   .--v-.
                         | OP |    | RP |   | AS |
                         '----'    '----'   '----'

{
"https://openid.net/certification/op": ["*"],
"https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf":
["https://swamid.se"]
}
The following is a non-normative example of an Entity Statement before adding a
signature. The example contains a critical extension jti (JWT ID) to the Entity
Statement and one critical extension to the policy language regexp (Regular
expression).

{
  "iss": "https://feide.no",
  "sub": "https://ntnu.no",
  "iat": 1516239022,
  "exp": 1516298022,
  "crit": ["jti"],
  "jti": "7l2lncFdY6SlhNia",
  "policy_language_crit": ["regexp"],
  "metadata": {
    "openid_provider": {
      "issuer": "https://ntnu.no",
      "organization_name": "NTNU"
    },
    "oauth_client": {
      "organization_name": "NTNU"
    }
  },
  "metadata_policy": {
    "openid_provider": {
      "id_token_signing_alg_values_supported":
        {"subset_of": ["RS256", "RS384", "RS512"]},
      "op_policy_uri": {
        "regexp":
          "^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"}
    },
    "oauth_client": {
      "grant_types": {
        "subset_of": ["authorization_code", "client_credentials"]
      }
    }
  },
  "constraints": {
    "max_path_length": 2
  },
  "jwks": {
    "keys": [
      {
        "alg": "RS256",
        "e": "AQAB",
        "key_ops": ["verify"],
        "kid": "key1",
        "kty": "RSA",
        "n": "pnXBOusEANuug6ewezb9J_...",
        "use": "sig"
      }
    ]
  }
}
3.2. Trust Chain

{
"keys": [
{
"kty": "RSA",
"kid": "SUdtUndEWVY2cUFDeDV5NVlBWDhvOXJodVl2am1mNGNtR0pmd",
"n": "y_Zc8rByfeRIC9fFZrDZ2MGH2ZnxLrc0ZNNwkNet5rwCPYeRF3Sv
5nihZA9NHkDTEX97dN8hG6ACfeSo6JB2P7heJtmzM8oOBZbmQ90n
EA_JCHszkejHaOtDDfxPH6bQLrMlItF4JSUKua301uLB7C8nzTxm
tF3eAhGCKn8LotEseccxsmzApKRNWhfKDLpKPe9i9PZQhhJaurwD
kMwbWTAeZbqCScU1o09piuK1JDf2PaDFevioHncZcQO74Obe4nN3
oNPNAxrMClkZ9s9GMEd5vMqOD4huXlRpHwm9V3oJ3LRutOTxqQLV
yPucu7eHA7her4FOFAiUk-5SieXL9Q",
"e": "AQAB"
},
{
"kty": "EC",
"kid": "MFYycG1raTI4SkZvVDBIMF9CNGw3VEZYUmxQLVN2T21nSWlkd3",
"crv": "P-256",
"x": "qAOdPQROkHfZY1daGofOmSNQWpYK8c9G2m2Rbkpbd4c",
"y": "G_7fF-T8n2vONKM15Mzj4KR_shvHBxKGjMosF6FdoPY"
}
],
"iss": "https://example.org/op",
"iat": 1618410883
}

The following is a non-normative example of an RP's Entity Configuration:

{
"iss": "https://openid.sunet.se",
"sub": "https://openid.sunet.se",
"iat": 1516239022,
"exp": 1516298022,
"metadata": {
"openid_relying_party": {
"application_type": "web",
"redirect_uris": [
"https://openid.sunet.se/rp/callback"
],
"organization_name": "SUNET",
"logo_uri": "https://www.sunet.se/sunet/images/32x32.png",
"grant_types": [
"authorization_code",
"implicit"
],
"signed_jwks_uri":"https://openid.sunet.se/rp/signed_jwks.jose",
"jwks_uri": "https://openid.sunet.se/rp/jwks.json"
}
},
"jwks": {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"key_ops": [
"verify"
],
"kid": "key1",
"kty": "RSA",
"n": "pnXBOusEANuug6ewezb9J_...",
"use": "sig"
}
]
},
"authority_hints": [
"https://edugain.org/federation"
]
}
{
"iss":"https://op.umu.se",
"sub":"https://op.umu.se",
"exp":1568397247,
"iat":1568310847,
"metadata":{
"openid_provider":{
"issuer":"https://op.umu.se/openid",
"signed_jwks_uri":"https://op.umu.se/openid/signed_jwks.jose",
"authorization_endpoint":"https://op.umu.se/openid/authorization",
"client_registration_types_supported":[
"automatic",
"explicit"
],
"grant_types_supported":[
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"id_token_signing_alg_values_supported":[
"ES256",
"RS256"
],
"logo_uri":"https://www.umu.se/img/umu-logo-left-neg-SE.svg",
"op_policy_uri":"https://www.umu.se/en/legal-information/",
"response_types_supported":[
"code",
"code id_token",
"token"
],
"subject_types_supported":[
"pairwise",
"public"
],
"token_endpoint":"https://op.umu.se/openid/token",
"federation_registration_endpoint":"https://op.umu.se/openid/fedreg",
"token_endpoint_auth_methods_supported":[
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt"
],
"pushed_authorization_request_endpoint":"https://op.umu.se/openid/par",
"request_authentication_methods_supported": {
"authorization_endpoint": [
"request_object"
],
"pushed_authorization_request_endpoint": [
"request_object",
"private_key_jwt",
"tls_client_auth",
"self_signed_tls_client_auth"
]
}
}
},
"authority_hints":[
"https://umu.se"
],
"jwks":{
"keys":[
{
"e":"AQAB",
"kid":"dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
"kty":"RSA",
"n":"x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
}
]
}
}
"federation_entity": {
"federation_fetch_endpoint":
"https://example.com/federation_fetch",
"federation_list_endpoint":
"https://example.com/federation_list",
"federation_trust_mark_status_endpoint": "https://example.com/status",
"federation_trust_mark_list_endpoint": "https://example.com/trust_marked_list",
"organization_name": "The example cooperation",
"homepage_uri": "https://www.example.com"
}

"id_token_signed_response_alg": {
"default": "ES256",
"one_of" : ["ES256", "ES384", "ES512"]
}
Which fits into a metadata policy like this:

"metadata_policy" : {
"openid_relying_party": {
"id_token_signed_response_alg": {
"default": "ES256",
"one_of" : ["ES256", "ES384", "ES512"]
}
}
}

{
  "grant_types": {
    "subset_of": ["authorization_code", "implicit", "refresh_token"],
    "superset_of": ["authorization_code"],
    "default": ["authorization_code", "refresh_token"]
  },
  "token_endpoint_auth_method": {
    "one_of": [
      "client_secret_post",
      "client_secret_basic"
    ]
  },
  "contacts": {
    "add": "helpdesk@federation.example.org"
  }
}
An organization's policy for OAuth 2.0 clients:

{
"grant_types": {
"subset_of": ["authorization_code", "refresh_token"],
"default": ["authorization_code", "refresh_token"]
},
"token_endpoint_auth_method": {
"one_of": [
"client_secret_post",
"client_secret_basic"
],
"default": "client_secret_basic"
},
"contacts": {
"add": "helpdesk@org.example.org"
}
}
The combined metadata policy then becomes:

{
"grant_types": {
"subset_of": ["authorization_code", "refresh_token"],
"superset_of": ["authorization_code"],
"default": ["authorization_code", "refresh_token"]
},
"token_endpoint_auth_method": {
"one_of": [
"client_secret_post",
"client_secret_basic"
],
"default": "client_secret_basic"
},
"contacts": {
"add": [
"helpdesk@federation.example.org",
"helpdesk@org.example.org"
]
}
}

{
"contacts": [
"rp_admins@cs.example.com"
],
"redirect_uris": [
"https://cs.example.com/rp1"
],
"response_types": [
"code"
]
}
The federation's policy for RPs:

{
"id_token_signed_response_alg": {
"one_of": [
"ES256",
"ES384"
],
"default": "ES256"
},
"response_types": {
"subset_of": [
"code",
"code id_token"
]
}
}
The organization's policy for RPs:

{
"metadata_policy": {
"openid_relying_party": {
"contacts": {
"add": "helpdesk@example.com"
},
"logo_uri": {
"one_of": [
"https://example.com/logo_small.svg",
"https://example.com/logo_big.svg"
],
"default": "https://example.com/logo_small.svg"
}
}
},
"metadata": {
"openid_relying_party": {
"policy_uri": "https://example.com/policy.html",
"tos_uri": "https://example.com/tos.html"
}
}
}
After applying the policies above, the metadata for the Entity in question would
become:

{
"contacts": [
"rp_admins@cs.example.com",
"helpdesk@example.com"
],
"logo_uri": "https://example.com/logo_small.svg",
"policy_uri": "https://example.com/policy.html",
"tos_uri": "https://example.com/tos.html",
"id_token_signed_response_alg": "ES256",
"response_types": [
"code"
],
"redirect_uris": [
"https://cs.example.com/rp1"
]
}
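The operator semantics behind the two combinations above (subset_of and one_of intersect, add and superset_of take the union, value and default must agree) and the application order (value, add and default modify; one_of, subset_of, superset_of and essential then check) are easy to get subtly wrong, and a wrong merge is a policy bypass: a subordinate that could loosen a superior's subset_of would let a leaf advertise grant types the federation forbids. The following Python is an added example, not code from the page or from any federation implementation. It reproduces both worked results above from the page's own policies (with the organization's grant_types subset_of taken as authorization_code and refresh_token, which is what yields the combined subset_of shown); everything else it assumes is stated in its comments.

```python
class PolicyError(ValueError):
    """Conflicting policies, or metadata that violates the combined policy."""


def as_list(value):
    return list(value) if isinstance(value, list) else [value]


def merge_policies(superior: dict, subordinate: dict) -> dict:
    """Combine one entity type's metadata_policy from a superior with a subordinate's.
    value and default must agree; add and superset_of take the union; one_of and subset_of
    the intersection; essential is true if either side says so. Order matters: the superior
    goes first, so a subordinate can only narrow what it inherits."""
    merged = {param: dict(ops) for param, ops in superior.items()}
    for param, ops in subordinate.items():
        out = merged.setdefault(param, {})
        for op, val in ops.items():
            if op not in out:
                out[op] = val
            elif op in ("value", "default"):
                if out[op] != val:
                    raise PolicyError(f"{param}.{op}: {out[op]!r} conflicts with {val!r}")
            elif op in ("add", "superset_of"):
                have = as_list(out[op])
                out[op] = have + [v for v in as_list(val) if v not in have]
            elif op in ("one_of", "subset_of"):
                out[op] = [v for v in out[op] if v in val]
                if not out[op]:
                    raise PolicyError(f"{param}.{op}: the intersection is empty")
            elif op == "essential":
                out[op] = bool(out[op]) or bool(val)
            else:  # unknown operators are extensions; refuse rather than guess their meaning
                raise PolicyError(f"{param}: unsupported policy operator {op!r}")
    return merged


def apply_policy(policy: dict, metadata: dict) -> dict:
    """Apply a combined policy to one entity type's metadata. value, add and default
    modify the metadata; one_of, subset_of, superset_of and essential then check it."""
    md = dict(metadata)
    for param, ops in policy.items():
        if "value" in ops:
            md[param] = ops["value"]
        if "add" in ops:
            have = as_list(md.get(param, []))
            md[param] = have + [v for v in as_list(ops["add"]) if v not in have]
        if "default" in ops and param not in md:
            md[param] = ops["default"]
        if param not in md:
            if ops.get("essential"):
                raise PolicyError(f"{param}: essential parameter is missing")
            continue
        if "one_of" in ops and md[param] not in ops["one_of"]:
            raise PolicyError(f"{param}: {md[param]!r} is not one of {ops['one_of']}")
        if "subset_of" in ops:
            md[param] = [v for v in as_list(md[param]) if v in ops["subset_of"]]
        if "superset_of" in ops and not set(ops["superset_of"]) <= set(as_list(md[param])):
            raise PolicyError(f"{param}: must contain all of {ops['superset_of']}")
    return md


# Policies and leaf metadata taken from the page's two worked examples.
FEDERATION_CLIENT_POLICY = {
    "grant_types": {"subset_of": ["authorization_code", "implicit", "refresh_token"],
                    "superset_of": ["authorization_code"],
                    "default": ["authorization_code", "refresh_token"]},
    "token_endpoint_auth_method": {"one_of": ["client_secret_post", "client_secret_basic"]},
    "contacts": {"add": "helpdesk@federation.example.org"},
}
ORGANIZATION_CLIENT_POLICY = {
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"],
                    "default": ["authorization_code", "refresh_token"]},
    "token_endpoint_auth_method": {"one_of": ["client_secret_post", "client_secret_basic"],
                                   "default": "client_secret_basic"},
    "contacts": {"add": "helpdesk@org.example.org"},
}
FEDERATION_RP_POLICY = {
    "id_token_signed_response_alg": {"one_of": ["ES256", "ES384"], "default": "ES256"},
    "response_types": {"subset_of": ["code", "code id_token"]},
}
ORGANIZATION_RP_POLICY = {
    "contacts": {"add": "helpdesk@example.com"},
    "logo_uri": {"one_of": ["https://example.com/logo_small.svg", "https://example.com/logo_big.svg"],
                 "default": "https://example.com/logo_small.svg"},
}
ORGANIZATION_RP_METADATA = {"policy_uri": "https://example.com/policy.html",
                            "tos_uri": "https://example.com/tos.html"}
RP_METADATA = {"contacts": ["rp_admins@cs.example.com"],
               "redirect_uris": ["https://cs.example.com/rp1"], "response_types": ["code"]}


def combined_client_policy() -> dict:
    return merge_policies(FEDERATION_CLIENT_POLICY, ORGANIZATION_CLIENT_POLICY)


def resolved_rp_metadata() -> dict:
    resolved = apply_policy(merge_policies(FEDERATION_RP_POLICY, ORGANIZATION_RP_POLICY), RP_METADATA)
    resolved.update(ORGANIZATION_RP_METADATA)  # metadata a superior sets directly is applied last
    return resolved
```

merge_policies refuses an operator it does not know. That is the safe default for a verifier: the page's entity statement example declares regexp through policy_language_crit, and an implementation that silently skipped a critical operator it cannot evaluate would accept metadata the policy was written to reject.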

{
"naming_constraints": {
"permitted": [
"https://.example.com"
],
"excluded": [
"https://east.example.com"
]
},
"max_path_length": 2,
"allowed_leaf_entity_types": ["openid_provider", "openid_relying_party"]
}
{
"iss": "https://rp.example.it/spid/",
"sub": "https://rp.example.it/spid/",
"iat": 1516239022,
"exp": 1516298022,
"trust_marks": [
{
"id": "https://www.spid.gov.it/certification/rp/",
"trust_mark":
"eyJraWQiOiJmdWtDdUtTS3hwWWJjN09lZUk3Ynlya3N5a0E1bDhPb2RFSXVyOH"
"JoNFlBIiwidHlwIjoidHJ1c3QtbWFyaytqd3QiLCJhbGciOiJSUzI1NiJ9.eyJ"
"pc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vc"
"nAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHB"
"zOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJsb2dvX3Vya"
"SI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9"
"sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvZG9jcy9zc"
"GlkLWNpZS1vaWRjLWRvY3MvaXQvdmVyc2lvbmUtY29ycmVudGUvIn0.AGf5Y4M"
"oJt22rznH4i7Wqpb2EF2LzE6BFEkTzY1dCBMCK-8P_vj4Boz7335pUF45XXr2j"
"x5_waDRgDoS5vOO-wfc0NWb4Zb_T1RCwcryrzV0z3jJICePMPM_1hZnBZjTNQd"
"4EsFNvKmUo_teR2yzAZjguR2Rid30O5PO8kJtGaXDmz-rWaHbmfLhlNGJnqcp9"
"Lo1bhkU_4Cjpn2bdX7RN0JyfHVY5IJXwdxUMENxZd-VtA5QYiw7kPExT53XcJO"
"89ebe_ik4D0dl-vINwYhrIz2RPnqgA1OdbK7jg0vm8Tb3aemRLG7oLntHwqLO-"
"gGYr6evM2_SgqwA0lQ9mB9yhw"
}
],
"metadata": {
"openid_relying_party": {
"application_type": "web",
"client_registration_types": ["automatic"],
"client_name": "https://rp.example.it/spid/",
"contacts": [
"ops@rp.example.it"
],

... follows other claims ...

An example of a decoded Trust Mark issued to an RP, attesting the conformance to a
national public service profile:

{
"id":"https://federation.id/openid_relying_party/public/",
"iss": "https://trust-anchor.gov.id",
"sub": "https://rp.cie.id",
"iat": 1579621160,
"organization_name": "Organization name",
"policy_uri": "https://rp.cie.id/privacy_policy",
"tos_uri": "https://rp.cie.id/info_policy",
"service_documentation": "https://rp.cie.id/api/v1/get/services",
"ref": "https://rp.cie.id/documentation/manuale_operativo.pdf"
}
+-----+                        +-----+                         +-------------+
| RP  |                        | OP  |                         | TrustAnchor |
+-----+                        +-----+                         +-------------+
   |                              |                                   |
   |  Entity Configuration Request|                                   |
   |<-----------------------------|                                   |
   |                              |                                   |
   |  Entity Configuration Response                                   |
   |----------------------------->|                                   |
   |                              |                                   |
   |                              | Evaluates authority_hints         |
   |                              |--------------------------         |
   |                              |                         |         |
   |                              |<-------------------------         |
   |                              |                                   |
   |                              | Entity Configuration Request      |
   |                              |---------------------------------->|
   |                              |                                   |
   |                              | Entity Configuration Response     |
   |                              |<----------------------------------|
   |                              |                                   |
   |                              | Obtains Fetch endpoint            |
   |                              |-----------------------            |
   |                              |                      |            |
   |                              |<----------------------            |
   |                              |                                   |
   |                              | Request Entity Statement about the RP
   |                              |---------------------------------->|
   |                              |                                   |
   |                              | Entity Statement about the RP     |
   |                              |<----------------------------------|
   |                              |                                   |
   |                              | Evaluates the Trust Chain         |
   |                              |--------------------------         |
   |                              |                         |         |
   |                              |<-------------------------         |
   |                              |                                   |
   |                              | Applies metadata policies         |
   |                              |--------------------------         |
   |                              |                         |         |
   |                              |<-------------------------         |
   |                              |                                   |
   |                              | Derives the RP's final metadata   |
   |                              |--------------------------------   |
   |                              |                               |   |
   |                              |<-------------------------------   |
   |                              |                                   |
8.2. Validating a Trust Chain

As

An example of a decoded Trust Mark issued to an RP, attesting its conformance to
the rules for data management of underage users:

{
"id":"https://federation.id/openid_relying_party/private/under-age",
"iss": "https://trust-anchor.gov.id",
"sub": "https://rp.cie.id",
"iat": 1579621160,
"organization_name": "Organization name",
"policy_uri": "https://rp.cie.id/privacy_policy",
"tos_uri": "https://rp.cie.id/info_policy"
}

An example of a Trust Mark attesting a stipulation of an agreement between an RP
and an Attribute Authority:

{
"id": "https://deleghedigitali.gov.it/openid_relying_party/sgd/",
"iss": "https://deleghedigitali.gov.it",
"sub": "https://rp.cie.id",
"iat": 1579621160,
"logo_uri": "https://deleghedigitali.gov.it/sgd-cmyk-150dpi-90mm.svg",
"organization_type": "public",
"id_code": "123456",
"email": "info@rp.cie.id",
"organization_name#it": "Nome dell'organizazzione",
"policy_uri#it": "https://rp.cie.id/privacy_policy",
"tos_uri#it": "https://rp.cie.id/info_policy",
"service_documentation": "https://rp.cie.id/api/v1/get/services",
"ref": "https://deleghedigitali.gov.it/documentation/manuale_operativo.pdf"
}
An example of a Trust Mark asserting conformance to a security profile:

{
"iss": "https://secusign.org",
"sub": "https://example.com/op",
"iat": 1579621160,
"id": "https://secusign.org/level/A",
"logo_uri": "https://secusign.org/static/levels/
certification-level-A-150dpi-90mm.svg",
"ref": "https://secusign.org/conformances/"
}
An example of a decoded self-signed Trust Mark:

{
"iss": "https://example.com/op",
"sub": "https://example.com/op",
"iat": 1579621160,
"id": "https://openid.net/certification/op",
"logo_uri": "http://openid.net/wordpress-content/uploads/2016/
05/oid-l-certification-mark-l-cmyk-150dpi-90mm.svg",
"ref": "https://openid.net/wordpress-content/uploads/2015/
09/RolandHedberg-pyoidc-0.7.7-Basic-26-Sept-2015.zip"
}
An example of a third-party accreditation authority:

{
"iss": "https://swamid.se",
"sub": "https://umu.se/op",
"iat": 1577833200,
"exp": 1609369200,
"id": "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf"
}
GET /.well-known/openid-federation HTTP/1.1
Host: openid.sunet.se

200 OK
Content-Type: application/entity-statement+jwt

{
"iss": "https://openid.sunet.se",
"sub": "https://openid.sunet.se",
"iat": 1516239022,
"exp": 1516298022,
"metadata": {
"openid_provider": {
"issuer": "https://openid.sunet.se",
"signed_jwks_uri": "https://openid.sunet.se/jwks.jose",
"authorization_endpoint":
"https://openid.sunet.se/authorization",
"client_registration_types_supported": [
"automatic",
"explicit"
],
"grant_types_supported": [
"authorization_code"
],
"id_token_signing_alg_values_supported": [
"ES256", "RS256"
],
"logo_uri":
"https://www.umu.se/img/umu-logo-left-neg-SE.svg",
"op_policy_uri":
"https://www.umu.se/en/website/legal-information/",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"pairwise",
"public"
],
"token_endpoint": "https://openid.sunet.se/token",
"federation_registration_endpoint":
"https://op.umu.se/openid/fedreg",
"token_endpoint_auth_methods_supported": [
"private_key_jwt"
]

}
},
"jwks": {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"key_ops": [
"verify"
],
"kid": "key1",
"kty": "RSA",
"n": "pnXBOusEANuug6ewezb9J_...",
"use": "sig"
}
]
},
"authority_hints": [
"https://edugain.org/federation"
]
}

GET /federation_fetch_endpoint?
iss=https%3A%2F%2Fedugain.org%2Ffederation&
sub=https%3A%2F%2Fopenid%2Esunet%2Ese HTTP/1.1
Host: edugain.org

200 OK
Content-Type: application/entity-statement+jwt

{
"iss": "https://edugain.org/federation",
"sub": "https://openid.sunet.se",
"exp": 1568397247,
"iat": 1568310847,
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
"kty": "RSA",
"n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
}
]
},
"metadata":{
"federation_entity": {
"organization_name":"SUNET"
}
},
"metadata_policy": {
"openid_provider": {
"subject_types_supported": {
"value": [
"pairwise"
]
},
"token_endpoint_auth_methods_supported": {
"default": [
"private_key_jwt"
],
"subset_of": [
"private_key_jwt",
"client_secret_jwt"
],
"superset_of": [
"private_key_jwt"
]
}
}
}
}
GET /resolve?
sub=https%3A%2F%2Fop.example.it%2Fspid&
type=openid_provider&
anchor=https%3A%2F%2Fswamid.se HTTP/1.1
Host: openid.sunet.se

{
"iss": "https://resolver.spid.gov.it/",
"sub": "https://op.example.it/spid/",
"iat": 1516239022,
"exp": 1516298022,
"metadata": {
"openid_provider": {
"contacts": ["legal@example.it", "technical@example.it"],
"logo_uri":
"https://op.example.it/static/img/op-logo.svg",
"op_policy_uri":
"https://op.example.it/en/about-the-website/legal-information/",
"federation_registration_endpoint":"https://op.example.it/spid/fedreg/",
"authorization_endpoint":
"https://op.example.it/spid/authorization/",
"token_endpoint": "https://op.example.it/spid/token/",
"response_types_supported": [
"code",
"code id_token",
"token"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"subject_types_supported": ["pairwise"],
"id_token_signing_alg_values_supported": ["RS256"],
"issuer": "https://op.example.it/spid/",
"jwks": {
"keys": [
{
"kty": "RSA",
"use": "sig",
"n": "1Ta-sE ...",
"e": "AQAB",
"kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs"
}
]
}
}
},
"trust_marks": [
{"id": "https://www.spid.gov.it/certification/op/",
"trust_mark":
"eyJhbGciOiJSUzI1NiIsImtpZCI6Ijh4c3VLV2lWZndTZ0hvZjFUZTRPVWRjeT"
"RxN2RKcktmRlJsTzV4aEhJYTAifQ.eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkL"
"mdvdi5pdCIsInN1YiI6Imh0dHBzOi8vb3AuZXhhbXBsZS5pdC9zcGlkLyIsIml"
"hdCI6MTU3OTYyMTE2MCwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZ"
"XJ0aWZpY2F0aW9uL29wLyIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5"
"nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0c"
"HM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWN"
"uaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9"
}
],
"trust_chain" : [
"eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
"eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...",
"eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..."
]
}

GET /list HTTP/1.1
Host: openid.sunet.se

7.3.2. Subordinate Listing Response

A successful response MUST use the HTTP status code 200 and the content type set to
application/json, containing a JSON array with the known Entity Identifiers.

If the response is negative, the response should be produced in accordance with
what is defined in Section 7.7.

The following is a non-normative example of a response, containing the Subordinate
Entities:

200 OK
Content-Type: application/json

[
"https://ntnu.andreas.labs.uninett.no/",
"https://blackboard.ntnu.no/openid/callback",
"https://serviceprovider.andreas.labs.uninett.no/application17"
]

POST /federation_trust_mark_status_endpoint HTTP/1.1
Host: op.example.org
Content-Type: application/x-www-form-urlencoded

sub=https%3A%2F%2Fopenid.sunet.se%2FRP
&id=https%3A%2F%2Frefeds.org%2Fsirtfi

200 OK
Content-Type: application/json

{
"active": true
}

GET /trust_marked_list?trust_mark_id=https%3A%2F%2Ffederation.example.org
%2Fopenid_relying_party%2Fprivate%2Funder-age HTTP/1.1
Host: trust-mark-issuer.example.org

200 OK
Content-Type: application/json

[
"https://blackboard.ntnu.no/openid/rp",
"https://that-rp.example.org"
]
GET /.well-known/openid-federation-historical-jwks HTTP/1.1
Host: trust-anchor.example.com

HTTP/1.1 200 OK
Content-Type: application/jwk-set+jwt

{
"iss": "https://trust-anchor.federation.example.com",
"iat": 123972394272,
"keys":
[
{
"kty":"RSA",
"n":"5s4qi …",
"e":"AQAB",
"kid":"2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
"iat": 123972394872,
"exp": 123974395972
},
{
"kty":"RSA",
"n":"ng5jr …",
"e":"AQAB",
"kid":"8KnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMJJr",
"iat": 123972394872,
"exp": 123974394972,
"revoked": {
"revoked_at": 123972495172,
"reason": "keyCompromise",
"reason_code": 1
}
}
]
}
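A verifier that meets an old Entity Statement or Trust Mark signed with a key that has since been rotated needs this historical key set, and the decision is more than "is the kid present": the signing time must fall inside the key's own iat/exp window and must precede any revocation. The following Python is an added example, not code from the page or from any federation software. It uses the key set above (the modulus values stay abbreviated as on the page) and makes one conservative choice of its own that the page does not state: a key revoked for keyCompromise is refused for its entire lifetime, because the actual compromise time is unknown.

```python
# Historical key set copied from the page; "n" values are abbreviated there and kept so.
HISTORICAL_KEYS = {
    "iss": "https://trust-anchor.federation.example.com",
    "iat": 123972394272,
    "keys": [
        {"kty": "RSA", "n": "5s4qi ...", "e": "AQAB",
         "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
         "iat": 123972394872, "exp": 123974395972},
        {"kty": "RSA", "n": "ng5jr ...", "e": "AQAB",
         "kid": "8KnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMJJr",
         "iat": 123972394872, "exp": 123974394972,
         "revoked": {"revoked_at": 123972495172, "reason": "keyCompromise", "reason_code": 1}},
    ],
}


def key_usable_at(historical_jwks: dict, kid: str, signed_at: int,
                  distrust_compromised_entirely: bool = True) -> bool:
    """Decide whether a signature made at `signed_at` with key `kid` may still be accepted.
    The key must be in the set, `signed_at` must fall inside the key's own iat/exp window,
    and any revocation must postdate the signature. distrust_compromised_entirely is this
    example's own conservative choice, not a rule the page states: a key revoked for
    keyCompromise is refused for its whole lifetime, since the real compromise time is unknown."""
    key = next((k for k in historical_jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        return False
    if not key.get("iat", 0) <= signed_at < key.get("exp", float("inf")):
        return False
    revoked = key.get("revoked")
    if revoked is None:
        return True
    if distrust_compromised_entirely and revoked.get("reason") == "keyCompromise":
        return False
    return signed_at < revoked["revoked_at"]
```

The function answers only "may this key vouch for a signature made at that time"; the signature itself is still verified with the key, and `signed_at` has to come from a source the verifier trusts, such as the iat of the statement being checked rather than a timestamp supplied by the party presenting it.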
7.6.3

400 Bad Request
Content-Type: application/json

{
"error": "invalid_request",
"error_description":
"Required request parameter [sub] was missing."
}
<private_key_jwt>
{
"alg": "RS256",
"kid": "that-kid-which-points-to-a-jwk-contained-in-the-trust-chain",
"trust_chain" : [
"eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
"eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...",
"eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..."
]
}
.
{
"aud": "https://op.example.org",
"client_id": "https://rp.example.com",
"exp": 1589699162,
"iat": 1589699102,
"iss": "https://rp.example.com",
"jti": "4d3ec0f81f134ee9a97e0449be6d32be",
"nonce": "4LX0mFMxdBjkGmtx7a8WIOnB",
"redirect_uri": "https://rp.example.com/authz_cb",
"response_type": "code",
"scope": "openid profile email address phone",
"state": "YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ"
}
The following is a non-normative example of an Authentication Request using the
request parameter (with line wraps within values for display purposes only):

https://server.example.com/authorize?
redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb
&scope=openid+profile+email+address+phone
&response_type=code
&client_id=https%3A%2F%2Frp.example.com
&request=eyJ0cnVzdF9jaGFpbiI6WyJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2SW1z
MU5FaFJkRVJwWW5sSFkzTTVXbGRXVFdaMmFVaG0gLi4uIiwiZXlKaGJHY2lPaUpT
VXpJMU5pSXNJbXRwWkNJNklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUJZMEpT
IC4uLiIsImV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJa0pZZG1aeWJHNW9R
VTExU0ZJd04yRnFWVzFCWTBKUyAuLi4iXSwiYWxnIjoiUlMyNTYiLCJraWQiOiI2
X2VGcGNoNXpTYm1QT3hMdGRGLXlrM1dqVFJvUGpBMll6UTd5YnJmV2dvIn0.eyJh ... .Gjo1NSYAx5PIllnUJhRCzZT-ezqyofU95pnGsgzclTfj
cYCwSef_g2cniIWX4-35cAYR-NcAGEzaDIvQgzQ90O_24HlCtZ6yvUlb65uhZGGt
O1TvsI7bl-92yrYCKD8fmaWH73R7qXZ8uLNspRy0L4emGXdUrFJ8RozE5asEdY_L
_1orhot6uwWWrYE5cSyxJqCk_G1ackqKRmOlHB3EX3pNmVZodz6DQyONLeBqiMId
xpvVALEkmpAQavEwrfpA-s4K3QIJrKAbEVQ1AfyQR0cGDd7fF4bju-wigYhBura0
Pv4PrEFSNYG22b5ZPoubTPoFe-7W5Ypec_Io1aXNDA

                   eduGAIN
                      |
    +-----------------+-----------------+
    |                                   |
  SWAMID                            InCommon
    |                                   |
  umu.se                                |
    |                                   |
op.umu.se                         wiki.ligo.org

POST /par HTTP/1.1


Host: op.example.org
Content-Type: application/x-www-form-urlencoded

redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb
&scope=openid+profile+email+address+phone
&response_type=code
&nonce=4LX0mFMxdBjkGmtx7a8WIOnB
&state=YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ
&client_id=https%3A%2F%2Frp.example.com
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJ
hMDF3Umtoa1NXcGxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbW
hFUVhnelpYbHBUemRRTkEifQ.eyJzdWIiOiAiaHR0cHM6Ly9ycC
5leGFtcGxlLmNvbSIsICJpc3MiOiAiaHR0cHM6Ly9ycC5leGFtc
GxlLmNvbSIsICJpYXQiOiAxNTg5NzA0NzAxLCAiZXhwIjogMTU4
OTcwNDc2MSwgImF1ZCI6ICJodHRwczovL29wLmV4YW1wbGUub3J
nL2F1dGhvcml6YXRpb24iLCAianRpIjogIjM5ZDVhZTU1MmQ5Yz
Q4ZjBiOTEyZGM1NTY4ZWQ1MGQ2In0.oUt9Knx_lxb4V2S0tyNFH
CNZeP7sImBy5XDsFxv1cUpGkAojNXSy2dnU5HEzscMgNW4wguz6
KDkC01aq5OfN04SuVItS66bsx0h4Gs7grKAp_51bClzreBVzU4g
_-dFTgF15T9VLIgM_juFNPA_g4Lx7Eb5r37rWTUrzXdmfxeou0X
FC2p9BIqItU3m9gmH0ojdBCUX5Up0iDsys6_npYomqitAcvaBRD
PiuUBa5Iar9HVR-H7FMAr7aq7s-dH5gx2CHIfM3-qlc2-_Apsy0
BrQl6VePR6j-3q6JCWvNw7l4_F2UpHeanHb31fLKQbK-1yoXDNz
DwA7B0ZqmuSmMFQ

HTTP/1.1 302 Found
Location: https://client.example.org/cb?
error=missing_trust_anchor
&error_description=
Could%20not%20find%20a%20trusted%20anchor
&state=af0ifjsldkj

{
"authority_hints": [
"https://umu.se"
],
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://op.umu.se",
"sub": "https://op.umu.se",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
"kty": "RSA",
"n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
}
]
},
"metadata": {
"openid_provider": {
"issuer": "https://op.umu.se/openid",
"signed_jwks_uri": "https://op.umu.se/openid/jwks.jose",
"authorization_endpoint":
"https://op.umu.se/openid/authorization",
"client_registration_types_supported": [
"automatic",
"explicit"
],
"request_parameter_supported": true,
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"id_token_signing_alg_values_supported": [
"ES256", "RS256"
],
"logo_uri":
"https://www.umu.se/img/umu-logo-left-neg-SE.svg",
"op_policy_uri":
"https://www.umu.se/en/website/legal-information/",
"response_types_supported": [
"code",
"code id_token",
"token"
],
"subject_types_supported": [
"pairwise",
"public"
],
"token_endpoint": "https://op.umu.se/openid/token",
"federation_registration_endpoint":
"https://op.umu.se/openid/fedreg",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt"
]
}
}
}
The authority_hints claim points to the Intermediate Entity https://umu.se.

GET /.well-known/openid-federation HTTP/1.1
Host: umu.se

And the GET will return:

{
"authority_hints": [
"https://swamid.se"
],
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://umu.se",
"sub": "https://umu.se",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...",
"kty": "RSA",
"n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..."
}
]
},
"metadata": {
"federation_entity": {
"contacts": "ops@umu.se",
"federation_fetch_endpoint": "https://umu.se/oidc/fedapi",
"homepage_uri": "https://www.umu.se",
"organization_name": "UmU"
}
}
}
The only piece of information that is used from this Entity Statement is the
<<federation_fetch_endpoint>> which is used in the next step.

A.2.3. Entity Statement Published by 'https://umu.se' about 'https://op.umu.se'

The RP uses the fetch endpoint provided by https://umu.se as defined in Section
7.1.1 to fetch information about "https://op.umu.se".

The request will look like this:

GET /oidc/fedapi?sub=https%3A%2F%2Fop.umu.se&
iss=https%3A%2F%2Fumu.se HTTP/1.1
Host: umu.se
and the result is this:

{
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://umu.se",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
"kty": "RSA",
"n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
}
]
},
"metadata_policy": {
"openid_provider": {
"contacts": {
"add": [
"ops@swamid.se"
]
},
"organization_name": {
"value": "University of Ume\u00e5"
},
"subject_types_supported": {
"value": [
"pairwise"
]
},
"token_endpoint_auth_methods_supported": {
"default": [
"private_key_jwt"
],
"subset_of": [
"private_key_jwt",
"client_secret_jwt"
],
"superset_of": [
"private_key_jwt"
]
}
}
},
"sub": "https://op.umu.se"
}

GET /.well-known/openid-federation HTTP/1.1
Host: swamid.se

And the GET will return:

{
"authority_hints": [
"https://edugain.geant.org"
],
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://swamid.se",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...",
"kty": "RSA",
"n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..."
}
]
},
"metadata": {
"federation_entity": {
"contacts": "ops@swamid.se",
"federation_fetch_endpoint":
"https://swamid.se/fedapi",
"homepage_uri": "https://www.sunet.se/swamid/",
"organization_name": "SWAMID"
}
},
"sub": "https://swamid.se"
}
The only piece of information that is used from this Entity Statement is the
federation_fetch_endpoint, which is used in the next step.

A.2.5. Entity Statement Published by 'https://swamid.se' about 'https://umu.se'

The LIGO Wiki RP uses the fetch endpoint provided by "https://swamid.se" as defined
in Section 7.1.1 to fetch information about "https://umu.se".

The request will look like this:

GET /fedapi?sub=https%3A%2F%2Fumu.se&
iss=https%3A%2F%2Fswamid.se HTTP/1.1
Host: swamid.se
and the result is this:

{
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://swamid.se",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...",
"kty": "RSA",
"n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..."
}
]
},
"metadata_policy": {
"openid_provider": {
"id_token_signing_alg_values_supported": {
"subset_of": [
"RS256",
"ES256",
"ES384",
"ES512"
]
},
"token_endpoint_auth_methods_supported": {
"subset_of": [
"client_secret_jwt",
"private_key_jwt"
]
},
"userinfo_signing_alg_values_supported": {
"subset_of": [
"ES256",
"ES384",
"ES512"
]
}
}
},
"sub": "https://umu.se"
}

GET /.well-known/openid-federation HTTP/1.1
Host: edugain.geant.org
And the GET will return:

{
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://edugain.geant.org",
"sub": "https://edugain.geant.org",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "Sl9DcjFxR3hrRGdabUNIR21KT3dvdWMyc2VUM2Fr...",
"kty": "RSA",
"n": "xKlwocDXUw-mrvDSO4oRrTRrVuTwotoBFpozvlq-1q..."
}
]
},
"metadata": {
"federation_entity": {
"federation_fetch_endpoint": "https://geant.org/edugain/api"
}
}
}

Within the Trust Anchor Entity Configuration, the Relying Party looks for the
federation_fetch_endpoint and gets the updated Federation Entity Keys of the Trust
Anchor. Each Entity within a Federation may change its Federation Entity Keys, or
any other attributes, at any time. See Section 9.2 for further details.

A.2.7. Entity Statement Published by 'https://edugain.geant.org' about
'https://swamid.se'

The LIGO Wiki RP uses the fetch endpoint of https://edugain.geant.org as defined in
Section 7.1.1 to fetch information about "https://swamid.se".

The request will look like this:

GET /edugain/api?sub=https%3A%2F%2Fswamid.se&
iss=https%3A%2F%2Fedugain.geant.org HTTP/1.1
Host: geant.org
and the result is this:

{
"exp": 1568397247,
"iat": 1568310847,
"iss": "https://edugain.geant.org",
"jwks": {
"keys": [
{
"e": "AQAB",
"kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...",
"kty": "RSA",
"n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..."
}
]
},
"metadata_policy": {
"openid_provider": {
"contacts": {
"add": "ops@edugain.geant.org"
}
},
"openid_relying_party": {
"contacts": {
"add": "ops@edugain.geant.org"
}
}
},
"sub": "https://swamid.se"
}
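The fetch walk in A.2.3 through A.2.7 yields a chain of statements that the RP must link together before any metadata from it is trusted: each statement is about the issuer of the one before it, each is signed by its issuer with a key that the next statement up publishes, and the Trust Anchor's own configuration is checked only against keys the RP was configured with. The following is an added example (not code from the specification) that performs those structural checks over a shortened copy of the Appendix A.2 statements. Because the page shows only decoded claims, each statement's JWS header `kid` is a constructed value equal to the `kid` its issuer publishes for itself; the JWS signature verification itself is left to a JOSE library and is represented here by selecting the key it would have to use.

```python
"""Structural checks on an OpenID Federation Trust Chain.

Added example; not code from the specification. The chain is a shortened copy
of the decoded statements in Appendix A.2 (op.umu.se -> umu.se -> swamid.se ->
edugain.geant.org). JWS header "kid" values are constructed to equal the key id
each issuer publishes for itself; signature verification is left to a JOSE
library and is represented by selecting the key it would have to use.
"""
import time

# Key ids as they appear in the Appendix A.2 statements.
KID_OP = "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0..."
KID_UMU = "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV..."
KID_SWAMID = "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO..."
KID_EDUGAIN = "Sl9DcjFxR3hrRGdabUNIR21KT3dvdWMyc2VUM2Fr..."


def statement(signer_kid, iss, sub, subject_kid):
    """(JWS header, claims) for a statement by `iss` about `sub`, signed with
    `signer_kid`, whose "jwks" publishes the subject's key `subject_kid`."""
    header = {"alg": "RS256", "kid": signer_kid}
    claims = {"iss": iss, "sub": sub, "iat": 1568310847, "exp": 1568397247,
              "jwks": {"keys": [{"kty": "RSA", "kid": subject_kid}]}}
    return header, claims


# Leaf Entity Configuration first, Trust Anchor Entity Configuration last.
TRUST_CHAIN = [
    statement(KID_OP, "https://op.umu.se", "https://op.umu.se", KID_OP),
    statement(KID_UMU, "https://umu.se", "https://op.umu.se", KID_OP),
    statement(KID_SWAMID, "https://swamid.se", "https://umu.se", KID_UMU),
    statement(KID_EDUGAIN, "https://edugain.geant.org", "https://swamid.se", KID_SWAMID),
    statement(KID_EDUGAIN, "https://edugain.geant.org", "https://edugain.geant.org", KID_EDUGAIN),
]

# Constructed bad case: the statement about umu.se is signed with a key that
# swamid.se's superior never published for swamid.se.
BROKEN_CHAIN = list(TRUST_CHAIN)
BROKEN_CHAIN[2] = statement("unpublished-kid", "https://swamid.se", "https://umu.se", KID_UMU)

# Trust Anchor keys the RP was configured with out of band.
TRUSTED_ANCHORS = {"https://edugain.geant.org": {"keys": [{"kty": "RSA", "kid": KID_EDUGAIN}]}}


def select_verification_key(header, jwks):
    """The JWK in `jwks` matching the statement's header "kid", or None."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)


def validate_chain(chain, trusted_anchors, now=None):
    """Check Trust Chain linkage and pick the key that must verify each statement.

    Returns (trust_anchor, chain_expiration, keys) with keys[i] the JWK for
    chain[i]; raises ValueError on any structural defect."""
    now = int(time.time()) if now is None else now
    if len(chain) < 2:
        raise ValueError("a Trust Chain needs at least a leaf and a Trust Anchor")
    leaf, anchor = chain[0][1], chain[-1][1]
    if leaf["iss"] != leaf["sub"]:
        raise ValueError("chain[0] must be the leaf's self-signed Entity Configuration")
    if anchor["iss"] != anchor["sub"] or anchor["iss"] not in trusted_anchors:
        raise ValueError("chain[-1] must be the Entity Configuration of a trusted anchor")
    keys = []
    for i, (header, claims) in enumerate(chain):
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError(f"chain[{i}] from {claims['iss']} is not valid at {now}")
        if i > 0 and claims["sub"] != chain[i - 1][1]["iss"]:
            raise ValueError(f"chain[{i}] is about {claims['sub']}, expected {chain[i - 1][1]['iss']}")
        if i + 1 < len(chain):
            # chain[i] is signed by its issuer; the issuer's federation keys are
            # published by the superior's statement about it, i.e. chain[i + 1].
            key = select_verification_key(header, chain[i + 1][1]["jwks"])
        else:
            # The Trust Anchor's own configuration is verified only with keys the
            # RP was configured with, never with keys taken from the chain itself.
            key = select_verification_key(header, trusted_anchors[anchor["iss"]])
        if key is None:
            raise ValueError(f"no published key {header.get('kid')!r} to verify chain[{i}]")
        keys.append(key)
    # The chain is only as long-lived as its shortest-lived statement.
    return anchor["iss"], min(c["exp"] for _, c in chain), keys


def is_valid_chain(chain, trusted_anchors, now=None):
    """Accept/reject form of validate_chain."""
    try:
        validate_chain(chain, trusted_anchors, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    anchor, exp, keys = validate_chain(TRUST_CHAIN, TRUSTED_ANCHORS, now=1568350000)
    print(anchor, exp, [k["kid"] for k in keys])
    print("broken chain accepted:", is_valid_chain(BROKEN_CHAIN, TRUSTED_ANCHORS, now=1568350000))
```

The Trust Anchor's key set is deliberately taken from `TRUSTED_ANCHORS` rather than from the chain: a chain that carries its own anchor keys would verify against anything. Where the anchor rotates keys, the refresh described under A.2.6 (fetching from the anchor's federation_fetch_endpoint) updates that configured set; it does not replace it with whatever the chain presents.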
{
"authorization_endpoint":
"https://op.umu.se/openid/authorization",
"claims_parameter_supported": false,
"contacts": [
"ops@swamid.se"
],
"federation_registration_endpoint":
"https://op.umu.se/openid/fedreg",
"client_registration_types_supported": [
"automatic",
"explicit"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"id_token_signing_alg_values_supported": [
"RS256",
"ES256"
],
"issuer": "https://op.umu.se/openid",
"signed_jwks_uri": "https://op.umu.se/openid/jwks.jose",
"logo_uri":
"https://www.umu.se/img/umu-logo-left-neg-SE.svg",
"organization_name": "University of Ume\u00e5",
"op_policy_uri":
"https://www.umu.se/en/website/legal-information/",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_types_supported": [
"code",
"code id_token",
"token"
],
"subject_types_supported": [
"pairwise"
],
"token_endpoint": "https://op.umu.se/openid/token",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_jwt"
]
}
GET /openid/authorization?
request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJhMDF3Umtoa1NXc
GxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbWhFUVhnelpYbHBUemRR
TkEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic2NvcGUiOiAi
b3BlbmlkIHByb2ZpbGUgZW1haWwiLCAiY2xpZW50X2lkIjogImh0dHB
zOi8vd2lraS5saWdvLm9yZyIsICJzdGF0ZSI6ICIyZmY3ZTU4OS0zOD
Q4LTQ2ZGEtYTNkMi05NDllMTIzNWU2NzEiLCAibm9uY2UiOiAiZjU4M
WExODYtYWNhNC00NmIzLTk0ZmMtODA0ODQwODNlYjJjIiwgInJlZGly
ZWN0X3VyaSI6ICJodHRwczovL3dpa2kubGlnby5vcmcvb3BlbmlkL2N
hbGxiYWNrIiwgImlzcyI6ICIiLCAiaWF0IjogMTU5MzU4ODA4NSwgIm
F1ZCI6ICJodHRwczovL29wLnVtdS5zZSJ9.cRwSFNcDx6VsacAQDcIx
5OAt_Pj30I_uUKRh04N4QJd6MZ0f50sETRv8uspSt9fMa-5yV3uzthX
_v8OtQrV33gW1vzgOSRCdHgeCN40StbzjFk102seDwtU_Uzrcsy7KrX
YSBp8U0dBDjuxC6h18L8ExjeR-NFjcrhy0wwua7Tnb4QqtN0QCia6DD
8QBNVTL1Ga0YPmMdT25wS26wug23IgpbZB20VUosmMGgGtS5yCI5AwK
Bhozv-oBH5KxxHzH1Oss-RkIGiQnjRnaWwEOTITmfZWra1eHP254wFF
2se-EnWtz1q2XwsD9NSsOEJwWJPirPPJaKso8ng6qrrOSgw
&response_type=code
&client_id=https%3A%2F%2Fwiki.ligo.org
&redirect_uri=https%3A%2F%2Fwiki.ligo.org/openid/callback
&scope=openid+profile+email
HTTP/1.1
Host: op.umu.se

edugain.geant.org
"metadata_policy": {
"openid_provider": {
"contacts": {
"add": "ops@edugain.geant.org"
}
},
"openid_relying_party": {
"contacts": {
"add": "ops@edugain.geant.org"
}
}
}
incommon.org
"metadata_policy": {
"openid_relying_party": {
"application_type": {
"one_of": [
"web",
"native"
]
},
"contacts": {
"add": "ops@incommon.org"
},
"grant_types": {
"subset_of": [
"authorization_code",
"refresh_token"
]
}
}
}
Combining these and applying them to the metadata for wiki.ligo.org:

"metadata": {
"application_type": "web",
"client_name": "LIGO Wiki",
"contacts": [
"ops@ligo.org"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"id_token_signed_response_alg": "RS256",
"signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
"redirect_uris": [
"https://wiki.ligo.org/openid/callback"
],
"response_types": [
"code"
],
"subject_type": "public"
}
The final result is:

{
"application_type": "web",
"client_name": "LIGO Wiki",
"contacts": [
"ops@ligo.org",
"ops@edugain.geant.org",
"ops@incommon.org"
],
"grant_types": [
"refresh_token",
"authorization_code"
],
"id_token_signed_response_alg": "RS256",
"signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
"redirect_uris": [
"https://wiki.ligo.org/openid/callback"
],
"response_types": [
"code"
],
"subject_type": "public"
}
Once the Trust Chain and the final Relying Party metadata have been obtained, the
OpenID Provider has everything needed to validate the signature of the Request
Object in the Authentication Request, using the public keys made available at the
signed_jwks_uri endpoint.

A.3.2. Client Starts with Registration (Explicit Client Registration)

Here the LIGO Wiki RP sends a client registration request to the
federation_registration_endpoint of the OP (op.umu.se). What it sends is an Entity
Configuration.

The JWT Claims Set of that Entity Configuration might look like this:

{
"iss": "https://wiki.ligo.org",
"sub": "https://wiki.ligo.org",
"iat": 1676045527,
"exp": 1676063610,
"aud": "https://op.umu.se",
"metadata": {
"openid_relying_party": {
"application_type": "web",
"client_name": "LIGO Wiki",
"contacts": ["ops@ligo.org"],
"grant_types": ["authorization_code"],
"id_token_signed_response_alg": "RS256",
"signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
"redirect_uris": [
"https://wiki.ligo.org/openid/callback"
],
"response_types": ["code"],
"subject_type": "public"
}
},
"jwks": {
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid":
"U2JTWHY0VFg0a2FEVVdTaHptVDJsNDNiSDk5MXRBVEtNSFVkeXZwb",
"e": "AQAB",
"n":
"4AZjgqFwMhTVSLrpzzNcwaCyVD88C_Hb3Bmor97vH-2AzldhuVb8K..."
}
]
},
"authority_hints": ["https://incommon.org"]
}
Once the OP has the Entity Configuration, it proceeds with the same sequence of
steps as laid out in Appendix A.2.

The OP will end up with the same RP metadata described in Appendix A.3.1.2, but it
can now return a metadata policy that it wants applied to the RP's metadata. This
metadata policy is combined with the Trust Chain's combined metadata policy before
being applied to the RP's metadata.

If we assume that the OP does not support refresh tokens, it MAY want to add a
metadata policy that says:

"metadata_policy": {
"openid_relying_party": {
"grant_types": {
"subset_of": [
"authorization_code"
]
}
}
}
Thus, the Entity Statement returned by the OP to the RP MAY look like this:

{
"trust_anchor_id": "https://edugain.geant.org",
"metadata_policy": {
"openid_relying_party": {
"contacts": {
"add": [
"ops@incommon.org",
"ops@edugain.geant.org"
]
}
}
},
"metadata": {
"openid_relying_party": {
"client_id": "m3GyHw",
"client_secret_expires_at": 1604049619,
"client_secret":
"cb44eed577f3b5edf3e08362d47a0dc44630b3dc6ea99f7a79205",
"client_id_issued_at": 1601457619
}
},
"authority_hints": [
"https://incommon.org"
],
"aud": "https://wiki.ligo.org",
"jwks": {
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid":
"U2JTWHY0VFg0a2FEVVdTaHptVDJsNDNiSDk5MXRBVEtNSFVkeXZwb",
"e": "AQAB",
"n":
"4AZjgqFwMhTVSLrpzzNcwaCyVD88C_Hb3Bmor97vH-2AzldhuVb8K..."
},
{
"kty": "EC",
"use": "sig",
"kid": "LWtFcklLOGdrW",
"crv": "P-256",
"x": "X2S1dFE7zokQDST0bfHdlOWxOc8FC1l4_sG1Kwa4l4s",
"y": "812nU6OCKxgc2ZgSPt_dkXbYldG_smHJi4wXByDHc6g"
}
]
},
"iss": "https://op.umu.se",
"iat": 1601457619,
"exp": 1601544019
}
And the resulting metadata used by the RP could look like:

{
"application_type": "web",
"client_name": "LIGO Wiki",
"client_id": "m3GyHw",
"client_secret_expires_at": 1604049619,
"client_secret": "cb44eed577f3b5edf3e08362d47a0dc44630b3dc6ea99f7a79205",
"client_id_issued_at": 1601457619,
"contacts": [
"ops@edugain.geant.org",
"ops@incommon.org",
"ops@ligo.org"
],
"grant_types": [
"authorization_code"
],
"id_token_signed_response_alg": "RS256",
"signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
"redirect_uris": [
"https://wiki.ligo.org/openid/callback"
],
"response_types": [
"code"
],
"subject_type": "public"
}
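Both walk-throughs above turn on the same two operations: combining the metadata policies found along the Trust Chain (edugain.geant.org first, then incommon.org, and in A.3.2 the OP's own policy on top) and applying the combined policy to the RP's metadata. The following is an added example, not code from the specification, that implements the policy operators used on this page (value, add, default, one_of, subset_of, superset_of, essential) and replays both A.3.1.2 and A.3.2 with the policies and metadata copied from the page. How an empty subset_of intersection is handled (the parameter is dropped) is this example's choice.

```python
"""Combining and applying OpenID Federation metadata policies.

Added example, not code from the specification. Implements the policy operators
used in Appendix A and replays the wiki.ligo.org walk-through for automatic
(A.3.1) and explicit (A.3.2) registration. Dropping a parameter when a
subset_of intersection is empty is this example's choice.
"""
import copy


class PolicyError(ValueError):
    """A policy conflict, or metadata that a policy rejects."""


def _as_list(v):
    return list(v) if isinstance(v, list) else [v]


def _union(a, b):
    out = list(a)
    for x in b:
        if x not in out:
            out.append(x)
    return out


def _intersection(a, b):
    return [x for x in a if x in b]


def combine_param_policy(superior, subordinate):
    """Merge one parameter's operators; a subordinate may narrow but never loosen."""
    result = dict(superior)
    for op, val in subordinate.items():
        if op not in result:
            result[op] = val
        elif op in ("value", "default"):
            if result[op] != val:
                raise PolicyError(f"conflicting {op}: {result[op]!r} vs {val!r}")
        elif op in ("add", "superset_of"):
            result[op] = _union(_as_list(result[op]), _as_list(val))
        elif op in ("one_of", "subset_of"):
            result[op] = _intersection(result[op], val)
        elif op == "essential":
            result[op] = bool(result[op] or val)
        else:
            raise PolicyError(f"unknown policy operator {op!r}")
    return result


def combine_policies(policies):
    """Combine per-entity-type policies, ordered from the Trust Anchor down."""
    combined = {}
    for policy in policies:
        for param, ops in policy.items():
            combined[param] = combine_param_policy(combined.get(param, {}), ops)
    return combined


def apply_policy(policy, metadata):
    """Return the metadata that results from applying `policy`; raise on violations."""
    md = copy.deepcopy(metadata)
    for param, ops in policy.items():
        if "value" in ops:
            md[param] = ops["value"]
        if "add" in ops:
            md[param] = _union(_as_list(md.get(param, [])), _as_list(ops["add"]))
        if "default" in ops and param not in md:
            md[param] = ops["default"]
        if "subset_of" in ops and param in md:
            kept = _intersection(_as_list(md[param]), ops["subset_of"])
            if kept:
                md[param] = kept
            else:
                del md[param]  # nothing permitted remains: drop the parameter
        if param in md:
            if "one_of" in ops and md[param] not in ops["one_of"]:
                raise PolicyError(f"{param}={md[param]!r} is not one of {ops['one_of']!r}")
            if "superset_of" in ops and not set(ops["superset_of"]) <= set(_as_list(md[param])):
                raise PolicyError(f"{param} must contain all of {ops['superset_of']!r}")
        elif ops.get("essential"):
            raise PolicyError(f"essential parameter {param!r} is missing")
    return md


def policy_rejects(policy, metadata):
    """True when `metadata` cannot satisfy `policy`."""
    try:
        apply_policy(policy, metadata)
        return False
    except PolicyError:
        return True


# openid_relying_party policies as given on the page.
EDUGAIN_RP_POLICY = {"contacts": {"add": "ops@edugain.geant.org"}}
INCOMMON_RP_POLICY = {
    "application_type": {"one_of": ["web", "native"]},
    "contacts": {"add": "ops@incommon.org"},
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"]},
}
OP_RP_POLICY = {"grant_types": {"subset_of": ["authorization_code"]}}  # OP has no refresh tokens

# wiki.ligo.org metadata as published (A.3.1) and as sent for registration (A.3.2).
LIGO_WIKI_METADATA = {
    "application_type": "web", "client_name": "LIGO Wiki", "contacts": ["ops@ligo.org"],
    "grant_types": ["authorization_code", "refresh_token"],
    "id_token_signed_response_alg": "RS256",
    "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
    "redirect_uris": ["https://wiki.ligo.org/openid/callback"],
    "response_types": ["code"], "subject_type": "public",
}
LIGO_WIKI_REGISTRATION = dict(LIGO_WIKI_METADATA, grant_types=["authorization_code"])


def automatic_registration_metadata():
    """A.3.1: the Trust Chain's combined policy applied to the published RP metadata."""
    return apply_policy(combine_policies([EDUGAIN_RP_POLICY, INCOMMON_RP_POLICY]), LIGO_WIKI_METADATA)


def explicit_registration_metadata():
    """A.3.2: the OP's own policy is combined with the chain's before being applied."""
    chain_policy = combine_policies([EDUGAIN_RP_POLICY, INCOMMON_RP_POLICY])
    return apply_policy(combine_policies([chain_policy, OP_RP_POLICY]), LIGO_WIKI_REGISTRATION)
```

The combination step is where an intermediate's attempt to loosen a superior's policy is caught: one_of and subset_of only ever shrink, add and superset_of only ever grow, and a differing value or default is a hard conflict rather than an override. The OP's refresh-token restriction in A.3.2 therefore narrows grant_types to authorization_code without the OP being able to re-admit anything incommon.org had excluded.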
---
Federation President | 1708 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 1708 insertions(+)

diff --git a/Federation President b/Federation President


index 85ad92d..9239b35 100644
--- a/Federation President
+++ b/Federation President
@@ -1705,3 +1705,1711 @@ And the resulting metadata used by the RP could look like:
],
"subject_type": "public"
}
+
+$ AWS_SECRET
+
+
+GET /trust_marked_list?trust_mark_id=https%3A%2F%2Ffederation.example.org
%2Fopenid_relying_party%2Fprivate%2Funder-age HTTP/1.1
+Host: trust-mark-issuer.example.org
+
+
+13
+# Deployment variables will only work within deployment steps in bitbucket-
pipelines.yaml
+
+image: atlassian/default-image:2
+pipelines:
+ default:
+ - step:
+ script:
+ - <script>
+ - step:
+ name: Deploy to Test
+ deployment: Test
+ script:
+ - echo $DEPLOYMENT_VARIABLE
+Secured
+
+file:
+
+ GET /openid/authorization?
+ request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJhMDF3Umtoa1NXc
+ GxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbWhFUVhnelpYbHBUemRR
+ TkEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic2NvcGUiOiAi
+ b3BlbmlkIHByb2ZpbGUgZW1haWwiLCAiY2xpZW50X2lkIjogImh0dHB
+ zOi8vd2lraS5saWdvLm9yZyIsICJzdGF0ZSI6ICIyZmY3ZTU4OS0zOD
+ Q4LTQ2ZGEtYTNkMi05NDllMTIzNWU2NzEiLCAibm9uY2UiOiAiZjU4M
+ WExODYtYWNhNC00NmIzLTk0ZmMtODA0ODQwODNlYjJjIiwgInJlZGly
+ ZWN0X3VyaSI6ICJodHRwczovL3dpa2kubGlnby5vcmcvb3BlbmlkL2N
+ hbGxiYWNrIiwgImlzcyI6ICIiLCAiaWF0IjogMTU5MzU4ODA4NSwgIm
+ F1ZCI6ICJodHRwczovL29wLnVtdS5zZSJ9.cRwSFNcDx6VsacAQDcIx
+ 5OAt_Pj30I_uUKRh04N4QJd6MZ0f50sETRv8uspSt9fMa-5yV3uzthX
+ _v8OtQrV33gW1vzgOSRCdHgeCN40StbzjFk102seDwtU_Uzrcsy7KrX
+ YSBp8U0dBDjuxC6h18L8ExjeR-NFjcrhy0wwua7Tnb4QqtN0QCia6DD
+ 8QBNVTL1Ga0YPmMdT25wS26wug23IgpbZB20VUosmMGgGtS5yCI5AwK
+ Bhozv-oBH5KxxHzH1Oss-RkIGiQnjRnaWwEOTITmfZWra1eHP254wFF
+ 2se-EnWtz1q2XwsD9NSsOEJwWJPirPPJaKso8ng6qrrOSgw
+ &response_type=code
+ &client_id=https%3A%2F%2Fwiki.ligo.org
+ &redirect_uri=https%3A%2F%2Fwiki.ligo.org/openid/callback
+ &scope=openid+profile+email
+ HTTP/1.1
+Host: op.umu.se
+
+
+
+
+pipelines:
+ default:
+ - step:
+ script:
+ - expr 10 / $MY_HIDDEN_NUMBER
+ - echo $
+
+ <myhiddennumber>
+
+
+
+ << SECRET_PROVIDER_URI>>
+
+
+
+
+ docker container run ... -e
SECRET_PROVIDER_URI="http://secret.provider/endpoint" ...
+
+
+ <start.sh>
+
+
+ 1
+./start.sh ... --secretProviderUri "http://secret.provider/endpoint" ...
+
+
+.\start ... -secretProviderUri "http://secret.provider/endpoint" ..
+<Start.ps1>
+
+
+| Trust Anchor A | | Trust Anchor B |
+'------.--.-------' '----.--.--.------'
+ | | | | |
+ .--' '---. .-------------------' | |
+ | | | | |
+.---v. .-----v-v------. .-----------' |
+| OP | | Intermediate | | |
+'----' '--.--.--.-----' | .---------v----.
+ | | | | | Intermediate |
+ .-------' | '------. | '---.--.--.----'
+ | | | | | | |
+.--v-. .-v--. .v--v. .---' | '----.
+| RP | | RS | | OP | | | |
+'----' '----' '----' | .--v-. .-v--.
+ | | RP | | RP |
+ | '----' '----'
+ |
+ .-------v------.
+ | Intermediate |
+ '----.--.--.---'
+ | | |
+ .-----' | '----.
+ | | |
+ .--v-. .--v-. .-v--.
+ | OP | | RP | | AS |
+ '----' '----' '----'
+
+{
+ "https://openid.net/certification/op": ["*"],
+ "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf":
+ ["https://swamid.se"]
+}
+The following is a non-normative example of an Entity Statement before adding a
signature. The example contains a critical extension jti (JWT ID) to the Entity
Statement and one critical extension to the policy language regexp (Regular
expression).
+
+{
+ "iss": "https://feide.no",
+ "sub": "https://ntnu.no",
+ "iat": 1516239022,
+ "exp": 1516298022,
+ "crit": ["jti"],
+ "jti": "7l2lncFdY6SlhNia",
+ "policy_language_crit": ["regexp"],
+ "metadata": {
+ "openid_provider": {
+ "issuer": "https://ntnu.no",
+ "organization_name": "NTNU",
+ },
+ "oauth_client": {
+ "organization_name": "NTNU"
+ }
+ },
+ "metadata_policy": {
+ "openid_provider": {
+ "id_token_signing_alg_values_supported":
+ {"subset_of": ["RS256", "RS384", "RS512"]},
+ "op_policy_uri": {
+ "regexp":
+ "^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"}
+ },
+ "oauth_client": {
+ "grant_types": {
+ "subset_of": ["authorization_code", "client_credentials"]
+ },
+ },
+ "constraints": {
+ "max_path_length": 2
+ },
+ "jwks": {
+ "keys": [
+ {
+ "alg": "RS256",
+ "e": "AQAB",
+ "key_ops": ["verify"],
+ "kid": "key1",
+ "kty": "RSA",
+ "n": "pnXBOusEANuug6ewezb9J_...",
+ "use": "sig"
+ }
+ ]
+ }
+}
+3.2. Trust Chain
+
+
+
+ {
+ "keys": [
+ {
+ "kty": "RSA",
+ "kid": "SUdtUndEWVY2cUFDeDV5NVlBWDhvOXJodVl2am1mNGNtR0pmd",
+ "n": "y_Zc8rByfeRIC9fFZrDZ2MGH2ZnxLrc0ZNNwkNet5rwCPYeRF3Sv
+ 5nihZA9NHkDTEX97dN8hG6ACfeSo6JB2P7heJtmzM8oOBZbmQ90n
+ EA_JCHszkejHaOtDDfxPH6bQLrMlItF4JSUKua301uLB7C8nzTxm
+ tF3eAhGCKn8LotEseccxsmzApKRNWhfKDLpKPe9i9PZQhhJaurwD
+ kMwbWTAeZbqCScU1o09piuK1JDf2PaDFevioHncZcQO74Obe4nN3
+ oNPNAxrMClkZ9s9GMEd5vMqOD4huXlRpHwm9V3oJ3LRutOTxqQLV
+ yPucu7eHA7her4FOFAiUk-5SieXL9Q",
+ "e": "AQAB"
+ },
+ {
+ "kty": "EC",
+ "kid": "MFYycG1raTI4SkZvVDBIMF9CNGw3VEZYUmxQLVN2T21nSWlkd3",
+ "crv": "P-256",
+ "x": "qAOdPQROkHfZY1daGofOmSNQWpYK8c9G2m2Rbkpbd4c",
+ "y": "G_7fF-T8n2vONKM15Mzj4KR_shvHBxKGjMosF6FdoPY"
+ }
+ ],
+ "iss": "https://example.org/op",
+ "iat": 1618410883
+ }
+
+The following is a non-normative example of an RP's Entity Configuration:
+
+
+ {
+ "iss": "https://openid.sunet.se",
+ "sub": "https://openid.sunet.se",
+ "iat": 1516239022,
+ "exp": 1516298022,
+ "metadata": {
+ "openid_relying_party": {
+ "application_type": "web",
+ "redirect_uris": [
+ "https://openid.sunet.se/rp/callback"
+ ],
+ "organization_name": "SUNET",
+ "logo_uri": "https://www.sunet.se/sunet/images/32x32.png",
+ "grant_types": [
+ "authorization_code",
+ "implicit"
+ ],
+ "signed_jwks_uri":"https://openid.sunet.se/rp/signed_jwks.jose",
+ "jwks_uri": "https://openid.sunet.se/rp/jwks.json"
+ }
+ },
+ "jwks": {
+ "keys": [
+ {
+ "alg": "RS256",
+ "e": "AQAB",
+ "key_ops": [
+ "verify"
+ ],
+ "kid": "key1",
+ "kty": "RSA",
+ "n": "pnXBOusEANuug6ewezb9J_...",
+ "use": "sig"
+ }
+ ]
+ },
+ "authority_hints": [
+ "https://edugain.org/federation"
+ ]
+ }
+{
+ "iss":"https://op.umu.se",
+ "sub":"https://op.umu.se",
+ "exp":1568397247,
+ "iat":1568310847,
+ "metadata":{
+ "openid_provider":{
+ "issuer":"https://op.umu.se/openid",
+ "signed_jwks_uri":"https://op.umu.se/openid/signed_jwks.jose",
+ "authorization_endpoint":"https://op.umu.se/openid/authorization",
+ "client_registration_types_supported":[
+ "automatic",
+ "explicit"
+ ],
+ "grant_types_supported":[
+ "authorization_code",
+ "implicit",
+ "urn:ietf:params:oauth:grant-type:jwt-bearer"
+ ],
+ "id_token_signing_alg_values_supported":[
+ "ES256",
+ "RS256"
+ ],
+ "logo_uri":"https://www.umu.se/img/umu-logo-left-neg-SE.svg",
+ "op_policy_uri":"https://www.umu.se/en/legal-information/",
+ "response_types_supported":[
+ "code",
+ "code id_token",
+ "token"
+ ],
+ "subject_types_supported":[
+ "pairwise",
+ "public"
+ ],
+ "token_endpoint":"https://op.umu.se/openid/token",
+ "federation_registration_endpoint":"https://op.umu.se/openid/fedreg",
+ "token_endpoint_auth_methods_supported":[
+ "client_secret_post",
+ "client_secret_basic",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ],
+ "pushed_authorization_request_endpoint":"https://op.umu.se/openid/par",
+ "request_authentication_methods_supported": {
+ "authorization_endpoint": [
+ "request_object"
+ ],
+ "pushed_authorization_request_endpoint": [
+ "request_object",
+ "private_key_jwt",
+ "tls_client_auth",
+ "self_signed_tls_client_auth"
+ ]
+ }
+ }
+ },
+ "authority_hints":[
+ "https://umu.se"
+ ],
+ "jwks":{
+ "keys":[
+ {
+ "e":"AQAB",
+ "kid":"dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
+ "kty":"RSA",
+ "n":"x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
+ }
+ ]
+ },
+}
+"federation_entity": {
+ "federation_fetch_endpoint":
+ "https://example.com/federation_fetch",
+ "federation_list_endpoint":
+ "https://example.com/federation_list",
+ "federation_trust_mark_status_endpoint": "https://example.com/status",
+ "federation_trust_mark_list_endpoint": "https://example.com/trust_marked_list",
+ "organization_name": "The example cooperation",
+ "homepage_uri": "https://www.example.com"
+}
+
+"id_token_signed_response_alg": {
+ "default": "ES256",
+ "one_of" : ["ES256", "ES384", "ES512"]
+}
+Which fits into a metadata policy like this:
+
+"metadata_policy" : {
+ "openid_relying_party": {
+ "id_token_signed_response_alg": {
+ "default": "ES256",
+ "one_of" : ["ES256", "ES384", "ES512"]
+ }
+ }
+}
+
+{
+ "grant_types": {
+
+ "subset_of": ["authorization_code", "implicit", "refresh_token"],
+
+ "superset_of": ["authorization_code"],
+
+ "default": ["authorization_code", "refresh_token"]
+ },
+ "token_endpoint_auth_method": {
+ "one_of": [
+ "client_secret_post",
+ "client_secret_basic"
+ ]
+ },
+ "contacts": {
+ "add": "helpdesk@federation.example.org"
+ }
+}
+An organization's policy for OAuth 2.0 clients:
+
+{
+ "grant_types": {
+ "subset_of": ["authorization_code", "refresh_token", "implicit"],
+ "default": ["authorization_code", "refresh_token"]
+ },
+ "token_endpoint_auth_method": {
+ "one_of": [
+ "client_secret_post",
+ "client_secret_basic"
+ ],
+ "default": "client_secret_basic"
+ },
+ "contacts": {
+ "add": "helpdesk@org.example.org"
+ }
+}
+The combined metadata policy then becomes:
+
+{
+ "grant_types": {
+ "subset_of": ["authorization_code", "refresh_token"],
+ "superset_of": ["authorization_code"],
+ "default": ["authorization_code", "refresh_token"]
+ },
+ "token_endpoint_auth_method": {
+ "one_of": [
+ "client_secret_post",
+ "client_secret_basic"
+ ],
+ "default": "client_secret_basic"
+ },
+ "contacts": {
+ "add": [
+ "helpdesk@federation.example.org",
+ "helpdesk@org.example.org"
+ ]
+ }
+}
+
+{
+ "contacts": [
+ "rp_admins@cs.example.com"
+ ],
+ "redirect_uris": [
+ "https://cs.example.com/rp1"
+ ],
+ "response_types": [
+ "code"
+ ]
+}
+The federation's policy for RPs:
+
+{
+ "id_token_signed_response_alg": {
+ "one_of": [
+ "ES256",
+ "ES384"
+ ],
+ "default": "ES256",
+ },
+ "response_types": {
+ "subset_of": [
+ "code",
+ "code id_token"
+ ]
+ }
+}
+The organization's policy for RPs:
+
+{
+ "metadata_policy": {
+ "openid_relying_party": {
+ "contacts": {
+ "add": "helpdesk@example.com"
+ },
+ "logo_uri": {
+ "one_of": [
+ "https://example.com/logo_small.svg",
+ "https://example.com/logo_big.svg"
+ ],
+ "default": "https://example.com/logo_small.svg"
+ }
+ }
+ },
+ "metadata": {
+ "openid_relying_party": {
+ "policy_uri": "https://example.com/policy.html",
+ "tos_uri": "https://example.com/tos.html"
+ }
+ }
+}
+After applying the policies above, the metadata for the Entity in question would
become:
+
+{
+ "contacts": [
+ "rp_admins@cs.example.com",
+ "helpdesk@example.com"
+ ],
+ "logo_uri": "https://example.com/logo_small.svg",
+ "policy_uri": "https://example.com/policy.html",
+ "tos_uri": "https://example.com/tos.html",
+ "id_token_signed_response_alg": "ES256",
+ "response_types": [
+ "code"
+ ],
+ "redirect_uris": [
+ "https://cs.example.com/rp1"
+ ]
+}
+
+
+{
+ "naming_constraints": {
+ "permitted": [
+ "https://.example.com"
+ ],
+ "excluded": [
+ "https://east.example.com"
+ ]
+ },
+ "max_path_length": 2,
+ "allowed_leaf_entity_types": ["openid_provider", "openid_relying_party"]
+}
+{
+ "iss": "https://rp.example.it/spid/",
+ "sub": "https://rp.example.it/spid/",
+ "iat": 1516239022,
+ "exp": 1516298022,
+ "trust_marks": [
+ {
+ "id": "https://www.spid.gov.it/certification/rp/",
+ "trust_mark":
+ "eyJraWQiOiJmdWtDdUtTS3hwWWJjN09lZUk3Ynlya3N5a0E1bDhPb2RFSXVyOH"
+ "JoNFlBIiwidHlwIjoidHJ1c3QtbWFyaytqd3QiLCJhbGciOiJSUzI1NiJ9.eyJ"
+ "pc3MiOiJodHRwczovL3d3dy5hZ2lkLmdvdi5pdCIsInN1YiI6Imh0dHBzOi8vc"
+ "nAuZXhhbXBsZS5pdC9zcGlkIiwiaWF0IjoxNTc5NjIxMTYwLCJpZCI6Imh0dHB"
+ "zOi8vd3d3LnNwaWQuZ292Lml0L2NlcnRpZmljYXRpb24vcnAiLCJsb2dvX3Vya"
+ "SI6Imh0dHBzOi8vd3d3LmFnaWQuZ292Lml0L3RoZW1lcy9jdXN0b20vYWdpZC9"
+ "sb2dvLnN2ZyIsInJlZiI6Imh0dHBzOi8vZG9jcy5pdGFsaWEuaXQvZG9jcy9zc"
+ "GlkLWNpZS1vaWRjLWRvY3MvaXQvdmVyc2lvbmUtY29ycmVudGUvIn0.AGf5Y4M"
+ "oJt22rznH4i7Wqpb2EF2LzE6BFEkTzY1dCBMCK-8P_vj4Boz7335pUF45XXr2j"
+ "x5_waDRgDoS5vOO-wfc0NWb4Zb_T1RCwcryrzV0z3jJICePMPM_1hZnBZjTNQd"
+ "4EsFNvKmUo_teR2yzAZjguR2Rid30O5PO8kJtGaXDmz-rWaHbmfLhlNGJnqcp9"
+ "Lo1bhkU_4Cjpn2bdX7RN0JyfHVY5IJXwdxUMENxZd-VtA5QYiw7kPExT53XcJO"
+ "89ebe_ik4D0dl-vINwYhrIz2RPnqgA1OdbK7jg0vm8Tb3aemRLG7oLntHwqLO-"
+ "gGYr6evM2_SgqwA0lQ9mB9yhw"
+ }
+ ],
+ "metadata": {
+ "openid_relying_party": {
+ "application_type": "web",
+ "client_registration_types": ["automatic"],
+ "client_name": "https://rp.example.it/spid/",
+ "contacts": [
+ "ops@rp.example.it"
+ ],
+
+ ... follows other claims ...
+
+ ... follows other claims ...
+
+An example of a decoded Trust Mark issued to an RP, attesting the conformance to a
national public service profile:
+
+{
+ "id":"https://federation.id/openid_relying_party/public/",
+ "iss": "https://trust-anchor.gov.id",
+ "sub": "https://rp.cie.id",
+ "iat": 1579621160,
+ "organization_name": "Organization name",
+ "policy_uri": "https://rp.cie.id/privacy_policy",
+ "tos_uri": "https://rp.cie.id/info_policy",
+ "service_documentation": "https://rp.cie.id/api/v1/get/services",
+ "ref": "https://rp.cie.id/documentation/manuale_operativo.pdf"
+}
++-----+ +-----+
+-------------+
+| RP | | OP | |
TrustAnchor |
++-----+ +-----+
+-------------+
+ | |
|
+ | Entity Configuration Request |
|
+ |<---------------------------------|
|
+ | |
|
+ | Entity Configuration Response |
|
+ |--------------------------------->|
|
+ | |
|
+ | | Evaluates authority_hints
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Entity Configuration Request
|
+ |
|--------------------------------------------->|
+ | |
|
+ | | Entity Configuration
Response |
+ | |
<---------------------------------------------|
+ | |
|
+ | | Obtains Fetch endpoint
|
+ | |-----------------------
|
+ | | |
|
+ | |<----------------------
|
+ | |
|
+ | | Request Entity Statement about the RP
|
+ |
|--------------------------------------------->|
+ | |
|
+ | | Entity Statement about the
RP |
+ | |
<---------------------------------------------|
+ | |
|
+ | | Evaluates the Trust Chain
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Applies metadata policies
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Derivates the RP's final metadata
|
+ | |----------------------------------
|
+ | | |
|
+ | |<---------------------------------
|
+ | |
|
+8.2. Validating a Trust Chain
+
+As
+
+
+
+
+An example of a decoded Trust Mark issued to an RP, attesting its conformance to
the rules for data management of underage users:
+
+{
+ "id":"https://federation.id/openid_relying_party/private/under-age",
+ "iss": "https://trust-anchor.gov.id",
+ "sub": "https://rp.cie.id",
+ "iat": 1579621160,
+ "organization_name": "Organization name",
+ "policy_uri": "https://rp.cie.id/privacy_policy",
+ "tos_uri": "https://rp.cie.id/info_policy"
+}
+
+An example of a Trust Mark attesting a stipulation of an agreement between an RP
and an Attribute Authority:
+
+{
+ "id": "https://deleghedigitali.gov.it/openid_relying_party/sgd/",
+ "iss": "https://deleghedigitali.gov.it",
+ "sub": "https://rp.cie.id",
+ "iat": 1579621160,
+ "logo_uri": "https://deleghedigitali.gov.it/sgd-cmyk-150dpi-90mm.svg",
+ "organization_type": "public",
+ "id_code": "123456",
+ "email": "info@rp.cie.id",
+ "organization_name#it": "Nome dell'organizazzione",
+ "policy_uri#it": "https://rp.cie.id/privacy_policy",
+ "tos_uri#it": "https://rp.cie.id/info_policy",
+ "service_documentation": "https://rp.cie.id/api/v1/get/services",
+ "ref": "https://deleghedigitali.gov.it/documentation/manuale_operativo.pdf"
+}
+An example of a Trust Mark asserting conformance to a security profile:
+
+{
+ "iss": "https://secusign.org",
+ "sub": "https://example.com/op",
+ "iat": 1579621160,
+ "id": "https://secusign.org/level/A",
+ "logo_uri": "https://secusign.org/static/levels/
+ certification-level-A-150dpi-90mm.svg",
+ "ref": "https://secusign.org/conformances/"
+}
+An example of a decoded self-signed Trust Mark:
+
+{
+ "iss": "https://example.com/op",
+ "sub": "https://example.com/op",
+ "iat": 1579621160,
+ "id": "https://openid.net/certification/op",
+ "logo_uri": "http://openid.net/wordpress-content/uploads/2016/
+ 05/oid-l-certification-mark-l-cmyk-150dpi-90mm.svg",
+ "ref": "https://openid.net/wordpress-content/uploads/2015/
+ 09/RolandHedberg-pyoidc-0.7.7-Basic-26-Sept-2015.zip"
+}
+An example of a third-party accreditation authority:
+
+{
+ "iss": "https://swamid.se",
+ "sub": "https://umu.se/op",
+ "iat": 1577833200,
+ "exp": 1609369200,
+ "id": "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf"
+}
+
+$ GET /.well-known/openid-federation HTTP/1.1
+ Host: openid.sunet.se
+
+
+<federation_entity>
+
+
+200 OK
+Content-Type: application/entity-statement+jwt
+
+{
+ "iss": "https://openid.sunet.se",
+ "sub": "https://openid.sunet.se",
+ "iat": 1516239022,
+ "exp": 1516298022,
+ "metadata": {
+ "openid_provider": {
+ "issuer": "https://openid.sunet.se",
+ "signed_jwks_uri": "https://openid.sunet.se/jwks.jose",
+ "authorization_endpoint":
+ "https://openid.sunet.se/authorization",
+ "client_registration_types_supported": [
+ "automatic",
+ "explicit"
+ ],
+ "grant_types_supported": [
+ "authorization_code"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "ES256", "RS256"
+ ],
+ "logo_uri":
+ "https://www.umu.se/img/umu-logo-left-neg-SE.svg",
+ "op_policy_uri":
+ "https://www.umu.se/en/website/legal-information/",
+ "response_types_supported": [
+ "code"
+ ],
+ "subject_types_supported": [
+ "pairwise",
+ "public"
+ ],
+ "token_endpoint": "https://openid.sunet.se/token",
+ "federation_registration_endpoint":
+ "https://op.umu.se/openid/fedreg",
+ "token_endpoint_auth_methods_supported": [
+ "private_key_jwt"
+ ]
+
+ }
+ },
+ "jwks": {
+ "keys": [
+ {
+ "alg": "RS256",
+ "e": "AQAB",
+ "key_ops": [
+ "verify"
+ ],
+ "kid": "key1",
+ "kty": "RSA",
+ "n": "pnXBOusEANuug6ewezb9J_...",
+ "use": "sig"
+ }
+ ]
+ },
+ "authority_hints": [
+ "https://edugain.org/federation"
+ ]
+}
+
+GET /federation_fetch_endpoint?
+iss=https%3A%2F%2Fedugain.org%2Ffederation&
+sub=https%3A%2F%2Fopenid%2Esunet%2Ese HTTP/1.1
+Host: edugain.org
+
+
+GET /federation_fetch_endpoint?
+iss=https%3A%2F%2Fedugain.org%2Ffederation&
+sub=https%3A%2F%2Fopenid%2Esunet%2Ese HTTP/1.1
+Host: edugain.org
+
+200 OK
+Content-Type: application/entity-statement+jwt
+
+{
+ "iss": "https://edugain.org/federation",
+ "sub": "https://openid.sunet.se"
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
+ "kty": "RSA",
+ "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
+ }
+ ]
+ },
+ "metadata":{
+ "federation_entity": {
+ "organization_name":"SUNET"
+ }
+ }
+ "metadata_policy": {
+ "openid_provider": {
+ "subject_types_supported": {
+ "value": [
+ "pairwise"
+ ]
+ },
+ "token_endpoint_auth_methods_supported": {
+ "default": [
+ "private_key_jwt"
+ ],
+ "subset_of": [
+ "private_key_jwt",
+ "client_secret_jwt"
+ ],
+ "superset_of": [
+ "private_key_jwt"
+ ]
+ }
+ }
+ }
+}
+7
+GET /resolve?
+sub=https%3A%2F%2Fop.example.it%2Fspid&
+type=openid_provider&
+anchor=https%3A%2F%2Fswamid.se HTTP/1.1
+Host: openid.sunet.se
+
+GET /resolve?
+sub=https%3A%2F%2Fop.example.it%2Fspid&
+type=openid_provider&
+anchor=https%3A%2F%2Fswamid.se HTTP/1.1
+Host: openid.sunet.se
+
+
+{
+ "iss": "https://resolver.spid.gov.it/",
+ "sub": "https://op.example.it/spid/",
+ "iat": 1516239022,
+ "exp": 1516298022,
+ "metadata": {
+ "openid_provider": {
+ "contacts": ["legal@example.it", "technical@example.it"],
+ "logo_uri":
+ "https://op.example.it/static/img/op-logo.svg",
+ "op_policy_uri":
+ "https://op.example.it/en/about-the-website/legal-information/",
+ "federation_registration_endpoint":"https://op.example.it/spid/fedreg/",
+ "authorization_endpoint":
+ "https://op.example.it/spid/authorization/",
+ "token_endpoint": "https://op.example.it/spid/token/",
+ "response_types_supported": [
+ "code",
+ "code id_token",
+ "token"
+ ],
+ "grant_types_supported": [
+ "authorization_code",
+ "implicit",
+ "urn:ietf:params:oauth:grant-type:jwt-bearer"
+ ],
+ "subject_types_supported": ["pairwise"],
+ "id_token_signing_alg_values_supported": ["RS256"],
+ "issuer": "https://op.example.it/spid/",
+ "jwks": {
+ "keys": [
+ {
+ "kty": "RSA",
+ "use": "sig",
+ "n": "1Ta-sE ...",
+ "e": "AQAB",
+ "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs"
+ }
+ ]
+ }
+ }
+ },
+ "trust_marks": [
+ {"id": "https://www.spid.gov.it/certification/op/",
+ "trust_mark":
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRGRTFjMFF4UzBFdFFrWmxNRXR3ZWxOQl"
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijh4c3VLV2lWZndTZ0hvZjFUZTRPVWRjeT"
+ "RxN2RKcktmRlJsTzV4aEhJYTAifQ.eyJpc3MiOiJodHRwczovL3d3dy5hZ2lkL"
+ "mdvdi5pdCIsInN1YiI6Imh0dHBzOi8vb3AuZXhhbXBsZS5pdC9zcGlkLyIsIml"
+ "hdCI6MTU3OTYyMTE2MCwiaWQiOiJodHRwczovL3d3dy5zcGlkLmdvdi5pdC9jZ"
+ "XJ0aWZpY2F0aW9uL29wLyIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuYWdpZC5"
+ "nb3YuaXQvdGhlbWVzL2N1c3RvbS9hZ2lkL2xvZ28uc3ZnIiwicmVmIjoiaHR0c"
+ "HM6Ly9kb2NzLml0YWxpYS5pdC9pdGFsaWEvc3BpZC9zcGlkLXJlZ29sZS10ZWN"
+ "uaWNoZS1vaWRjL2l0L3N0YWJpbGUvaW5kZXguaHRtbCJ9"
+ }
+ ],
+ "trust_chain" : [
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...",
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..."
+ ]
+}
+
+GET /list HTTP/1.1
+Host: openid.sunet.se
+7.3.2. Subordinate Listing Response
+
+A successful response MUST use the HTTP status code 200 and the content type set
to application/json, containing a JSON array with the known Entity Identifiers.
+
+If the response is negative, the response should be produced in accordance with
what is defined in Section 7.7.
+
+The following is a non-normative example of a response, containing the Subordinate
Entities:
+
+200 OK
+Content-Type: application/json
+
+[
+ "https://ntnu.andreas.labs.uninett.no/",
+ "https://blackboard.ntnu.no/openid/callback",
+ "https://serviceprovider.andreas.labs.uninett.no/application17"
+]
+
+
+POST /federation_trust_mark_status_endpoint HTTP/1.1
+Host: op.example.org
+Content-Type: application/x-www-form-urlencoded
+
+sub=https%3A%2F%2Fopenid.sunet.se%2FRP
+&id=https%3A%2F%2Frefeds.org%2Fsirtfi
+
+POST /federation_trust_mark_status_endpoint HTTP/1.1
+Host: op.example.org
+Content-Type: application/x-www-form-urlencoded
+
+sub=https%3A%2F%2Fopenid.sunet.se%2FRP
+&id=https%3A%2F%2Frefeds.org%2Fsirtfi
+
+
+200 OK
+Content-Type: application/json
+
+{
+ "active": true
+}
+
+200 OK
+Content-Type: application/json
+
+{
+ "active": true
+}
+
+
+GET /trust_marked_list?trust_mark_id=https%3A%2F%2Ffederation.example.org
%2Fopenid_relying_party%2Fprivate%2Funder-age HTTP/1.1
+Host: trust-mark-issuer.example.org
+
+200 OK
+Content-Type: application/json
+
+[
+ "https://blackboard.ntnu.no/openid/rp",
+ "https://that-rp.example.org"
+]
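Review bot: the trust-marked RP is listed here as `https://blackboard.ntnu.no/openid/rp`, while the subordinate listing above uses `https://blackboard.ntnu.no/openid/callback`; an Entity Identifier should be the same at both endpoints, so use one of the two consistently.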
+GET /.well-known/openid-federation-historical-jwks HTTP/1.1
+Host: trust-anchor.example.com
+
+
+ HTTP/1.1 200 OK
+Content-Type: application/jwk-set+jwt
+
+{
+ "iss": "https://trust-anchor.federation.example.com",
+ "iat": 123972394272,
+ "keys":
+ [
+ {
+ "kty":"RSA",
+ "n":"5s4qi …",
+ "e":"AQAB",
+ "kid":"2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
+ "iat": 123972394872,
+ "exp": 123974395972
+ },
+ {
+ "kty":"RSA",
+ "n":"ng5jr …",
+ "e":"AQAB",
+ "kid":"8KnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMJJr",
+ "iat": 123972394872,
+ "exp": 123974394972
+ "revoked": {
+ "revoked_at": 123972495172,
+ "reason": "keyCompromise",
+ "reason_code": 1
+ }
+ }
+ ]
+}
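Review bot: the historical JWKS body is not valid JSON: a comma is missing after `"exp": 123974394972` before `"revoked": {`. The request `Host: trust-anchor.example.com` does not match `"iss": "https://trust-anchor.federation.example.com"` in the body; pick one host. Since the Content-Type is `application/jwk-set+jwt`, the body shown is the decoded JWT payload and should be labelled as such. The revoked key carries `"reason": "keyCompromise"` with `"reason_code": 1`, which matches the RFC 5280 CRLReason values; the text should state how a consumer treats signatures made with that key before `revoked_at` (for a key compromise the actual compromise time is unknown, so treating them as untrusted is the conservative choice).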
+7.6.3
+
+
+ 400 Bad request
+Content-Type: application/json
+
+{
+ "error": "invalid_request",
+ "error_description":
+ "Required request parameter [sub] was missing."
+}
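Review bot: the status line `400 Bad request` is inconsistent with `HTTP/1.1 200 OK` and the bare `200 OK` used in the other examples; use one form (`HTTP/1.1 400 Bad Request`) throughout. The stray `7.6.3` line above this example is a section number with no title.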
+8+-----+ +-----+
+-------------+
+| RP | | OP | |
TrustAnchor |
++-----+ +-----+
+-------------+
+ | |
|
+ | Entity Configuration Request |
|
+ |<---------------------------------|
|
+ | |
|
+ | Entity Configuration Response |
|
+ |--------------------------------->|
|
+ | |
|
+ | | Evaluates authority_hints
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Entity Configuration Request
|
+ |
|--------------------------------------------->|
+ | |
|
+ | | Entity Configuration
Response |
+ | |
<---------------------------------------------|
+ | |
|
+ | | Obtains Fetch endpoint
|
+ | |-----------------------
|
+ | | |
|
+ | |<----------------------
|
+ | |
|
+ | | Request Entity Statement about the RP
|
+ |
|--------------------------------------------->|
+ | |
|
+ | | Entity Statement about the
RP |
+ | |
<---------------------------------------------|
+ | |
|
+ | | Evaluates the Trust Chain
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Applies metadata policies
|
+ | |--------------------------
|
+ | | |
|
+ | |<-------------------------
|
+ | |
|
+ | | Derivates the RP's final metadata
|
+ | |----------------------------------
|
+ | | |
|
+ | |<---------------------------------
|
+ | |
|
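Review bot: in the sequence diagram, "Derivates the RP's final metadata" should read "Derives the RP's final metadata". The right-hand TrustAnchor lifeline has wrapped onto separate lines and the leading `8` fused to the top border (`8+-----+`) is the section number; re-flow the figure so the three lifelines sit on one row. The figure shows only the one-hop case (Trust Anchor directly above the RP); a sentence noting that the "Obtains Fetch endpoint" and "Request Entity Statement" steps repeat once per Intermediate would make it match the multi-hop examples in the appendix.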
+8.2. Validating a Trust Chain
+
+As
+
+ <private_key_jwt>
+
+{
+ "alg": "RS256",
+ "kid": "that-kid-which-points-to-a-jwk-contained-in-the-trust-chain",
+ "trust_chain" : [
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...",
+ "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..."
+ ]
+}
+.
+{
+ "aud": "https://op.example.org",
+ "client_id": "https://rp.example.com",
+ "exp": 1589699162,
+ "iat": 1589699102,
+ "iss": "https://rp.example.com",
+ "jti": "4d3ec0f81f134ee9a97e0449be6d32be",
+ "nonce": "4LX0mFMxdBjkGmtx7a8WIOnB",
+ "redirect_uri": "https://rp.example.com/authz_cb",
+ "response_type": "code",
+ "scope": "openid profile email address phone",
+ "state": "YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ"
+}
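Review bot: section "8.2. Validating a Trust Chain" consists of the single word "As", so the paragraph is truncated and needs to be completed or the heading removed. The `<private_key_jwt>` label does not match the JWT that follows it: the payload (`client_id`, `redirect_uri`, `response_type`, `scope`, `state`, `nonce`) is a Request Object for an Authentication Request, not a client assertion; relabel it. The `trust_chain` header parameter again repeats the same string as its second and third entries.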
+The following is a non-normative example of an Authentication Request using the
request parameter (with line wraps within values for display purposes only):
+
+https://server.example.com/authorize?
+ redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb
+ &scope=openid+profile+email+address+phone
+ &response_type=code
+ &client_id=https%3A%2F%2Frp.example.com
+ &request=eyJ0cnVzdF9jaGFpbiI6WyJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2SW1z
+ MU5FaFJkRVJwWW5sSFkzTTVXbGRXVFdaMmFVaG0gLi4uIiwiZXlKaGJHY2lPaUpT
+ VXpJMU5pSXNJbXRwWkNJNklrSllkbVp5Ykc1b1FVMTFTRkl3TjJGcVZXMUJZMEpT
+ IC4uLiIsImV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJa0pZZG1aeWJHNW9R
+ VTExU0ZJd04yRnFWVzFCWTBKUyAuLi4iXSwiYWxnIjoiUlMyNTYiLCJraWQiOiI2
+ X2VGcGNoNXpTYm1QT3hMdGRGLXlrM1dqVFJvUGpBMll6UTd5YnJmV2dvIn0.eyJh
+ dWQiOiJodHRwczovL29wLmV4YW1wbGUub3JnIiwiY2xpZW50X2lkIjoiaHR0cHM6
+ Ly9ycC5leGFtcGxlLmNvbSIsImV4cCI6MTU4OTY5OTE2MiwiaWF0IjoxNTg5Njk5
+ MTAyLCJpc3MiOiJodHRwczovL3JwLmV4YW1wbGUuY29tIiwianRpIjoiNGQzZWMw
+ ZjgxZjEzNGVlOWE5N2UwNDQ5YmU2ZDMyYmUiLCJub25jZSI6IjRMWDBtRk14ZEJq
+ a0dtdHg3YThXSU9uQiIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vcnAuZXhhbXBs
+ ZS5jb20vYXV0aHpfY2IiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInNjb3BlIjoi
+ b3BlbmlkIHByb2ZpbGUgZW1haWwgYWRkcmVzcyBwaG9uZSIsInN0YXRlIjoiWW1Y
+ OFBNOUk3V2JOb01ubmllS0tCaXB0Vlcwc1AyT1oiLCJzdWIiOiJodHRwczovL3Jw
+ LmV4YW1wbGUuY29tIn0.Gjo1NSYAx5PIllnUJhRCzZT-ezqyofU95pnGsgzclTfj
+ cYCwSef_g2cniIWX4-35cAYR-NcAGEzaDIvQgzQ90O_24HlCtZ6yvUlb65uhZGGt
+ O1TvsI7bl-92yrYCKD8fmaWH73R7qXZ8uLNspRy0L4emGXdUrFJ8RozE5asEdY_L
+ _1orhot6uwWWrYE5cSyxJqCk_G1ackqKRmOlHB3EX3pNmVZodz6DQyONLeBqiMId
+ xpvVALEkmpAQavEwrfpA-s4K3QIJrKAbEVQ1AfyQR0cGDd7fF4bju-wigYhBura0
+ Pv4PrEFSNYG22b5ZPoubTPoFe-7W5Ypec_Io1aXNDA
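Review bot: the Request Object's `"aud": "https://op.example.org"` does not identify the endpoint it is sent to, `https://server.example.com/authorize`; the OP checks that `aud` names itself, so use the same host in both places. The encoded `request` value also decodes to a payload ending `,"sub":"https://rp.example.com"}` (the trailing `LCJzdWIiOiJodHRwczovL3JwLmV4YW1wbGUuY29tIn0`), a claim the decoded claims set above omits; keep the two representations in sync.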
+
+ eduGAIN
+ |
+ +------------------+------------------+
+ | |
+ SWAMID InCommon
+ | |
+ umu.se |
+ | |
+ op.umu.se wiki.ligo.org
+
+ POST /par HTTP/1.1
+Host: op.example.org
+Content-Type: application/x-www-form-urlencoded
+
+redirect_uri=https%3A%2F%2Frp.example.com%2Fauthz_cb
+&scope=openid+profile+email+address+phone
+&response_type=code
+&nonce=4LX0mFMxdBjkGmtx7a8WIOnB
+&state=YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ
+&client_id=https%3A%2F%2Frp.example.com
+&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
+ client-assertion-type%3Ajwt-bearer
+&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJ
+ hMDF3Umtoa1NXcGxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbW
+ hFUVhnelpYbHBUemRRTkEifQ.eyJzdWIiOiAiaHR0cHM6Ly9ycC
+ 5leGFtcGxlLmNvbSIsICJpc3MiOiAiaHR0cHM6Ly9ycC5leGFtc
+ GxlLmNvbSIsICJpYXQiOiAxNTg5NzA0NzAxLCAiZXhwIjogMTU4
+ OTcwNDc2MSwgImF1ZCI6ICJodHRwczovL29wLmV4YW1wbGUub3J
+ nL2F1dGhvcml6YXRpb24iLCAianRpIjogIjM5ZDVhZTU1MmQ5Yz
+ Q4ZjBiOTEyZGM1NTY4ZWQ1MGQ2In0.oUt9Knx_lxb4V2S0tyNFH
+ CNZeP7sImBy5XDsFxv1cUpGkAojNXSy2dnU5HEzscMgNW4wguz6
+ KDkC01aq5OfN04SuVItS66bsx0h4Gs7grKAp_51bClzreBVzU4g
+ _-dFTgF15T9VLIgM_juFNPA_g4Lx7Eb5r37rWTUrzXdmfxeou0X
+ FC2p9BIqItU3m9gmH0ojdBCUX5Up0iDsys6_npYomqitAcvaBRD
+ PiuUBa5Iar9HVR-H7FMAr7aq7s-dH5gx2CHIfM3-qlc2-_Apsy0
+ BrQl6VePR6j-3q6JCWvNw7l4_F2UpHeanHb31fLKQbK-1yoXDNz
+ DwA7B0ZqmuSmMFQ
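Review bot: the `client_assertion` header decodes to `{"alg":"RS256","kid":"…"}` with no `trust_chain` parameter, so in this example the OP has to resolve the RP's Trust Chain itself from `client_id`; the text should say so, since the earlier Request Object example carries the chain in its header. The assertion payload decodes with `"aud": "https://op.example.org/authorization"` (the `L2F1dGhvcml6YXRpb24i` fragment) while the request is posted to `/par`; state which audience value the OP accepts for assertions presented at the pushed authorization request endpoint.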
+
+HTTP/1.1 302 Found
+ Location: https://client.example.org/cb?
+ error=missing_trust_anchor
+ &error_description=
+ Could%20not%20find%20a%20trusted%20anchor
+ &state=af0ifjsldkj
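Review bot: this error response redirects to `https://client.example.org/cb` with `error=missing_trust_anchor`, but if no Trust Anchor could be found the OP has not validated the RP's metadata, and therefore not its `redirect_uri` either. Redirecting an error to an unverified URI is what OpenID Connect Core forbids for invalid redirection URIs; the text should say that the OP renders the error locally in this case, or state what independent validation of the `redirect_uri` (for example an existing explicit registration) makes the redirect acceptable.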
+
+ eduGAIN
+ |
+ +------------------+------------------+
+ | |
+ SWAMID InCommon
+ | |
+ umu.se |
+ | |
+ op.umu.se wiki.ligo.org
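Review bot: this eduGAIN / SWAMID / InCommon figure repeats, character for character, the figure that already appears above the `POST /par` example; keep one copy and refer back to it.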
+
+ {
+ "authority_hints": [
+ "https://umu.se"
+ ],
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://op.umu.se",
+ "sub": "https://op.umu.se",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
+ "kty": "RSA",
+ "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
+ }
+ ]
+ },
+ "metadata": {
+ "openid_provider": {
+ "issuer": "https://op.umu.se/openid",
+ "signed_jwks_uri": "https://op.umu.se/openid/jwks.jose",
+ "authorization_endpoint":
+ "https://op.umu.se/openid/authorization",
+ "client_registration_types_supported": [
+ "automatic",
+ "explicit"
+ ],
+ "request_parameter_supported": true,
+ "grant_types_supported": [
+ "authorization_code",
+ "implicit",
+ "urn:ietf:params:oauth:grant-type:jwt-bearer"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "ES256", "RS256"
+ ],
+ "logo_uri":
+ "https://www.umu.se/img/umu-logo-left-neg-SE.svg",
+ "op_policy_uri":
+ "https://www.umu.se/en/website/legal-information/",
+ "response_types_supported": [
+ "code",
+ "code id_token",
+ "token"
+ ],
+ "subject_types_supported": [
+ "pairwise",
+ "public"
+ ],
+ "token_endpoint": "https://op.umu.se/openid/token",
+ "federation_registration_endpoint":
+ "https://op.umu.se/openid/fedreg",
+ "token_endpoint_auth_methods_supported": [
+ "client_secret_post",
+ "client_secret_basic",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ]
+ }
+ }
+}
+The <<authority_hints>> points to the Intermediate Entity <<https://umu.se>>
+
+GET /.well-known/openid-federation HTTP/1.1
+Host: umu.se
+And the GET will return:
+
+{
+ "authority_hints": [
+ "https://swamid.se"
+ ],
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://umu.se",
+ "sub": "https://umu.se",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...",
+ "kty": "RSA",
+ "n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..."
+ }
+ ]
+ },
+ "metadata": {
+ "federation_entity": {
+ "contacts": "ops@umu.se",
+ "federation_fetch_endpoint": "https://umu.se/oidc/fedapi",
+ "homepage_uri": "https://www.umu.se",
+ "organization_name": "UmU"
+ }
+ }
+}
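Review bot: `"contacts": "ops@umu.se"` is a string here (and `"ops@swamid.se"` in the SWAMID configuration below), whereas the resolved metadata later gives `contacts` as an array (`["ops@swamid.se"]`, `["ops@ligo.org", …]`); use the array form in every example so the `add` operator has a consistent target type. The `<<authority_hints>>` and `<<https://umu.se>>` markup in "The <<authority_hints>> points to the Intermediate Entity" is unrendered formatting residue, and the sentence needs a full stop.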
+The only piece of information that is used from this Entity Statement is the
<<federation_fetch_endpoint>> which is used in the next step.
+
+A.2.3. Entity Statement Published by 'https://umu.se' about 'https://op.umu.se'
+
+The RP uses the fetch endpoint provided by https://umu.se as defined in Section
7.1.1 to fetch information about "https://op.umu.se".
+
+The request will look like this:
+
+GET /oidc/fedapi?sub=https%3A%2F%2Fop.umu.se&
+iss=https%3A%2F%2Fumu.se HTTP/1.1
+Host: umu.se
+and the result is this:
+
+{
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://umu.se",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "dEEtRjlzY3djcENuT01wOGxrZlkxb3RIQVJlMTY0...",
+ "kty": "RSA",
+ "n": "x97YKqc9Cs-DNtFrQ7_vhXoH9bwkDWW6En2jJ044yH..."
+ }
+ ]
+ },
+ "metadata_policy": {
+ "openid_provider": {
+ "contacts": {
+ "add": [
+ "ops@swamid.se"
+ ]
+ },
+ "organization_name": {
+ "value": "University of Ume\u00e5"
+ },
+ "subject_types_supported": {
+ "value": [
+ "pairwise"
+ ]
+ },
+ "token_endpoint_auth_methods_supported": {
+ "default": [
+ "private_key_jwt"
+ ],
+ "subset_of": [
+ "private_key_jwt",
+ "client_secret_jwt"
+ ],
+ "superset_of": [
+ "private_key_jwt"
+ ]
+ }
+ }
+ },
+ "sub": "https://op.umu.se"
+}
+
+ GET /.well-known/openid-federation HTTP/1.1
+Host: swamid.se
+And the GET will return:
+
+{
+ "authority_hints": [
+ "https://edugain.geant.org"
+ ],
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://swamid.se",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...",
+ "kty": "RSA",
+ "n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..."
+ }
+ ]
+ },
+ "metadata": {
+ "federation_entity": {
+ "contacts": "ops@swamid.se",
+ "federation_fetch_endpoint":
+ "https://swamid.se/fedapi",
+ "homepage_uri": "https://www.sunet.se/swamid/",
+ "organization_name": "SWAMID"
+ }
+ },
+ "sub": "https://swamid.se"
+}
+The only piece of information that is used from this Entity Statement is the
federation_fetch_endpoint, which is used in the next step.
+
+A.2.5. Entity Statement Published by 'https://swamid.se' about 'https://umu.se'
+
+The LIGO Wiki RP uses the fetch endpoint provided by "https://swamid.se" as
defined in Section 7.1.1 to fetch information about "https://umu.se".
+
+The request will look like this:
+
+GET /fedapi?sub=https%3A%2F%2Fumu.se&
+iss=https%3A%2F%2Fswamid.se HTTP/1.1
+Host: swamid.se
+and the result is this:
+
+{
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://swamid.se",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "endwNUZrNTJsX2NyQlp4bjhVcTFTTVltR2gxV2RV...",
+ "kty": "RSA",
+ "n": "vXdXzZwQo0hxRSmZEcDIsnpg-CMEkor50SOG-1XUlM..."
+ }
+ ]
+ },
+ "metadata_policy": {
+ "openid_provider": {
+ "id_token_signing_alg_values_supported": {
+ "subset_of": [
+ "RS256",
+ "ES256",
+ "ES384",
+ "ES512"
+ ]
+ },
+ "token_endpoint_auth_methods_supported": {
+ "subset_of": [
+ "client_secret_jwt",
+ "private_key_jwt"
+ ]
+ },
+ "userinfo_signing_alg_values_supported": {
+ "subset_of": [
+ "ES256",
+ "ES384",
+ "ES512"
+ ]
+ }
+ }
+ },
+ "sub": "https://umu.se"
+}
+
+GET /.well-known/openid-federation HTTP/1.1
+Host: edugain.geant.org
+And the GET will return:
+
+{
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://edugain.geant.org",
+ "sub": "https://edugain.geant.org",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "Sl9DcjFxR3hrRGdabUNIR21KT3dvdWMyc2VUM2Fr...",
+ "kty": "RSA",
+ "n": "xKlwocDXUw-mrvDSO4oRrTRrVuTwotoBFpozvlq-1q..."
+ }
+ ]
+ },
+ "metadata": {
+ "federation_entity": {
+ "federation_fetch_endpoint": "https://geant.org/edugain/api"
+ }
+ }
+}
+
+Within the Trust Anchor Entity Configuration, the Relying Party looks for the
federation_fetch_endpoint and gets the updated Federation Entity Keys of the Trust
Anchor. Each Entity within a Federation may change their Federation Entity Keys, or
any other attributes, at any time. See Section 9.2 for futhers details.
+
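Review bot: "See Section 9.2 for futhers details" has a typo ("further"). The sentence "looks for the federation_fetch_endpoint and gets the updated Federation Entity Keys of the Trust Anchor" is unclear about where those keys come from: the Entity Configuration shown already carries the Trust Anchor's `jwks`, while the fetch endpoint returns statements about subordinates; rewrite it to say which response supplies the keys the RP uses to verify the Trust Anchor's statements.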
+A.2.7. Entity Statement Published by 'https://edugain.geant.org' about
'https://swamid.se'
+
+The LIGO Wiki RP uses the fetch endpoint of https://edugain.geant.org as defined
in Section 7.1.1 to fetch information about "https://swamid.se".
+
+The request will look like this:
+
+GET /edugain/api?sub=https%3A%2F%2Fswamid.se&
+iss=https%3A%2F%2Fedugain.geant.org HTTP/1.1
+Host: geant.org
+and the result is this:
+
+{
+ "exp": 1568397247,
+ "iat": 1568310847,
+ "iss": "https://edugain.geant.org",
+ "jwks": {
+ "keys": [
+ {
+ "e": "AQAB",
+ "kid": "N1pQTzFxUXZ1RXVsUkVuMG5uMnVDSURGRVdhUzdO...",
+ "kty": "RSA",
+ "n": "3EQc6cR_GSBq9km9-WCHY_lWJZWkcn0M05TGtH6D9S..."
+ }
+ ]
+ },
+ "metadata_policy": {
+ "openid_provider": {
+ "contacts": {
+ "add": "ops@edugain.geant.org"
+ }
+ },
+ "openid_relying_party": {
+ "contacts": {
+ "add": "ops@edugain.geant.org"
+ }
+ }
+ },
+ "sub": "https://swamid.se"
+}
+{
+ "authorization_endpoint":
+ "https://op.umu.se/openid/authorization",
+ "claims_parameter_supported": false,
+ "contacts": [
+ "ops@swamid.se"
+ ],
+ "federation_registration_endpoint":
+ "https://op.umu.se/openid/fedreg",
+ "client_registration_types_supported": [
+ "automatic",
+ "explicit"
+ ],
+ "grant_types_supported": [
+ "authorization_code",
+ "implicit",
+ "urn:ietf:params:oauth:grant-type:jwt-bearer"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "RS256",
+ "ES256"
+ ],
+ "issuer": "https://op.umu.se/openid",
+ "signed_jwks_uri": "https://op.umu.se/openid/jwks.jose",
+ "logo_uri":
+ "https://www.umu.se/img/umu-logo-left-neg-SE.svg",
+ "organization_name": "University of Ume\u00e5",
+ "op_policy_uri":
+ "https://www.umu.se/en/website/legal-information/",
+ "request_parameter_supported": true,
+ "request_uri_parameter_supported": true,
+ "require_request_uri_registration": true,
+ "response_types_supported": [
+ "code",
+ "code id_token",
+ "token"
+ ],
+ "subject_types_supported": [
+ "pairwise"
+ ],
+ "token_endpoint": "https://op.umu.se/openid/token",
+ "token_endpoint_auth_methods_supported": [
+ "private_key_jwt",
+ "client_secret_jwt"
+ ]
+}
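Review bot: the resolved OP metadata does not follow from the policies shown above: eduGAIN's `openid_provider` policy adds `ops@edugain.geant.org` to `contacts`, yet the result lists only `["ops@swamid.se"]`. Either add the contact to the result or explain why the edugain.geant.org policy did not apply. This block also starts immediately after the eduGAIN statement with no heading or lead sentence saying that it is the result of applying the combined metadata policy to op.umu.se's Entity Configuration.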
+GET /openid/authorization?
+ request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRVTjJhMDF3Umtoa1NXc
+ GxRVGh2Y1ZCSU5VSXdUVWRPVUZVMlRtVnJTbWhFUVhnelpYbHBUemRR
+ TkEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic2NvcGUiOiAi
+ b3BlbmlkIHByb2ZpbGUgZW1haWwiLCAiY2xpZW50X2lkIjogImh0dHB
+ zOi8vd2lraS5saWdvLm9yZyIsICJzdGF0ZSI6ICIyZmY3ZTU4OS0zOD
+ Q4LTQ2ZGEtYTNkMi05NDllMTIzNWU2NzEiLCAibm9uY2UiOiAiZjU4M
+ WExODYtYWNhNC00NmIzLTk0ZmMtODA0ODQwODNlYjJjIiwgInJlZGly
+ ZWN0X3VyaSI6ICJodHRwczovL3dpa2kubGlnby5vcmcvb3BlbmlkL2N
+ hbGxiYWNrIiwgImlzcyI6ICIiLCAiaWF0IjogMTU5MzU4ODA4NSwgIm
+ F1ZCI6ICJodHRwczovL29wLnVtdS5zZSJ9.cRwSFNcDx6VsacAQDcIx
+ 5OAt_Pj30I_uUKRh04N4QJd6MZ0f50sETRv8uspSt9fMa-5yV3uzthX
+ _v8OtQrV33gW1vzgOSRCdHgeCN40StbzjFk102seDwtU_Uzrcsy7KrX
+ YSBp8U0dBDjuxC6h18L8ExjeR-NFjcrhy0wwua7Tnb4QqtN0QCia6DD
+ 8QBNVTL1Ga0YPmMdT25wS26wug23IgpbZB20VUosmMGgGtS5yCI5AwK
+ Bhozv-oBH5KxxHzH1Oss-RkIGiQnjRnaWwEOTITmfZWra1eHP254wFF
+ 2se-EnWtz1q2XwsD9NSsOEJwWJPirPPJaKso8ng6qrrOSgw
+ &response_type=code
+ &client_id=https%3A%2F%2Fwiki.ligo.org
+ &redirect_uri=https%3A%2F%2Fwiki.ligo.org/openid/callback
+ &scope=openid+profile+email
+ HTTP/1.1
+Host: op.umu.se
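Review bot: the `request` value in this Authentication Request decodes to a Request Object whose `iss` is the empty string (`ImlzcyI6ICIi`, i.e. `"iss": ""`); the Request Object issuer should be the RP's `client_id`, `https://wiki.ligo.org`. Its `"aud": "https://op.umu.se"` also differs from the OP's `issuer` value `https://op.umu.se/openid` in the resolved metadata, so the OP would not recognise itself as the audience; align them. The query string leaves the path of `redirect_uri` unencoded (`https%3A%2F%2Fwiki.ligo.org/openid/callback`), unlike the other examples.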
+
+edugain.geant.org
+"metadata_policy": {
+ "openid_provider": {
+ "contacts": {
+ "add": "ops@edugain.geant.org"
+ }
+ },
+ "openid_relying_party": {
+ "contacts": {
+ "add": "ops@edugain.geant.org"
+ }
+ }
+}
+incommon.org
+"metadata_policy": {
+ "openid_relying_party": {
+ "application_type": {
+ "one_of": [
+ "web",
+ "native"
+ ]
+ },
+ "contacts": {
+ "add": "ops@incommon.org"
+ },
+ "grant_types": {
+ "subset_of": [
+ "authorization_code",
+ "refresh_token"
+ ]
+ }
+ }
+}
+Combining these and apply them to the metadata for wiki.ligo.org:
+
+"metadata": {
+ "application_type": "web",
+ "client_name": "LIGO Wiki",
+ "contacts": [
+ "ops@ligo.org"
+ ],
+ "grant_types": [
+ "authorization_code",
+ "refresh_token"
+ ],
+ "id_token_signed_response_alg": "RS256",
+ "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
+ "redirect_uris": [
+ "https://wiki.ligo.org/openid/callback"
+ ],
+ "response_types": [
+ "code"
+ ],
+ "subject_type": "public"
+}
+The final result is:
+
+{
+ "application_type": "web",
+ "client_name": "LIGO Wiki",
+ "contacts": [
+ "ops@ligo.org",
+ "ops@edugain.geant.org",
+ "ops@incommon.org"
+ ],
+ "grant_types": [
+ "refresh_token",
+ "authorization_code"
+ ],
+ "id_token_signed_response_alg": "RS256",
+ "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
+ "redirect_uris": [
+ "https://wiki.ligo.org/openid/callback"
+ ],
+ "response_types": [
+ "code"
+ ],
+ "subject_type": "public"
+}
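Review bot: "Combining these and apply them to the metadata for wiki.ligo.org" should read "Combining these and applying them". The worked result is consistent with the two policies (the `add` contacts are appended, `grant_types` is the intersection with `subset_of`, `application_type` satisfies `one_of`), but the two policy fragments are introduced only by the bare labels `edugain.geant.org` and `incommon.org`; a sentence stating that these are the `metadata_policy` values from the two Entity Statements in the RP's Trust Chain would make the example self-explanatory.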
+Once the Trust Chain and the final Relying Party metadata have been obtained, the
OpenID Provider has everything needed to validate the signature of the Request
Object in the Authentication Request, using the public keys made available at the
signed_jwks_uri endpoint.
+
+A.3.2. Client Starts with Registration (Explicit Client Registration)
+
+Here the LIGO Wiki RP sends a client registration request to the
federation_registration_endpoint of the OP (op.umu.se). What it sends is an Entity
Configuration.
+
+The JWT Claims Set of that Entity Configuration might look like this:
+
+{
+ "iss": "https://wiki.ligo.org",
+ "sub": "https://wiki.ligo.org",
+ "iat": 1676045527,
+ "exp": 1676063610,
+ "aud": "https://op.umu.se",
+ "metadata": {
+ "openid_relying_party": {
+ "application_type": "web",
+ "client_name": "LIGO Wiki",
+ "contacts": ["ops@ligo.org"],
+ "grant_types": ["authorization_code"],
+ "id_token_signed_response_alg": "RS256",
+ "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
+ "redirect_uris": [
+ "https://wiki.ligo.org/openid/callback"
+ ],
+ "response_types": ["code"],
+ "subject_type": "public"
+ }
+ },
+ "jwks": {
+ "keys": [
+ {
+ "kty": "RSA",
+ "use": "sig",
+ "kid":
+ "U2JTWHY0VFg0a2FEVVdTaHptVDJsNDNiSDk5MXRBVEtNSFVkeXZwb",
+ "e": "AQAB",
+ "n":
+ "4AZjgqFwMhTVSLrpzzNcwaCyVD88C_Hb3Bmor97vH-2AzldhuVb8K..."
+ }
+ ]
+ },
+ "authority_hints": ["https://incommon.org"]
+}
+Once the OP has the Entity Configuration, it proceeds with the same sequence of
steps as laid out in Appendix A.2.
+
+The OP will end up with the same RP metadata described in Appendix A.3.1.2, but it
now can return a metadata policy that it wants to be applied to the RP's metadata.
This metadata policy will be combined with the Trust Chain's combined metadata
policy before being applied to the RP's metadata.
+
+If we assume that the OP does not support refresh tokens, it MAY want to add a
metadata policy that says:
+
+"metadata_policy": {
+ "openid_relying_party": {
+ "grant_types": {
+ "subset_of": [
+ "authorization_code"
+ ]
+ }
+ }
+}
+Thus, the Entity Statement returned by the OP to the RP MAY look like this:
+
+{
+ "trust_anchor_id": "https://edugain.geant.org",
+ "metadata_policy": {
+ "openid_relying_party": {
+ "contacts": {
+ "add": [
+ "ops@incommon.org",
+ "ops@edugain.geant.org"
+ ]
+ }
+ }
+ },
+ "metadata": {
+ "openid_relying_party": {
+ "client_id": "m3GyHw",
+ "client_secret_expires_at": 1604049619,
+ "client_secret":
+ "cb44eed577f3b5edf3e08362d47a0dc44630b3dc6ea99f7a79205"
+ "client_id_issued_at": 1601457619
+ }
+ },
+ "authority_hints": [
+ "https://incommon.org"
+ ],
+ "aud": "https://wiki.ligo.org",
+ "jwks": {
+ "keys": [
+ {
+ "kty": "RSA",
+ "use": "sig",
+ "kid":
+ "U2JTWHY0VFg0a2FEVVdTaHptVDJsNDNiSDk5MXRBVEtNSFVkeXZwb",
+ "e": "AQAB",
+ "n":
+ "4AZjgqFwMhTVSLrpzzNcwaCyVD88C_Hb3Bmor97vH-2AzldhuVb8K..."
+ },
+ {
+ "kty": "EC",
+ "use": "sig",
+ "kid": "LWtFcklLOGdrW",
+ "crv": "P-256",
+ "x": "X2S1dFE7zokQDST0bfHdlOWxOc8FC1l4_sG1Kwa4l4s",
+ "y": "812nU6OCKxgc2ZgSPt_dkXbYldG_smHJi4wXByDHc6g"
+ }
+ ]
+ },
+ "iss": "https://op.umu.se",
+ "iat": 1601457619,
+ "exp": 1601544019
+}
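Review bot: the Entity Statement returned by the OP has no `sub` claim; an Entity Statement about the RP needs `"sub": "https://wiki.ligo.org"` (the `aud` claim is present, `sub` is not). The JSON is also invalid: a comma is missing after the `client_secret` value before `"client_id_issued_at"`. The `metadata_policy` returned contains only the `contacts` `add` operator, although the preceding text says the OP adds a `grant_types` `subset_of ["authorization_code"]` policy; include it so the example shows what the text describes. The `jwks` lists an EC key with `"kid": "LWtFcklLOGdrW"` that the RP's Entity Configuration never published; explain where it comes from or remove it.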
+And the resulting metadata used by the RP could look like:
+
+{
+ "application_type": "web",
+ "client_name": "LIGO Wiki",
+ "client_id": "m3GyHw",
+ "client_secret_expires_at": 1604049619,
+ "client_secret": "cb44eed577f3b5edf3e08362d47a0dc44630b3dc6ea99f7a79205"
+ "client_id_issued_at": 1601457619,
+ "contacts": [
+ "ops@edugain.geant.org",
+ "ops@incommon.org",
+ "ops@ligo.org"
+ ],
+ "grant_types": [
+ "authorization_code"
+ ],
+ "id_token_signed_response_alg": "RS256",
+ "signed_jwks_uri": "https://wiki.ligo.org/jwks.jose",
+ "redirect_uris": [
+ "https://wiki.ligo.org/openid/callback"
+ ],
+ "response_types": [
+ "code"
+ ],
+ "subject_type": "public"
+}
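Review bot: a comma is missing after the `client_secret` value before `"client_id_issued_at"`, so the resulting metadata is not valid JSON. Note also that the RP's Entity Configuration already requested only `["authorization_code"]`, so the OP's `grant_types` policy changes nothing here; if the intent is to show the OP's policy taking effect, have the RP request `refresh_token` as in the automatic-registration example.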
