OpenID Federation 1.0
This is a guide to configuring the Connect2id server to operate as an OpenID Federation 1.0 compliant OpenID provider.
1. Federation entity keys
Generate and configure a JSON Web Key (JWK) set to represent the federation entity keys of the OpenID provider. Note that the federation keys are separate and independent from those used for OAuth 2.0 and OpenID Connect purposes.
The JWK set must consist of at least one RSA key which the Connect2id server will use to sign its entity configuration made available at the /.well-known/openid-federation endpoint.
New keys can be periodically added to the federation JWK set to perform key rollover.
The new federation entity key (only the public one!) must then be registered with the federation authority (trust anchor or intermediate entity, there can be more than one) where the Connect2id server is enrolled as an OpenID provider.
2. Federation configuration
Enable OpenID Federation 1.0 and configure at least one trust anchor and one authority hint. All other configuration properties, such as trust marks issued to the OpenID provider, are optional.
Example federation configuration:
op.federation.enable=true
op.federation.clientRegistrationTypes=explicit,automatic
op.federation.autoClientAuthMethods.ar=request_object
op.federation.autoClientAuthMethods.par=private_key_jwt,self_signed_tls_client_auth
op.federation.organizationName=Trusted IdP
op.federation.trustAnchors.1=https://federation.example.com
op.federation.authorityHints.1=https://federation.example.com
To verify the configuration, check the Connect2id server log. At startup the server logs the configured federation entity configuration and the loading of the federation entity keys.
Example startup log, where the OP0040 identifier can be used to locate the start of the section:
INFO main MAIN - [OP0040] OpenID Federation: Enabled: true
INFO main MAIN - [OP0041] OpenID Federation: Client registration types: [explicit, automatic]
INFO main MAIN - [OP0055] OpenID Federation: Auto client authentication methods: {pushed_authorization_request_endpoint=[private_key_jwt, tls_client_auth, self_signed_tls_client_auth], authorization_endpoint=[request_object]}
INFO main MAIN - [OP0042] OpenID Federation: Organization mame: My IdP
INFO main MAIN - [OP0043] OpenID Federation: Authority hints: [https://federation.example.com]
INFO main MAIN - [OP0044] OpenID Federation: Trust anchors: [https://federation.example.com]
INFO main MAIN - [OP0045] OpenID Federation: Constraints: Max path length: 2
INFO main MAIN - [OP0046] OpenID Federation: Constraints: Permitted: []
INFO main MAIN - [OP0047] OpenID Federation: Constraints: Excluded: []
INFO main MAIN - [OP0053] OpenID Federation: HTTP request timeout: 500ms
INFO main MAIN - [OP0054] OpenID Federation: HTTP read timeout: 500ms
INFO main MAIN - [OP0048] OpenID Federation: Contacts: null
INFO main MAIN - [OP0056] OpenID Federation: Logo URI: https://demo.c2id.com/logo.png
INFO main MAIN - [OP0049] OpenID Federation: Policy URI: https://demo.c2id.com/policy.html
INFO main MAIN - [OP0050] OpenID Federation: Homepage URI: https://demo.c2id.com
INFO main MAIN - [OP0051] OpenID Federation: Trust marks: none
INFO main MAIN - [OP0052] OpenID Federation: Issued entity statement lifetime: 604800s
INFO main MAIN - [OP0053] OpenID Federation: Auto client lifetime: 3600s
INFO main MAIN - [SE1021] Loaded JWK set from /WEB-INF/federationJWKSet.json file resource with 1 keys
To verify the published federation entity configuration of the OpenID provider, check the content of the signed JWT at the .well-known/openid-federation URL. The claims of the JWT are explained in the specification.
3. Debugging trust chain resolution
Every time the Connect2id server receives a request from a federation entity that triggers a trust chain resolution to find out whether the client is allowed to proceed, the server logs the process.
Example trust chain resolution for an automatic client at the PAR endpoint:
INFO PAR - HTTP POST request: ip=192.168.0.1 path=/c2id/par/
INFO FED-REG - [OP8025] Resolved 1 trust chains (automatic client):
INFO FED-REG - [OP8026] Trust chain [1] anchor (automatic client): https://federation.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] entity (automatic client): http://rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8026] Trust chain [1][2] entity (automatic client): https:///rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][2] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp.example (automatic client) with anchor https://federation.example.com and exp 2022-12-30T17:59:15.000+0200
INFO FED-REG - [OP8018] Received automatic registration request from https://rp.example.com with authorities [https://federation.example.com]
INFO FED-REG - [OP8051] Effective metadata RP policy for entity ID https://rp.example.com: {"grant_types":{"subset_of":["authorization_code","refresh_token"]}}
INFO FED-REG - [OP8014] Registered entity ID https://rp.example.com as automatic client with client_id=https://rp.example.com exp=1672415955
INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp.example.com method=private_key_jwt client_auth_id=tGt9YYlamOgzo0Ra