OpenID Federation 1.0 configuration
This is a guide how to configure the Connect2id server as an OpenID Federation 1.0 compliant OpenID provider.
1. Federation entity keys
Unless the Connect2id server is configured in static or PKCS#11 key store mode, the server will automatically generate the required federation entity JWK set on startup.
Register the federation entity public JWK set with the federation authority (trust anchor or intermediate entity) where the Connect2id server is enrolled as an OpenID provider. Multiple authorities are allowed.
The Connect2id server will then use the federation JWK to sign its entity
configuration
made available at the
/.well-known/openid-federation
endpoint.
2. Federation configuration
Enable OpenID Federation 1.0:
op.federation.enable=true
Specify at least one trust anchor and authority hint (immediate superior entity). In the special case when the OpenID provider is also acting as a trust anchor, such as in the Finnish Trust Network (FTN) 213/2023 S profile, these two configuration properties are left blank.
Example configuration for an immediate superior of the OpenID provider that is also the trust anchor of the federation:
op.federation.trustAnchors.1=https://federation.example.com
op.federation.authorityHints.1=https://federation.example.com
If the OpenID provider is expected to support the explicit and / or the
automatic client registration
types described in
OpenID Federation 1.0, enable them and provide the required details.
Example:
op.federation.clientRegistrationTypes=explicit,automatic
op.federation.autoClientAuthMethods.ar=request_object
op.federation.autoClientAuthMethods.par=private_key_jwt,self_signed_tls_client_auth
In federations that use a different method to evaluate the trust chains of clients and register them with OpenID providers, such as the FTN profile, leave the parameter blank:
op.federation.clientRegistrationTypes=
A human readable name of the organisation that owns the federation entity is recommended, an example:
op.federation.organizationName=Trust Connect Inc.
The remaining configuration properties, such as trust marks issued to the OpenID provider, are optional.
To verify the configuration check the Connect2id server log. At startup the server will log the configured federation entity configuration and the loading of the federation entity keys.
Example startup log, the OP0040 identifier can be used to locate the start of
the section:
INFO main MAIN - [OP0040] OpenID Federation: Enabled: true
INFO main MAIN - [OP0041] OpenID Federation: Client registration types: [explicit, automatic]
INFO main MAIN - [OP0055] OpenID Federation: Auto client authentication methods: {pushed_authorization_request_endpoint=[private_key_jwt, tls_client_auth, self_signed_tls_client_auth], authorization_endpoint=[request_object]}
INFO main MAIN - [OP0042] OpenID Federation: Organization mame: Trust Connect Inc.
INFO main MAIN - [OP0043] OpenID Federation: Authority hints: [https://federation.example.com]
INFO main MAIN - [OP0044] OpenID Federation: Trust anchors: [https://federation.example.com]
INFO main MAIN - [OP0045] OpenID Federation: Constraints: Max path length: 2
INFO main MAIN - [OP0046] OpenID Federation: Constraints: Permitted: []
INFO main MAIN - [OP0047] OpenID Federation: Constraints: Excluded: []
INFO main MAIN - [OP0053] OpenID Federation: HTTP request timeout: 500ms
INFO main MAIN - [OP0054] OpenID Federation: HTTP read timeout: 500ms
INFO main MAIN - [OP0048] OpenID Federation: Contacts: null
INFO main MAIN - [OP0056] OpenID Federation: Logo URI: https://demo.c2id.com/logo.png
INFO main MAIN - [OP0049] OpenID Federation: Policy URI: https://demo.c2id.com/policy.html
INFO main MAIN - [OP0050] OpenID Federation: Homepage URI: https://demo.c2id.com
INFO main MAIN - [OP0051] OpenID Federation: Trust marks: none
INFO main MAIN - [OP0052] OpenID Federation: Issued entity statement lifetime: 604800s
INFO main MAIN - [OP0053] OpenID Federation: Auto client lifetime: 3600s
INFO main MAIN - [SE1021] Loaded JWK set from /WEB-INF/federationJWKSet.json file resource with 1 keys
To verify the published federation entity configuration of the OpenID provider check the content of the signed JWT at the .well-known/openid-federation URL. The claims of the JWT are explained in the specification.
3. Debugging trust chain resolution
Every time the Connect2id server receives a request from a federation entity that triggers a chain resolution to find out if the client is allowed to proceed the server logs the process.
Example trust chain resolution for an automatic client making a request at the PAR endpoint:
INFO PAR - HTTP POST request: ip=192.168.0.1 path=/c2id/par/
INFO FED-REG - [OP8025] Resolved 1 trust chains (automatic client):
INFO FED-REG - [OP8026] Trust chain [1] anchor (automatic client): https://federation.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] entity (automatic client): http://rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8026] Trust chain [1][2] entity (automatic client): https:///rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][2] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp.example (automatic client) with anchor https://federation.example.com and exp 2022-12-30T17:59:15.000+0200
INFO FED-REG - [OP8018] Received automatic registration request from https://rp.example.com with authorities [https://federation.example.com]
INFO FED-REG - [OP8051] Effective metadata RP policy for entity ID https://rp.example.com: {"grant_types":{"subset_of":["authorization_code","refresh_token"]}}
INFO FED-REG - [OP8014] Registered entity ID https://rp.example.com as automatic client with client_id=https://rp.example.com exp=1672415955
INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp.example.com method=private_key_jwt client_auth_id=tGt9YYlamOgzo0Ra