Connect2id

OpenID Federation 1.0 configuration

This guide explains how to configure the Connect2id server as an OpenID Federation 1.0 compliant OpenID provider.

1. Federation entity keys

Unless the Connect2id server is configured in static or PKCS#11 key store mode, the server will automatically generate the required federation entity JWK set on startup.

Register the federation entity public JWK set with the federation authority (trust anchor or intermediate entity) where the Connect2id server is enrolled as an OpenID provider. Multiple authorities are allowed. The authority publishes these keys in its subordinate statement about the OpenID provider, which is what allows other entities resolving a trust chain through that authority to verify the OpenID provider's entity configuration.

The Connect2id server will then use the federation JWK to sign its entity configuration, made available at the /.well-known/openid-federation endpoint.

2. Federation configuration

Enable OpenID Federation 1.0:

op.federation.enable=true

Specify at least one trust anchor and authority hint (immediate superior entity). In the special case when the OpenID provider is also acting as a trust anchor, such as in the Finnish Trust Network (FTN) 213/2023 S profile, these two configuration properties are left blank.

Example configuration for an immediate superior of the OpenID provider that is also the trust anchor of the federation:

op.federation.trustAnchors.1=https://federation.example.com
op.federation.authorityHints.1=https://federation.example.com

If the OpenID provider is expected to support the explicit and/or automatic client registration types described in OpenID Federation 1.0, enable them and provide the required details. For automatic registration the client is authenticated with the metadata and keys resolved from its trust chain, so also list the client authentication methods accepted from automatic clients at the authorisation endpoint (ar) and at the pushed authorisation request endpoint (par).

Example:

op.federation.clientRegistrationTypes=explicit,automatic
op.federation.autoClientAuthMethods.ar=request_object
op.federation.autoClientAuthMethods.par=private_key_jwt,self_signed_tls_client_auth

In federations that use a different method to evaluate the trust chains of clients and register them with OpenID providers, such as the FTN profile, leave the property blank:

op.federation.clientRegistrationTypes=

A human-readable name of the organisation that owns the federation entity is recommended, for example:

op.federation.organizationName=Trust Connect Inc.

The remaining configuration properties, such as trust marks issued to the OpenID provider, are optional.

To verify the configuration, check the Connect2id server log. At startup the server logs the effective federation configuration and the loading of the federation entity keys.

Example startup log; the OP0040 identifier marks the start of the section:

INFO main MAIN - [OP0040] OpenID Federation: Enabled: true
INFO main MAIN - [OP0041] OpenID Federation: Client registration types: [explicit, automatic]
INFO main MAIN - [OP0055] OpenID Federation: Auto client authentication methods: {pushed_authorization_request_endpoint=[private_key_jwt, tls_client_auth, self_signed_tls_client_auth], authorization_endpoint=[request_object]}
INFO main MAIN - [OP0042] OpenID Federation: Organization name: Trust Connect Inc.
INFO main MAIN - [OP0043] OpenID Federation: Authority hints: [https://federation.example.com]
INFO main MAIN - [OP0044] OpenID Federation: Trust anchors: [https://federation.example.com]
INFO main MAIN - [OP0045] OpenID Federation: Constraints: Max path length: 2
INFO main MAIN - [OP0046] OpenID Federation: Constraints: Permitted: []
INFO main MAIN - [OP0047] OpenID Federation: Constraints: Excluded: []
INFO main MAIN - [OP0053] OpenID Federation: HTTP request timeout: 500ms
INFO main MAIN - [OP0054] OpenID Federation: HTTP read timeout: 500ms
INFO main MAIN - [OP0048] OpenID Federation: Contacts: null
INFO main MAIN - [OP0056] OpenID Federation: Logo URI: https://demo.c2id.com/logo.png
INFO main MAIN - [OP0049] OpenID Federation: Policy URI: https://demo.c2id.com/policy.html
INFO main MAIN - [OP0050] OpenID Federation: Homepage URI: https://demo.c2id.com
INFO main MAIN - [OP0051] OpenID Federation: Trust marks: none
INFO main MAIN - [OP0052] OpenID Federation: Issued entity statement lifetime: 604800s
INFO main MAIN - [OP0053] OpenID Federation: Auto client lifetime: 3600s
INFO main MAIN - [SE1021] Loaded JWK set from /WEB-INF/federationJWKSet.json file resource with 1 keys

To verify the published entity configuration of the OpenID provider, fetch the signed JWT at its /.well-known/openid-federation URL and inspect its claims. The entity configuration is self-signed: the signature must verify under a key from the statement's own jwks claim, and iss and sub must both equal the OpenID provider's entity ID. The claims of the JWT are explained in the specification.
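The following Go program is an added example, not code from Connect2id or this page, of the checks an operator can apply to the JWT served at /.well-known/openid-federation: compact JWS shape, the entity-statement+jwt typ header, a self-signature that verifies under the statement's own jwks, the validity window, iss and sub equal to the entity ID, and the authority_hints and metadata.openid_provider claims an enrolled OP must publish. So that it runs offline it builds its own ES256-signed entity configuration for a hypothetical OP (https://op.example.com, key id fed-1, authority https://federation.example.com) with a freshly generated key; in a real check the JWT would be fetched over HTTPS and the accepted algorithms would match what the server actually signs with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// verifyWithOwnJWKS checks the ES256 signature under the P-256 keys in the statement's own
// jwks claim: an entity configuration is self-signed, so no external key material applies.
func verifyWithOwnJWKS(claims map[string]interface{}, signingInput, sigPart string) bool {
	jwks, _ := claims["jwks"].(map[string]interface{})
	keys, _ := jwks["keys"].([]interface{})
	dec := func(v interface{}) []byte { b, _ := enc.DecodeString(fmt.Sprint(v)); return b }
	sig, h := dec(sigPart), sha256.Sum256([]byte(signingInput))
	for _, k := range keys {
		jwk, _ := k.(map[string]interface{})
		x, y := dec(jwk["x"]), dec(jwk["y"])
		if jwk["kty"] != "EC" || jwk["crv"] != "P-256" || len(x) != 32 || len(y) != 32 || len(sig) != 64 {
			continue
		}
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return true
		}
	}
	return false
}

// CheckEntityConfiguration runs the checks worth applying to the JWT served at
// /.well-known/openid-federation. Only ES256 is accepted, as that is what the demo signs with.
func CheckEntityConfiguration(jwt, entityID string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr, claims map[string]interface{}
	for i, dst := range []*map[string]interface{}{&hdr, &claims} {
		if raw, err := enc.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, fmt.Errorf("JWS part %d is not a base64url-encoded JSON object", i)
		}
	}
	if hdr["alg"] != "ES256" || hdr["typ"] != "entity-statement+jwt" {
		return nil, fmt.Errorf("unexpected header alg=%v typ=%v", hdr["alg"], hdr["typ"])
	}
	if !verifyWithOwnJWKS(claims, parts[0]+"."+parts[1], parts[2]) {
		return nil, fmt.Errorf("signature does not verify under any P-256 key in the statement's jwks")
	}
	exp, _ := claims["exp"].(float64)
	hints, _ := claims["authority_hints"].([]interface{})
	md, _ := claims["metadata"].(map[string]interface{})
	switch {
	case claims["iss"] != entityID || claims["sub"] != entityID:
		return nil, fmt.Errorf("iss and sub must both equal %s", entityID)
	case now.Unix() >= int64(exp):
		return nil, fmt.Errorf("exp missing or in the past")
	case len(hints) == 0 || md["openid_provider"] == nil:
		return nil, fmt.Errorf("authority_hints (required unless the OP is itself a trust anchor) or metadata.openid_provider missing")
	}
	return claims, nil
}

// BuildDemoEntityConfiguration builds a self-signed ES256 entity configuration for a hypothetical
// OP with a fresh key and the "entity-statement+jwt" typ header OpenID Federation 1.0 requires.
func BuildDemoEntityConfiguration(entityID string, now time.Time) string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	be32 := func(i *big.Int) string { return enc.EncodeToString(i.FillBytes(make([]byte, 32))) }
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "entity-statement+jwt", "kid": "fed-1"})
	pl, _ := json.Marshal(map[string]interface{}{
		"iss": entityID, "sub": entityID, "iat": now.Unix(), "exp": now.Add(604800 * time.Second).Unix(),
		"jwks": map[string]interface{}{"keys": []interface{}{map[string]interface{}{
			"kty": "EC", "crv": "P-256", "kid": "fed-1", "x": be32(priv.X), "y": be32(priv.Y)}}},
		"authority_hints": []string{"https://federation.example.com"},
		"metadata":        map[string]interface{}{"openid_provider": map[string]interface{}{"issuer": entityID}},
	})
	in := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(in))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return in + "." + enc.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

func main() {
	entityID, now := "https://op.example.com", time.Now()
	claims, err := CheckEntityConfiguration(BuildDemoEntityConfiguration(entityID, now), entityID, now)
	fmt.Println("sub:", claims["sub"], "error:", err)
}
```

The signature is checked before any claim is trusted, and only against keys carried inside the statement itself; a check that accepted keys from anywhere else would let an attacker present an entity configuration signed with their own key. The 604800 second lifetime matches the issued entity statement lifetime shown in the startup log above.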

3. Debugging trust chain resolution

Whenever a request from a federation entity triggers trust chain resolution to determine whether the client may proceed, the Connect2id server logs the resolution.

Example trust chain resolution for an automatic client making a request at the PAR endpoint:

INFO PAR - HTTP POST request: ip=192.168.0.1 path=/c2id/par/
INFO FED-REG - [OP8025] Resolved 1 trust chains (automatic client):
INFO FED-REG - [OP8026] Trust chain [1] anchor (automatic client): https://federation.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] entity (automatic client): https://rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8026] Trust chain [1][2] entity (automatic client): https://rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][2] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp.example.com (automatic client) with anchor https://federation.example.com and exp 2022-12-30T17:59:15.000+0200
INFO FED-REG - [OP8018] Received automatic registration request from https://rp.example.com with authorities [https://federation.example.com]
INFO FED-REG - [OP8051] Effective metadata RP policy for entity ID https://rp.example.com: {"grant_types":{"subset_of":["authorization_code","refresh_token"]}}
INFO FED-REG - [OP8014] Registered entity ID https://rp.example.com as automatic client with client_id=https://rp.example.com exp=1672415955
INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp.example.com method=private_key_jwt client_auth_id=tGt9YYlamOgzo0Ra
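When reviewing such logs in bulk it helps to correlate the OP8013, OP8014 and OP6204 lines per entity ID and check them against the configuration. The Go program below is an added example, not part of this page or of Connect2id, that does this over a constructed log excerpt in the same format: it extracts the selected anchor, the trust chain exp, the registered client_id and exp, and the PAR authentication method, then flags a registration whose anchor is not among the configured op.federation.trustAnchors, whose client_id differs from the entity ID, whose exp outlives the trust chain that authorised it, or whose PAR method is not among the configured op.federation.autoClientAuthMethods.par. The second client (https://rp2.example.org, anchor https://other-federation.example.net) and its values are constructed to trigger three of those findings; the first mirrors the clean flow shown above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Registration is one automatic client registration reconstructed from the FED-REG and
// PAR log lines, correlated by the client's entity ID.
type Registration struct {
	EntityID, Anchor, ClientID, AuthMethod string
	ChainExp                               time.Time
	ClientExp                              int64
	Findings                               []string
}

var (
	reSelected   = regexp.MustCompile(`\[OP8013\] Selected trust chain for entity ID (\S+) \(automatic client\) with anchor (\S+) and exp (\S+)`)
	reRegistered = regexp.MustCompile(`\[OP8014\] Registered entity ID (\S+) as automatic client with client_id=(\S+) exp=(\d+)`)
	reParAuth    = regexp.MustCompile(`PAR - \[OP6204\] Confidential client authenticated: client_id=(\S+) method=(\S+)`)
)

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// TriageFederationLog correlates the lines per entity ID and checks each registration
// against the configured trust anchors (op.federation.trustAnchors.*) and PAR client
// authentication methods (op.federation.autoClientAuthMethods.par), and that the
// registration does not outlive the trust chain that authorised it.
func TriageFederationLog(lines, trustAnchors, parAuthMethods []string) []*Registration {
	byID := map[string]*Registration{}
	var order []*Registration
	get := func(id string) *Registration {
		if r, ok := byID[id]; ok {
			return r
		}
		r := &Registration{EntityID: id}
		byID[id] = r
		order = append(order, r)
		return r
	}
	for _, l := range lines {
		if m := reSelected.FindStringSubmatch(l); m != nil {
			r := get(m[1])
			r.Anchor = m[2]
			r.ChainExp, _ = time.Parse("2006-01-02T15:04:05.000-0700", m[3])
		} else if m := reRegistered.FindStringSubmatch(l); m != nil {
			r := get(m[1])
			r.ClientID = m[2]
			r.ClientExp, _ = strconv.ParseInt(m[3], 10, 64)
		} else if m := reParAuth.FindStringSubmatch(l); m != nil {
			// For automatic clients the client_id is the entity ID, so it correlates directly.
			if r, ok := byID[m[1]]; ok {
				r.AuthMethod = m[2]
			}
		}
	}
	for _, r := range order {
		if !contains(trustAnchors, r.Anchor) {
			r.Findings = append(r.Findings, "selected anchor "+r.Anchor+" is not a configured trust anchor")
		}
		if r.ClientID != r.EntityID {
			r.Findings = append(r.Findings, "client_id "+r.ClientID+" differs from the entity ID")
		}
		if !r.ChainExp.IsZero() && r.ClientExp > r.ChainExp.Unix() {
			r.Findings = append(r.Findings, "client registration exp "+strconv.FormatInt(r.ClientExp, 10)+" exceeds the trust chain exp")
		}
		if r.AuthMethod != "" && !contains(parAuthMethods, r.AuthMethod) {
			r.Findings = append(r.Findings, "PAR auth method "+r.AuthMethod+" is not configured for automatic clients")
		}
	}
	return order
}

// SampleLogLines is a constructed excerpt in the format of the page's example. The first
// flow is clean; the second is built to trigger three findings.
var SampleLogLines = []string{
	`INFO PAR - HTTP POST request: ip=192.168.0.1 path=/c2id/par/`,
	`INFO FED-REG - [OP8025] Resolved 1 trust chains (automatic client):`,
	`INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp.example.com (automatic client) with anchor https://federation.example.com and exp 2022-12-30T17:59:15.000+0200`,
	`INFO FED-REG - [OP8014] Registered entity ID https://rp.example.com as automatic client with client_id=https://rp.example.com exp=1672415955`,
	`INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp.example.com method=private_key_jwt client_auth_id=tGt9YYlamOgzo0Ra`,
	`INFO PAR - HTTP POST request: ip=192.168.0.2 path=/c2id/par/`,
	`INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp2.example.org (automatic client) with anchor https://other-federation.example.net and exp 2022-12-30T17:59:15.000+0200`,
	`INFO FED-REG - [OP8014] Registered entity ID https://rp2.example.org as automatic client with client_id=https://rp2.example.org exp=1672419555`,
	`INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp2.example.org method=tls_client_auth client_auth_id=constructed01`,
}

func main() {
	anchors := []string{"https://federation.example.com"}                   // op.federation.trustAnchors.1
	parMethods := []string{"private_key_jwt", "self_signed_tls_client_auth"} // op.federation.autoClientAuthMethods.par
	for _, r := range TriageFederationLog(SampleLogLines, anchors, parMethods) {
		fmt.Printf("%s anchor=%s method=%s findings=%d\n", r.EntityID, r.Anchor, r.AuthMethod, len(r.Findings))
		for _, f := range r.Findings {
			fmt.Println("  -", f)
		}
	}
}
```

The chain exp in the OP8013 line and the exp in the OP8014 line of the page's example denote the same instant (1672415955 is 2022-12-30T17:59:15+0200), which is the expected relationship: an automatic registration should not outlive the trust chain it was derived from. Feed the function the real trust anchor and method lists from the deployment's configuration rather than the literals used here.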