# OpenID Federation Trust Anchor
Raidiam enables authorities and organisations to create a trust framework based on OpenID Connect Federation, where Raidiam acts as a Trust Anchor.

## What federation is

The OpenID Federation 1.0 specification outlines a mechanism that allows organisations and their technical resources, such as identity providers/authorization servers (OpenID Providers or OPs) and relying parties (RPs, i.e., applications or clients), to establish mutual trust without requiring a direct relationship. This trust is built through a trust chain, enabling the OP to accept OAuth/OIDC requests from RPs without the need for prior registration of the RP.

```mermaid
flowchart TB
  id1[Trust Anchor: Raidiam]
  id2[Organisation 1]
  id3[OP: Identity Provider / Authorisation Server]
  id4[Resource Server]
  id5[Organisation 2]
  id6[RP: Client]
  id7[Resource Server]
  id8[OP: Identity Provider / Authorisation Server]
  id1 --> id2
  id1 --> id5
  id2 --> id3
  id2 --> id4
  id5 --> id6
  id5 --> id7
  id5 --> id8
```

Federation participants, including identity providers, relying parties, intermediate authorities, and trust anchors, are collectively referred to as federation entities. Each federation entity is assigned a globally unique identifier known as an Entity ID.

In the above diagram:

- The Trust Anchor (in this case, Raidiam) is an entity that represents a third party that all other parties (Organisation 1 and Organisation 2) agree to trust.
- An organisation can be represented by a number of different technical resources:
  - OpenID Provider (OP): identity provider / OAuth authorisation server
  - Resource Server: APIs
  - Relying Party (RP): applications (client applications)
- OPs and RPs are usually treated as leaf entities: an entity with no subordinate entities, meaning there are no other entities between this entity and the Trust Anchor in the established trust hierarchy.

## Trust chain

To reflect the established trust, a trust chain is constructed: a sequence of entity statements (JSON Web Tokens, JWTs) that represents the chain, starting at the leaf entity (OP/RP) and ending in the
Trust Anchor.

```mermaid
flowchart TB
  id1[Trust Anchor: Raidiam]
  id3[OP: Identity Provider / Authorisation Server]
  id6[RP: Client]
  id3 -->|Trust chain 1| id1
  id1 -->|Trust chain 1| id6
  id6 -->|Trust chain 2| id1
  id1 -->|Trust chain 2| id3
```

## Entity statements

With Raidiam used as the trust framework, entity statements are JSON Web Tokens (JWTs).

Leaf entities (OPs/RPs) issue self-signed JWTs, signed with the OP's/RP's private key. In the example below, note that because the JWT is self-signed, both the issuer and the subject point to the leaf entity:

```json
{
  "iss": "<leaf entity ID>",
  "sub": "<leaf entity ID>",
  "authority_hints": [
    // recognises the upper authority / trust anchor
    "<trust anchor URL: Raidiam federation>"
  ],
  // other claims
  "jwks": {
    "keys": [
      // leaf entity public key(s)
    ]
  }
}
```

The Trust Anchor (Raidiam) issues a JWT that directly authorises the leaf entity, terminating the trust chain. This JWT is signed using the anchor's (Raidiam's) private key and is verified with the anchor's public keys, which the anchor publishes in its own self-signed entity configuration. Its `jwks` claim does not carry the anchor's keys: it carries the leaf entity's public keys as attested by the anchor, which is what lets a verifier decide that the leaf's self-signed statement was produced with a key the anchor vouches for.

```json
{
  "iss": "<trust anchor entity ID: Raidiam>",
  "sub": "<leaf entity ID>",
  // other claims
  "jwks": {
    "keys": [
      // leaf entity public key(s), as attested by the trust anchor
    ]
  }
}
```

## Trust chain resolution

```mermaid
sequenceDiagram
  participant RP as Relying Party
  participant OP as OpenID Provider
  participant TA as Trust Anchor (Raidiam)
  RP->>RP: Generate entity statement (JWT)
  note right of RP: "iss": "<RP ID>"
  note right of RP: "sub": "<RP ID>"
  note right of RP: "authority_hints": <br/> ["https://auth.sandbox.raidiam.io/"]
  note right of RP: "jwks": [RP public key]
  RP->>RP: Self-sign entity statement
  note right of RP: Sign using private key
  RP->>RP: Publish self-signed JWT
  note right of RP: Must be under a URL following the format <br/> leaf entity identifier (RP ID) + <br/> /.well-known/openid-federation
  note over RP,TA: All parties perform the above steps
  RP->>OP: Access API
  OP->>RP: GET leaf entity identifier (RP ID) + <br/> /.well-known/openid-federation
  RP->>OP: Entity configuration (statement)
  OP->>OP: Extract authority from entity configuration
  note right of OP: The OP checks the RP's authority_hints <br/> for the direct authority
  note right of OP: In this case, it points to Raidiam: <br/> https://auth.sandbox.raidiam.io/
  OP->>TA: GET trust anchor (Raidiam) entity configuration (statement) <br/> https://auth.sandbox.raidiam.io/.well-known/openid-federation
  note left of TA: "iss": "https://auth.sandbox.raidiam.io/"
  note left of TA: "sub": "https://auth.sandbox.raidiam.io/"
  note left of TA: "jwks": [Raidiam public key]
  note left of TA: metadata.federation_entity.federation_fetch_endpoint
  note over OP,TA: The TA's configuration is needed to know the location of the /fetch endpoint
  TA->>OP: Entity configuration
  OP->>TA: GET /fetch?sub={RP entity configuration sub claim value}
  TA->>OP: Return JWT (entity statement) of the RP
  note left of TA: "iss": "<TA ID>"
  note left of TA: "sub": "<RP ID>"
  note left of TA: "jwks": [RP public key, as attested by the TA]
  note left of TA: Signed using the TA's private key
  note over OP,TA: The JWT indicates the trust anchor authorises the RP, so the OP can trust the RP
```

One check the diagram takes for granted: the OP must already hold Raidiam's public keys (or a pinned copy of its entity configuration) out of band. If the OP verified the anchor's configuration with the keys found inside that same document, anyone able to answer for the anchor's URL would be trusted. The anchor's self-signed configuration is verified against the pre-configured keys, and only then are those keys used to verify the subordinate statement returned by `/fetch`.