Module: OmniAuth

Defined in:
lib/omniauth_openid_federation.rb,
lib/omniauth_openid_federation/strategy.rb

Overview

OpenID Federation strategy for OAuth 2.0 / OpenID Connect providers. This strategy implements OpenID Federation features for providers that require compliance with regulatory requirements and security best practices.

Features implemented:

  • Signed Request Objects (RFC 9101, Section 12.1.1.1.1) - Required for secure authorization requests

  • ID Token Encryption/Decryption (RSA-OAEP + A128CBC-HS256) - Required for token security

  • Client Assertion (private_key_jwt) - Required for token endpoint authentication

  • OpenID Federation Entity Statements (Section 3) - Optional but recommended

  • Signed JWKS Support (Section 5.2.1.1) - Required for key rotation compliance

  • Trust Chain Resolution (Section 10) - Resolves trust chains when trust_anchors configured

  • Metadata Policy Merging (Section 5.1) - Applies metadata policies from trust chain

  • Automatic Client Registration (Section 11.1) - Uses Entity ID as client_id

Features NOT implemented (optional):

  • Trust marks (Section 7) - Optional feature (parsed but not validated)

  • Federation endpoints (Section 8) - Server-side feature (Fetch Endpoint implemented separately)

This strategy uses the openid_connect gem and extends it with federation-specific features.
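The two signed artifacts listed above, the private_key_jwt client assertion and the RFC 9101 signed request object, are both plain RS256 JWTs issued by the relying party and checked by the provider. The following added example (not code from the omniauth_openid_federation gem or the openid_connect gem it builds on) shows both sides using only the Ruby standard library: the RP builds the assertion and the request object, and a small provider-side verifier performs the checks a token endpoint must make before trusting the assertion (algorithm pinning, signature, iss/sub, audience, expiry, jti replay). The entity identifiers, token endpoint URL and key id in the demo are constructed placeholders; in a real deployment the verifier's public keys would come from the client's verified JWKS.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# --- Minimal RS256 JWT helpers on the Ruby standard library (no jwt gem needed) ---

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def sign_jwt(claims, private_key, kid)
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Pins the algorithm and checks the signature before any claim is trusted;
# returns the parsed claims.
def verify_jwt(token, public_key)
  h, c, s = token.split('.')
  raise 'malformed JWT' unless h && c && s
  header = JSON.parse(Base64.urlsafe_decode64(h))
  raise "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s), "#{h}.#{c}")
  raise 'bad signature' unless valid
  JSON.parse(Base64.urlsafe_decode64(c))
end

# --- Relying-party side: what the strategy sends ---

# private_key_jwt client assertion for token endpoint authentication.
def build_client_assertion(client_id:, token_endpoint:, private_key:, kid:, now: Time.now.to_i, ttl: 60)
  claims = { iss: client_id, sub: client_id, aud: token_endpoint,
             jti: SecureRandom.uuid, iat: now, exp: now + ttl }
  sign_jwt(claims, private_key, kid)
end

# Signed request object (RFC 9101): the authorization parameters travel inside a
# JWT, so the provider can detect tampering with redirect_uri, scope, state or nonce.
def build_request_object(client_id:, issuer:, params:, private_key:, kid:, now: Time.now.to_i, ttl: 300)
  claims = params.merge(iss: client_id, aud: issuer, client_id: client_id,
                        jti: SecureRandom.uuid, iat: now, exp: now + ttl)
  sign_jwt(claims, private_key, kid)
end

# --- Provider side: the checks a token endpoint must make on a client assertion ---

class ClientAssertionVerifier
  # client_keys maps client_id => OpenSSL::PKey::RSA public key.
  def initialize(token_endpoint:, client_keys:)
    @token_endpoint = token_endpoint
    @client_keys = client_keys
    @seen_jti = {} # replay cache; a real deployment would evict entries once exp has passed
  end

  def verify(assertion, now: Time.now.to_i)
    _h, c, _s = assertion.split('.')
    raise 'malformed JWT' unless c
    # The unverified payload is read only to pick the key; nothing from it is
    # trusted until verify_jwt has checked the signature with that key.
    iss = JSON.parse(Base64.urlsafe_decode64(c))['iss']
    key = @client_keys[iss] or raise "unknown client #{iss.inspect}"
    claims = verify_jwt(assertion, key)
    raise 'iss/sub mismatch' unless claims['sub'] == iss
    raise 'wrong audience' unless Array(claims['aud']).include?(@token_endpoint)
    raise 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
    raise 'replayed jti' if @seen_jti.key?(claims['jti'])
    @seen_jti[claims['jti']] = claims['exp']
    claims
  end
end

if __FILE__ == $0
  # Constructed demo values; the RP's entity id doubles as client_id (Section 11.1).
  rp_key = OpenSSL::PKey::RSA.new(2048)
  rp_id  = 'https://rp.example.test'
  token_endpoint = 'https://op.example.test/token'
  verifier = ClientAssertionVerifier.new(token_endpoint: token_endpoint,
                                         client_keys: { rp_id => rp_key.public_key })
  assertion = build_client_assertion(client_id: rp_id, token_endpoint: token_endpoint,
                                     private_key: rp_key, kid: 'demo-kid')
  puts "accepted assertion for #{verifier.verify(assertion)['iss']}"
end
```

The verifier reads `iss` from the unverified payload purely to select the key; every other claim is taken from the output of `verify_jwt`, which refuses any `alg` other than RS256 so a token re-signed with a different or missing algorithm is rejected before its claims are parsed.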

Defined Under Namespace

Modules: Strategies