Class: OmniauthOpenidFederation::Federation::EntityStatementBuilder

Inherits:
Object
Defined in:
lib/omniauth_openid_federation/federation/entity_statement_builder.rb

Overview

Entity Statement Builder for OpenID Federation 1.0

Builds self-signed entity statement JWTs for publishing provider configuration.

Instance Method Summary

Constructor Details

#initialize(issuer:, subject:, private_key:, jwks:, metadata:, expiration_seconds: 86400, kid: nil, authority_hints: nil, trust_marks: nil, trust_mark_issuers: nil, trust_mark_owners: nil, metadata_policy: nil, metadata_policy_crit: nil, constraints: nil, source_endpoint: nil, crit: nil) ⇒ EntityStatementBuilder

Returns a new instance of EntityStatementBuilder.

Parameters:

  • issuer (String)

    Entity issuer (typically the provider URL)

  • subject (String)

    Entity subject (typically same as issuer for self-issued statements)

  • private_key (OpenSSL::PKey::RSA)

    Private key for signing the entity statement

  • jwks (Hash)

    JWKS hash with “keys” array containing public keys

  • metadata (Hash)

    Provider metadata hash with openid_provider section

  • expiration_seconds (Integer) (defaults to: 86400)

    Expiration time in seconds from now (default: 86400 = 24 hours)

  • kid (String, nil) (defaults to: nil)

    Key ID to use for signing (defaults to first key’s kid in JWKS)

  • authority_hints (Array<String>, nil) (defaults to: nil)

    Optional: Array of Entity Identifiers for Immediate Superiors (Entity Configuration only)

  • trust_marks (Array<Hash>, nil) (defaults to: nil)

    Optional: Array of Trust Mark objects (Entity Configuration only)

  • trust_mark_issuers (Hash, nil) (defaults to: nil)

    Optional: Trust Mark issuers configuration (Trust Anchor only)

  • trust_mark_owners (Hash, nil) (defaults to: nil)

    Optional: Trust Mark owners configuration (Trust Anchor only)

  • metadata_policy (Hash, nil) (defaults to: nil)

    Optional: Metadata policy (Subordinate Statement only)

  • metadata_policy_crit (Array<String>, nil) (defaults to: nil)

    Optional: Critical metadata policy operators (Subordinate Statement only)

  • constraints (Hash, nil) (defaults to: nil)

    Optional: Trust Chain constraints (Subordinate Statement only)

  • source_endpoint (String, nil) (defaults to: nil)

    Optional: Fetch endpoint URL (Subordinate Statement only)

  • crit (Array<String>, nil) (defaults to: nil)

    Optional: Critical claims that must be understood



# File 'lib/omniauth_openid_federation/federation/entity_statement_builder.rb', line 55

def initialize(issuer:, subject:, private_key:, jwks:, metadata:, expiration_seconds: 86400, kid: nil,
  authority_hints: nil, trust_marks: nil, trust_mark_issuers: nil, trust_mark_owners: nil,
  metadata_policy: nil, metadata_policy_crit: nil, constraints: nil, source_endpoint: nil, crit: nil)
  @issuer = issuer
  @subject = subject
  @private_key = private_key
  @jwks = normalize_jwks(jwks)
  @metadata = metadata
  @expiration_seconds = expiration_seconds
  @kid = kid || extract_kid_from_jwks(@jwks)
  @authority_hints = authority_hints
  @trust_marks = trust_marks
  @trust_mark_issuers = trust_mark_issuers
  @trust_mark_owners = trust_mark_owners
  @metadata_policy = metadata_policy
  @metadata_policy_crit = metadata_policy_crit
  @constraints = constraints
  @source_endpoint = source_endpoint
  @crit = crit
end

Instance Method Details

#build ⇒ String

Build and sign the entity statement JWT

Returns:

  • (String)

    The signed entity statement JWT string

Raises:

  • (SignatureError)

    if signing the entity statement fails (the underlying error is wrapped and logged)


# File 'lib/omniauth_openid_federation/federation/entity_statement_builder.rb', line 81

def build
  validate_parameters

  payload = build_payload

  # Per OpenID Federation 1.0 Section 3.1: typ MUST be "entity-statement+jwt"
  header = {
    alg: "RS256",
    typ: "entity-statement+jwt",
    kid: @kid
  }

  begin
    JWT.encode(payload, @private_key, "RS256", header)
  rescue => e
    error_msg = "Failed to sign entity statement: #{e.class} - #{e.message}"
    OmniauthOpenidFederation::Logger.error("[EntityStatementBuilder] #{error_msg}")
    raise SignatureError, error_msg, e.backtrace
  end
end
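The following is an added, self-contained example (not the gem's code) showing what a consumer of a statement produced by #build must check: the `entity-statement+jwt` typ, RS256, iss == sub for a self-issued statement, a signing kid that resolves inside the statement's own jwks, the signature, and the iat/exp window. It uses only the Ruby standard library (OpenSSL, JSON) with a hand-rolled JWS instead of the jwt gem; `rsa_jwk`, `build_entity_statement` and `verify_entity_statement` are hypothetical helper names.

```ruby
require "openssl"
require "json"

# Constructed helpers, not OmniauthOpenidFederation code: a stdlib-only RS256
# JWS so the entity-statement rules can be exercised without the jwt gem.
ENTITY_STATEMENT_TYP = "entity-statement+jwt"

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)
  padded.unpack1("m0")
end

# Publish an RSA public key as a JWK carrying the kid the builder puts in the header.
def rsa_jwk(key, kid)
  { kty: "RSA", kid: kid, use: "sig", n: b64url(key.n.to_s(2)), e: b64url(key.e.to_s(2)) }
end

# Self-issued entity statement: iss == sub, fixed typ, kid taken from the JWKS (as #build does).
def build_entity_statement(issuer:, private_key:, jwks:, metadata:, now:, expiration_seconds: 86_400)
  header  = { alg: "RS256", typ: ENTITY_STATEMENT_TYP, kid: jwks[:keys].first[:kid] }
  payload = { iss: issuer, sub: issuer, iat: now, exp: now + expiration_seconds, jwks: jwks, metadata: metadata }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Verifier side: reject anything that is not an RS256 entity statement, resolve the signing
# key from the statement's own jwks (self-signed), then check signature and validity window.
def verify_entity_statement(jwt, now:)
  h64, p64, s64 = jwt.split(".")
  header, payload = [h64, p64].map { |part| JSON.parse(b64url_decode(part)) }
  raise "typ must be #{ENTITY_STATEMENT_TYP}" unless header["typ"] == ENTITY_STATEMENT_TYP
  raise "alg must be RS256" unless header["alg"] == "RS256" # no alg:none, no HMAC confusion
  raise "self-issued statement must have iss == sub" unless payload["iss"] == payload["sub"]
  jwk = payload.dig("jwks", "keys").to_a.find { |k| k["kid"] == header["kid"] }
  raise "kid #{header["kid"].inspect} not found in jwks" unless jwk
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  pub = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der)
  raise "bad signature" unless pub.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s64), "#{h64}.#{p64}")
  raise "statement not yet valid or expired" unless payload["iat"] <= now && now < payload["exp"]
  payload
end
```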