Class: OmniauthOpenidFederation::Federation::EntityStatementParser

Inherits:

Object

• Object
• OmniauthOpenidFederation::Federation::EntityStatementParser

Defined in:

lib/omniauth_openid_federation/federation/entity_statement_parser.rb

Overview

Entity Statement Parser for OpenID Federation 1.0

Examples:

Parse an entity statement

parser = EntityStatementParser.new(jwt_string, validate_signature: true)
metadata = parser.parse

Constant Summary

ParseError =

Compatibility alias for backward compatibility

OmniauthOpenidFederation::ValidationError

JWT_PARTS_COUNT =

Standard JWT has 3 parts: header.payload.signature

3

Class Method Summary

• .parse(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil) ⇒ Hash

  Parse entity statement JWT.

Instance Method Summary

• #initialize(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil) ⇒ EntityStatementParser constructor

  Initialize parser.

• #parse ⇒ Hash

  Parse the entity statement.

Constructor Details

#initialize(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil) ⇒ EntityStatementParser

Initialize parser

Parameters:

• jwt_string (String) —

  The JWT string to parse

• validate_signature (Boolean) (defaults to: false) —

  Whether to validate the signature

• validate_full (Boolean) (defaults to: true) —

  Whether to perform full OpenID Federation validation

• issuer_entity_configuration (Hash, EntityStatement, nil) (defaults to: nil) —

  Optional: Issuer’s Entity Configuration

# File 'lib/omniauth_openid_federation/federation/entity_statement_parser.rb', line 51

def initialize(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil)
  @jwt_string = jwt_string
  @validate_signature = validate_signature
  @validate_full = validate_full
  @issuer_entity_configuration = issuer_entity_configuration
end

Class Method Details

.parse(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil) ⇒ Hash

Parse entity statement JWT

Parameters:

• jwt_string (String) —

  The JWT string to parse

• validate_signature (Boolean) (defaults to: false) —

  Whether to validate the signature (default: false)

• validate_full (Boolean) (defaults to: true) —

  Whether to perform full OpenID Federation validation (default: true)

• issuer_entity_configuration (Hash, EntityStatement, nil) (defaults to: nil) —

  Optional: Issuer’s Entity Configuration for Subordinate Statement validation

Returns:

• (Hash) —

  Parsed entity statement with header, claims, and metadata

Raises:

• (ParseError) —

  If parsing fails

# File 'lib/omniauth_openid_federation/federation/entity_statement_parser.rb', line 41

def self.parse(jwt_string, validate_signature: false, validate_full: true, issuer_entity_configuration: nil)
  new(jwt_string, validate_signature: validate_signature, validate_full: validate_full, issuer_entity_configuration: issuer_entity_configuration).parse
end

Instance Method Details

#parse ⇒ Hash

Parse the entity statement

Returns:

• (Hash) —

  Parsed entity statement with header, claims, and metadata

Raises:

• (ParseError) —

  If parsing fails

# File 'lib/omniauth_openid_federation/federation/entity_statement_parser.rb', line 62

def parse
  # Perform full OpenID Federation validation if requested
  if @validate_full
    validator = EntityStatementValidator.new(
      jwt_string: @jwt_string,
      issuer_entity_configuration: @issuer_entity_configuration
    )
    validated = validator.validate!
    @header = validated[:header]
    @payload = validated[:claims]
  else
    # Basic parsing without full validation (for backward compatibility)
    jwt_parts = @jwt_string.split(".")
    raise ParseError, "Invalid JWT format: expected #{JWT_PARTS_COUNT} parts, got #{jwt_parts.length}" if jwt_parts.length != JWT_PARTS_COUNT

    # Decode header
    @header = JSON.parse(Base64.urlsafe_decode64(jwt_parts[0]))

    # Validate typ header per OpenID Federation 1.0 Section 3.1 and 3.2.1
    # Entity Statement JWTs MUST have typ: "entity-statement+jwt"
    typ = @header["typ"] || @header[:typ]
    unless typ == "entity-statement+jwt"
      raise ValidationError, "Invalid entity statement type: expected 'entity-statement+jwt', got '#{typ}'. Entity statements without the correct typ header MUST be rejected per OpenID Federation 1.0 Section 3.1."
    end

    # Decode payload
    @payload = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))
  end

  header = @header
  payload = @payload

  # Extract JWKS from entity statement for signature validation
  entity_jwks = payload.fetch("jwks", {}).fetch("keys", [])

  if @validate_signature && entity_jwks.any?
    # For signature validation, we need the JWT parts
    jwt_parts = @jwt_string.split(".")
    validate_signature(jwt_parts, entity_jwks, header)
  end

  # Extract metadata for all entity types
  metadata_section = payload.fetch("metadata", {})
  provider_metadata = metadata_section.fetch("openid_provider", {})
  rp_metadata = metadata_section.fetch("openid_relying_party", {})

  result = {
    header: header,
    claims: payload,
    issuer: payload["iss"],
    sub: payload["sub"],
    exp: payload["exp"],
    iat: payload["iat"],
    jwks: payload.fetch("jwks", {}),
    metadata: {},
    # Advanced claims (Entity Configuration specific)
    authority_hints: payload["authority_hints"] || payload[:authority_hints],
    trust_marks: payload["trust_marks"] || payload[:trust_marks],
    trust_mark_issuers: payload["trust_mark_issuers"] || payload[:trust_mark_issuers],
    trust_mark_owners: payload["trust_mark_owners"] || payload[:trust_mark_owners],
    # Advanced claims (Subordinate Statement specific)
    metadata_policy: payload["metadata_policy"] || payload[:metadata_policy],
    metadata_policy_crit: payload["metadata_policy_crit"] || payload[:metadata_policy_crit],
    constraints: payload["constraints"] || payload[:constraints],
    source_endpoint: payload["source_endpoint"] || payload[:source_endpoint],
    # Other claims
    crit: payload["crit"] || payload[:crit],
    # Determine statement type
    is_entity_configuration: (payload["iss"] == payload["sub"]),
    is_subordinate_statement: (payload["iss"] != payload["sub"])
  }

  # Extract OpenID Provider metadata if present
  if provider_metadata.any?
    result[:metadata][:openid_provider] = {
      issuer: provider_metadata["issuer"],
      authorization_endpoint: provider_metadata["authorization_endpoint"],
      token_endpoint: provider_metadata["token_endpoint"],
      userinfo_endpoint: provider_metadata["userinfo_endpoint"],
      jwks_uri: provider_metadata["jwks_uri"],
      signed_jwks_uri: provider_metadata["signed_jwks_uri"],
      end_session_endpoint: provider_metadata["end_session_endpoint"],
      client_registration_types_supported: provider_metadata["client_registration_types_supported"],
      federation_registration_endpoint: provider_metadata["federation_registration_endpoint"]
    }
  end

  # Extract OpenID Relying Party metadata if present
  if rp_metadata.any?
    result[:metadata][:openid_relying_party] = {
      application_type: rp_metadata["application_type"],
      redirect_uris: rp_metadata["redirect_uris"],
      client_registration_types: rp_metadata["client_registration_types"],
      signed_jwks_uri: rp_metadata["signed_jwks_uri"],
      jwks_uri: rp_metadata["jwks_uri"],
      organization_name: rp_metadata["organization_name"],
      logo_uri: rp_metadata["logo_uri"],
      grant_types: rp_metadata["grant_types"],
      response_types: rp_metadata["response_types"],
      scope: rp_metadata["scope"]
    }
  end

  result
rescue JSON::ParserError => e
  raise ValidationError, "Failed to parse entity statement: #{e.message}"
rescue ArgumentError => e
  raise ValidationError, "Failed to decode entity statement: #{e.message}"
end