Class: OmniauthOpenidFederation::Federation::EntityStatementValidator

Inherits: Object
Defined in:
lib/omniauth_openid_federation/federation/entity_statement_validator.rb

Overview

Entity Statement Validator for OpenID Federation 1.0

Validates entity statements according to Section 3.2.1 of the OpenID Federation 1.0 specification.

Constant Summary

JWT_PARTS_COUNT = 3
  Standard JWT has 3 parts: header.payload.signature

REQUIRED_TYP = "entity-statement+jwt"
  Required typ header value for entity statements

SUPPORTED_ALGORITHMS = %w[RS256 PS256 ES256 ES384 ES512].freeze
  Supported signing algorithms (per spec, RS256 is required by OpenID Connect Core)

Instance Method Summary

Constructor Details

#initialize(jwt_string:, issuer_entity_configuration: nil, clock_skew_tolerance: nil) ⇒ EntityStatementValidator

Initialize validator

Parameters:

  • jwt_string (String)

    The entity statement JWT string to validate

  • issuer_entity_configuration (Hash, EntityStatement, nil) (defaults to: nil)

    Optional: Entity Configuration of the issuer. Required for validating Subordinate Statements (when iss != sub).

  • clock_skew_tolerance (Integer, nil) (defaults to: nil)

    Clock skew tolerance in seconds (default: from config)

# File 'lib/omniauth_openid_federation/federation/entity_statement_validator.rb', line 42

def initialize(jwt_string:, issuer_entity_configuration: nil, clock_skew_tolerance: nil)
  @jwt_string = jwt_string
  @issuer_entity_configuration = issuer_entity_configuration
  @clock_skew_tolerance = clock_skew_tolerance || OmniauthOpenidFederation.config.clock_skew_tolerance
  @header = nil
  @payload = nil
  @is_entity_configuration = nil
  @is_subordinate_statement = nil
end

Instance Method Details

#validate! ⇒ Hash

Validate the entity statement

Returns:

  • (Hash)

    Validated entity statement with header and claims

Raises:

# File 'lib/omniauth_openid_federation/federation/entity_statement_validator.rb', line 56

def validate!
  validate_jwt_format
  validate_typ_header
  validate_alg_header
  validate_sub_claim
  validate_iss_claim
  determine_statement_type
  validate_authority_hints if @is_subordinate_statement
  validate_iat_claim
  validate_exp_claim
  validate_jwks_claim
  validate_kid_header
  validate_kid_matching
  validate_signature if @issuer_entity_configuration || @is_entity_configuration
  validate_crit_claim
  validate_authority_hints_syntax if @header && @payload && @is_entity_configuration
  validate_constraints_presence
  validate_trust_marks_presence
  validate_trust_mark_issuers_presence
  validate_trust_mark_owners_presence

  {
    header: @header,
    claims: @payload,
    is_entity_configuration: @is_entity_configuration,
    is_subordinate_statement: @is_subordinate_statement
  }
end
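The check order above (JWT format, typ, alg, sub/iss, statement type, iat/exp, jwks, kid, signature) can be followed end to end on a constructed statement. The block below is an added example written for this page, not code from the omniauth_openid_federation gem: a standard-library-only checker that mints an RS256 entity statement and validates it the way validate! does. Function names, the `now:` parameter, and the assumption that `issuer_entity_configuration` is the Hash this checker itself returns for the issuer's Entity Configuration are all choices of the example; only RS256 signature verification is implemented.

```ruby
# Added example, not code from the omniauth_openid_federation gem.
require "json"
require "base64"
require "openssl"

REQUIRED_TYP = "entity-statement+jwt"
SUPPORTED_ALGORITHMS = %w[RS256 PS256 ES256 ES384 ES512].freeze

class EntityStatementError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Publish an RSA public key as a JWK (n and e as base64url big-endian integers).
def rsa_jwk(key, kid)
  { "kty" => "RSA", "use" => "sig", "kid" => kid,
    "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
end

# Rebuild a verification key from a JWK via a PKCS#1 RSAPublicKey DER sequence.
def jwk_to_rsa(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

# Issuer side: mint an RS256 entity statement over constructed claims.
def sign_entity_statement(claims, key, kid)
  header = { "typ" => REQUIRED_TYP, "alg" => "RS256", "kid" => kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

# Verifier side. issuer_entity_configuration is the Hash this function returns
# for the issuer's own Entity Configuration (assumed layout); it is needed only
# when iss != sub. `now` is injectable so the time checks are deterministic.
def validate_entity_statement(jwt, issuer_entity_configuration: nil,
                              clock_skew_tolerance: 60, now: Time.now.to_i)
  parts = jwt.split(".")
  raise EntityStatementError, "expected 3 JWT parts, got #{parts.size}" unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  claims = JSON.parse(b64url_decode(parts[1]))

  raise EntityStatementError, "typ must be #{REQUIRED_TYP}" unless header["typ"] == REQUIRED_TYP
  raise EntityStatementError, "unsupported alg #{header["alg"].inspect}" unless SUPPORTED_ALGORITHMS.include?(header["alg"])
  %w[iss sub iat exp].each do |c|
    raise EntityStatementError, "missing #{c} claim" if claims[c].nil?
  end

  # Same issuer and subject: a self-signed Entity Configuration. Otherwise a
  # Subordinate Statement, which can only be verified against the issuer's keys.
  is_entity_configuration = claims["iss"] == claims["sub"]
  if !is_entity_configuration && issuer_entity_configuration.nil?
    raise EntityStatementError, "subordinate statement requires the issuer's Entity Configuration"
  end

  raise EntityStatementError, "iat is in the future" if claims["iat"] > now + clock_skew_tolerance
  raise EntityStatementError, "statement has expired" if claims["exp"] < now - clock_skew_tolerance
  raise EntityStatementError, "Entity Configuration must carry jwks" if is_entity_configuration && claims["jwks"].nil?
  raise EntityStatementError, "missing kid header" if header["kid"].nil?

  # Key selection: an Entity Configuration is checked against its own jwks,
  # a Subordinate Statement against the issuer's jwks.
  key_set = (is_entity_configuration ? claims["jwks"] : issuer_entity_configuration[:claims]["jwks"]) || {}
  jwk = key_set.fetch("keys", []).find { |k| k["kid"] == header["kid"] }
  raise EntityStatementError, "kid #{header["kid"]} not found in jwks" if jwk.nil?

  # Only RS256 (RSASSA-PKCS1-v1_5 with SHA-256) verification is implemented here.
  raise EntityStatementError, "#{header["alg"]} verification not implemented in this example" unless header["alg"] == "RS256"
  signing_input = "#{parts[0]}.#{parts[1]}"
  unless jwk_to_rsa(jwk).verify(OpenSSL::Digest.new("SHA256"), b64url_decode(parts[2]), signing_input)
    raise EntityStatementError, "signature verification failed"
  end

  { header: header, claims: claims,
    is_entity_configuration: is_entity_configuration,
    is_subordinate_statement: !is_entity_configuration }
end

# Convenience for callers that want the rejection reason instead of an exception.
def rejection_reason(jwt, **opts)
  validate_entity_statement(jwt, **opts)
  nil
rescue EntityStatementError => e
  e.message
end
```

Validate a Trust Anchor's Entity Configuration first (it is self-signed, so its own `jwks` supplies the key), then pass the returned Hash as `issuer_entity_configuration:` when validating a Subordinate Statement it issued; a statement whose payload is altered after signing fails the final signature step even though every earlier structural check passes.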