Feature/oidf 54 (#31)

* feat: Implemented KMS, JWKS generation and JWT sign * fix: Test dependencies * feat: Created sign and verify jwt functions * refactor: Added trailing new line to the files * fix: Removed some targets temporarily to fix build issues. * refactor: made the second paramenter of functions a Map without default value and refactored the key generation * refactor: Fixed build issues and removed commented-out code * fix: Fixed failing test and null pointer exception * refactor: Fixed dependencies and made the protectedHeader a param * refactor: Fixed code formatting * refactor: Made JWT payload and header classes to be used as input * fix: add missing repositories for windows (#22) * fix: add missing repositories for windows * fix: update ci docker compose command * feat: implement jwk persistence * fix: remove unused statement * fix: github CI * fix: add missing entity to openapi spec * feat: persist generated keys * fix: typo * fix: remove unnecessary statement * feat: abstract jwk to its own module * feat: encrypt private keys when saving to database * feat: add note to README regarding usage of Local KMS in prod envs * fix: adapt key encryption test cases for when APP_KEY is null * fix: adjust function name * fix: add kotlin-js-store to gitignore * fix: clean common gradle file * fix: disable android build * fix: remove js implementation from services * feat: implement Subordinate repository (#29) * feat: implement federation server structure (#28) * feat: implement federation server structure * feat: implement Subordinate repository * fix: remove unused files * feat: implement federation list endpoint --------- Co-authored-by: Zoe Maas <[email protected]>
Sphereon-Opensource · Aug 16, 2024 · b12e7bc · b12e7bc
1 parent e754b13
commit b12e7bc
Show file tree

Hide file tree

Showing 59 changed files with 1,430 additions and 3,333 deletions.
diff --git a/.env b/.env
@@ -2,3 +2,4 @@ DATASOURCE_URL=jdbc:postgresql://localhost:5432/openid-federation-db
 DATASOURCE_USER=openid-federation-db-user
 DATASOURCE_PASSWORD=openid-federation-db-password
 DATASOURCE_DB=openid-federation-db
+APP_KEY=Nit5tWts42QeCynT1Q476LyStDeSd4xb
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,4 @@ captures
 /.temp/
 /docker/.env
 /.run/*
+kotlin-js-store/
diff --git a/README.md b/README.md
@@ -7,16 +7,24 @@
 
 # Background
 
-OpenID Federation is a framework designed to facilitate the secure and interoperable interaction of entities within a federation. This involves the use of JSON Web Tokens (JWTs) to represent and convey necessary information for entities to participate in federations, ensuring trust and security across different organizations and systems.
+OpenID Federation is a framework designed to facilitate the secure and interoperable interaction of entities within a
+federation. This involves the use of JSON Web Tokens (JWTs) to represent and convey necessary information for entities
+to participate in federations, ensuring trust and security across different organizations and systems.
 
-In the context of OpenID Federation, Entity Statements play a crucial role. These are signed JWTs that contain details about the entity, such as its public keys and metadata. This framework allows entities to assert their identity and capabilities in a standardized manner, enabling seamless integration and interoperability within federations.
+In the context of OpenID Federation, Entity Statements play a crucial role. These are signed JWTs that contain details
+about the entity, such as its public keys and metadata. This framework allows entities to assert their identity and
+capabilities in a standardized manner, enabling seamless integration and interoperability within federations.
 
 ## Key Concepts
 
-- **Federation**: A group of organizations that agree to interoperate under a set of common rules defined in a federation policy.
-- **Entity Statements**: JSON objects that contain metadata about entities (IdPs, RPs) and their federation relationships.
-- **Trust Chains**: Mechanisms by which parties in a federation verify each other’s trustworthiness through a chain of entity statements, leading back to a trusted authority.
-- **Federation API**: Interfaces defined for entities to exchange information and perform operations necessary for federation management.
+- **Federation**: A group of organizations that agree to interoperate under a set of common rules defined in a
+  federation policy.
+- **Entity Statements**: JSON objects that contain metadata about entities (IdPs, RPs) and their federation
+  relationships.
+- **Trust Chains**: Mechanisms by which parties in a federation verify each other’s trustworthiness through a chain of
+  entity statements, leading back to a trusted authority.
+- **Federation API**: Interfaces defined for entities to exchange information and perform operations necessary for
+  federation management.
 
 ## Core Components
 
@@ -27,45 +35,60 @@ In the context of OpenID Federation, Entity Statements play a crucial role. Thes
 ## Technical Features
 
 - **JSON Web Tokens (JWT)**: Used for creating verifiable entity statements and security assertions.
-- **JSON Object Signing and Encryption (JOSE)**: Standards for signing and encrypting JSON-based objects to ensure their integrity and confidentiality.
+- **JSON Object Signing and Encryption (JOSE)**: Standards for signing and encrypting JSON-based objects to ensure their
+  integrity and confidentiality.
 
 ## Operational Model
 
-- **Dynamic Federation**: Allows entities to join or adjust their federation relationships dynamically, based on real-time verification of entity statements.
-- **Trust Model**: Establishes a model where trust is derived from known and verifiable sources and can be dynamically adjusted according to real-time interactions and policy evaluations.
+- **Dynamic Federation**: Allows entities to join or adjust their federation relationships dynamically, based on
+  real-time verification of entity statements.
+- **Trust Model**: Establishes a model where trust is derived from known and verifiable sources and can be dynamically
+  adjusted according to real-time interactions and policy evaluations.
 - **Conflict Resolution**: Defines how disputes or mismatches in federation policies among entities are resolved.
 
+# Local Key Management System - Important Notice
+
+Local Key Management Service is designed primarily for testing, development, and local experimentation
+purposes. **It is not intended for use in production environments** due to significant security and compliance risks.
+
 # Data Structure
 
 ## Entity Statement Overview
 
 ### 1. Definition
+
 - An Entity Statement is a signed JWT containing information necessary for the Entity to participate in federations.
 - **Entity Configuration**: An Entity Statement about itself.
 - **Subordinate Statement**: An Entity Statement about an Immediate Subordinate Entity by a Superior Entity.
 
 ### 2. Requirements and Structure
+
 - **Type**: JWT must be explicitly typed as `entity-statement+jwt`.
 - **Signature**: Signed using the issuer’s private key, preferably using ECDSA with P-256 and SHA-256 (ES256).
 - **Key ID (kid)**: The header must include the Key ID of the signing key.
 
 ### 3. Claims in an Entity Statement
+
 - **iss (Issuer)**: Entity Identifier of the issuer.
 - **sub (Subject)**: Entity Identifier of the subject.
 - **iat (Issued At)**: Time the statement was issued.
 - **exp (Expiration Time)**: Time after which the statement is no longer valid.
-- **jwks (JSON Web Key Set)**: Public keys for verifying signatures. Required except in specific cases like Explicit Registration.
-- **authority_hints** (Optional): Identifiers of Intermediate Entities or Trust Anchors that may issue Subordinate Statements.
+- **jwks (JSON Web Key Set)**: Public keys for verifying signatures. Required except in specific cases like Explicit
+  Registration.
+- **authority_hints** (Optional): Identifiers of Intermediate Entities or Trust Anchors that may issue Subordinate
+  Statements.
 - **metadata** (Optional): Represents the Entity’s Types and metadata.
 - **metadata_policy** (Optional): Defines a metadata policy, applicable to the subject and its Subordinates.
 - **constraints** (Optional): Defines Trust Chain constraints.
 - **crit** (Optional): Specifies critical claims that must be understood and processed.
-- **metadata_policy_crit** (Optional): Specifies critical metadata policy operators that must be understood and processed.
+- **metadata_policy_crit** (Optional): Specifies critical metadata policy operators that must be understood and
+  processed.
 - **trust_marks** (Optional): Array of JSON objects, each representing a Trust Mark.
 - **trust_mark_issuers** (Optional): Specifies trusted issuers of Trust Marks.
 - **trust_mark_owners** (Optional): Specifies ownership of Trust Marks by different Entities.
 - **source_endpoint** (Optional): URL to fetch the Entity Statement from the issuer.
 
 ### 4. Usage and Flexibility
+
 - Entity Statements can include additional claims as required by applications and protocols.
 - Metadata in Subordinate Statements overrides that in the Entity’s own configuration.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.9'
-
 services:
   db:
     image: postgres:latest
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,3 +22,4 @@ captures @@
     /.temp/
     /docker/.env
     /.run/*
+    kotlin-js-store/