Module: OmniAuth
- Defined in:
- lib/omniauth_openid_federation.rb,
lib/omniauth_openid_federation/strategy.rb,
sig/strategy.rbs
Overview
OpenID Federation strategy for OAuth 2.0 / OpenID Connect providers This strategy implements OpenID Federation features for providers requiring compliance with regulatory requirements and security best practices.
Features implemented:
- Signed Request Objects (RFC 9101, Section 12.1.1.1.1) - Required for secure authorization requests
- ID Token Encryption/Decryption (RSA-OAEP + A128CBC-HS256) - Required for token security
- Client Assertion (private_key_jwt) - Required for token endpoint authentication
- OpenID Federation Entity Statements (Section 3) - Optional but recommended
- Signed JWKS Support (Section 5.2.1.1) - Required for key rotation compliance
Features implemented:
- Trust Chain Resolution (Section 10) - Resolves trust chains when trust_anchors configured
- Metadata Policy Merging (Section 5.1) - Applies metadata policies from trust chain
- Automatic Client Registration (Section 11.1) - Uses Entity ID as client_id
Features NOT implemented (optional):
- Trust marks (Section 7) - Optional feature (parsed but not validated)
- Federation endpoints (Section 8) - Server-side feature (Fetch Endpoint implemented separately)
This strategy uses OmniauthOpenidFederation::OidcClient and extends OAuth2 with federation-specific features.
Defined Under Namespace
Modules: Strategies