Use JWKS JSON string as Trust Anchor JWKS config

Author: cicnavi

config-templates/module_oidc.php

@@ -327,32 +327,14 @@
     ModuleConfig::OPTION_FEDERATION_ENABLED => false,
 
     // Trust Anchors which are valid for this entity. The key represents the Trust Anchor Entity ID, while the value can
-    // be the Trust Anchor's JWKS array value, or null. If JWKS is provided, it will be used to validate Trust Anchor
-    // Configuration Statement in addition to using JWKS acquired during Trust Chain resolution. If JWKS is not
-    // provided (value null), the validity of Trust Anchor Configuration Statement will "only" be validated
-    // by the JWKS acquired during Trust Chain resolution, meaning that security will rely "only" on
-    // protection implied from using TLS on endpoints used during Trust Chain resolution.
+    // be the Trust Anchor's JWKS JSON object string value, or null. If JWKS is provided, it will be used to validate
+    // Trust Anchor Configuration Statement in addition to using JWKS acquired during Trust Chain resolution. If
+    // JWKS is not provided (value null), the validity of Trust Anchor Configuration Statement will "only" be
+    // validated by the JWKS acquired during Trust Chain resolution, meaning that security will rely "only"
+    // on protection implied from using TLS on endpoints used during Trust Chain resolution.
     ModuleConfig::OPTION_FEDERATION_TRUST_ANCHORS => [
-//        'https://ta.example.org/' => [
-//            'keys' => [
-//                [
-//                    'alg' => 'RS256',
-//                    'use' => 'sig',
-//                    'kty' => 'RSA',
-//                    'n' => 'abc...def',
-//                    'e' => 'AQAB',
-//                    'kid' => '123',
-//                ],
-//                [
-//                    'alg' => 'RS256',
-//                    'use' => 'sig',
-//                    'kty' => 'RSA',
-//                    'n' => 'ghi...jkl',
-//                    'e' => 'AQAB',
-//                    'kid' => '456',
-//                ],
-//            ],
-//        ],
+        // phpcs:ignore
+//        'https://ta.example.org/' => '{"keys":[{"kty": "RSA","alg": "RS256","use": "sig","kid": "Nzb...9Xs","e": "AQAB","n": "pnXB...ub9J"}]}',
 //        'https://ta2.example.org/' => null,
     ],
 

src/ModuleConfig.php

@@ -24,7 +24,6 @@
 use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ScopesEnum;
 
 class ModuleConfig
@@ -650,20 +649,16 @@ public function getFederationTrustAnchorIds(): array
     /**
      * @throws \SimpleSAML\Error\ConfigurationError
      */
-    public function getTrustAnchorJwks(string $trustAnchorId): ?array
+    public function getTrustAnchorJwksJson(string $trustAnchorId): ?string
     {
         /** @psalm-suppress MixedAssignment */
         $jwks = $this->getFederationTrustAnchors()[$trustAnchorId] ?? null;
 
-        if ($jwks === null) {
+        if (is_null($jwks)) {
             return null;
         }
 
-        if (
-            is_array($jwks) &&
-            array_key_exists(ClaimsEnum::Keys->value, $jwks) &&
-            (!empty($jwks[ClaimsEnum::Keys->value]))
-        ) {
+        if (is_string($jwks)) {
             return $jwks;
         }
 

src/Server/RequestRules/Rules/ClientIdRule.php

@@ -141,6 +141,19 @@ public function checkRule(
             );
         }
 
+        // Validate TA with locally saved JWKS, if available.
+        $trustAnchorEntityConfiguration = $trustChain->getResolvedTrustAnchor();
+        $localTrustAnchorJwksJson = $this->moduleConfig
+            ->getTrustAnchorJwksJson($trustAnchorEntityConfiguration->getIssuer());
+        if (!is_null($localTrustAnchorJwksJson)) {
+            /** @psalm-suppress MixedArgument */
+            $localTrustAnchorJwks = $this->federation->helpers()->json()->decode($localTrustAnchorJwksJson);
+            if (!is_array($localTrustAnchorJwks)) {
+                throw OidcServerException::serverError('Unexpected JWKS format.');
+            }
+            $trustAnchorEntityConfiguration->verifyWithKeySet($localTrustAnchorJwks);
+        }
+
         $clientFederationEntity = $trustChain->getResolvedLeaf();
 
         if ($clientFederationEntity->getIssuer() !== $clientEntityId) {

templates/config/federation.twig

@@ -64,7 +64,7 @@
                 {{ 'JWKS'|trans }}:
                 {% if jwks|default is not empty %}
                     <code class="code-box code-box-content">
-                        {{- jwks|json_encode(constant('JSON_PRETTY_PRINT')) -}}
+                        {{- jwks -}}
                     </code>
                 {% else %}
                     {{ 'N/A'|trans }}