OpenID Federation Trust Chain
A Trust Chain is a sequence of signed statements–Entity Statements–that enables an entity to prove its trustworthiness in a federation. Each statement is a signed JSON Web Token (JWT) that conveys metadata and trust relationships between entities.
A trust chain is a cryptographically verifiable path that connects an entity to a trust anchor through a series of Entity Statements. It enables automated, scalable trust establishment between entities—such as OPs, RPs, and intermediaries—within a federation, without requiring direct, pre-established relationships.
A Trust Chain begins with the Entity Configuration of the entity for which trust is being established. This entity is known as the subject of the Trust Chain. Subjects often play protocol roles—such as OpenID Provider (OP) or OpenID Relying Party (RP)—and are typically Leaf Entities. However, this is not always the case.
An entity can simultaneously act as an OP and an Intermediate Entity. For example, an OP may serve subordinate RPs or other intermediates. In such cases, the OP is not a Leaf Entity, yet can still be the subject of a Trust Chain.
A Trust Chain ends with the Entity Configuration of a Trust Anchor—an entity that vouches for its subordinates and serves as a cryptographic root of trust. While Trust Anchors often have no superiors, they may have one if participating in a hierarchical federation, where they serve as intermediates within a larger federation structure.
Trust Chain Structure
The Trust Chain flows from the subject to the Trust Anchor, built by linking signed JWTs:
| Position | JWT Type | Description |
|---|---|---|
| Subject Entity | Entity Configuration | Self-issued JWT initiating the trust chain |
| Intermediate(s) | Entity Statement | (Optional) Issued by intermediates about their subordinates |
| Trust Anchor | Entity Configuration | Self-issued JWT terminating the chain, serving as the root of trust |
The number of intermediaries depends on the federation topology. Chains may be short or span several levels, especially in hierarchical federations.
Establishing Trust Chain
In OpenID Federation, each participating entity must publish a verifiable self-description in the form of a self-signed Entity Statement, allowing other parties to discover and validate them as part of a Trust Chain.
Each party–whether a Relying Party (RP), OpenID Provider (OP), or Trust Anchor (TA)–begins the trust establishment process by generating and publishing its own Entity Configuration, which is a self-issued JWT containing the following critical claims:
-
iss: The entity’s own identifier (e.g., its URL). -
sub: Same as iss, since the entity is describing itself. -
jwks: A JSON Web Key Set representing the entity’s public keys. -
authority_hints: A list of superior entities (usually one or more Trust Anchors).
Each Entity Configuration is:
-
Signed using the entity's private key.
-
Published at a /.well-known URL, following the
{entity_id}/.well-known/openid-federationformat.
This allows others to discover it in a standardized way.
Trust Chain Resolution
When an RP attempts to interact with an OP (or vice versa), it retrieves the
other's Entity Configuration. From there, it follows the authority_hints to
request and build a chain of Entity Statements, signed by each superior entity
in the hierarchy.
For example:
-
The RP retrieves the OP’s Entity Configuration.
-
The OP’s authority_hints point to the Trust Anchor (TA).
-
The RP retrieves the Entity Statement the TA has issued about the OP.
The RP builds a Trust Chain: TA → OP → RP
This process may be repeated or reversed depending on which party initiates the interaction - but always ends at the Trust Anchor the parties agreed to trust.
Validation and Trust Decision
Once the full chain of JWTs is retrieved:
-
Each JWT is cryptographically verified using the public keys found in the issuer’s Entity Configuration.
-
Federation policies are validated at each level of the chain.
-
If all signatures and policy validations pass, the Trust Chain is accepted, and the entities can securely interact.
