§03 · Lesson · Foundation
Entity Statements
Signed documents that carry trust — cracking open a JWT
10 min read · Last reviewed 2026-06-05 · Foundation
What's a JWT? (30-second version)
An Entity Statement is a JSON Web Token — a compact, signed JSON document with three parts separated by dots. JWTs are defined by §3 and grounded in the JOSE RFCs (JWS for signing, JWK for key representation, JWT for token structure):
eyJhbGciOiJSUzI1NiIsInR5cCI6ImVudGl0eS1zdGF0ZW1lbnQrand0In0.eyJpc3MiOiJodHRwczovL2xvZ2luLnVuaS5lZHUiLC....SflKxwRJSMeKKF2QT4fwpM...
Header (algorithm, type) · Payload (claims) · Signature (cryptographic proof)
Two Types of Entity Statements
Note
The JSON payloads above are illustrative — key material is truncated and URLs are fictitious (login.uni.edu, uni.edu, edufed.gov). All claim names and field shapes match the spec.
Security consideration
Entity Identifier comparisons MUST NOT apply Unicode Normalization (NFC / NFD). Compare strings by direct code-point equality after JSON unescaping only. This prevents canonicalization attacks where visually identical IDs are treated as distinct entities.
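The comparison rule above, as an added example that is not part of the lesson or the spec: it decodes the payload of two constructed, unsigned sample tokens and compares `iss` and `sub` by code-point equality, so an identifier that only looks the same (NFD instead of NFC) is not accepted as the same entity. The function names and the `/café` identifiers are assumptions made for illustration; the `iss` equals `sub` test for an Entity Configuration comes from the spec.

```python
import base64
import json
import unicodedata


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload_json: str) -> str:
    """Build an UNSIGNED sample token (constructed; the signature is a placeholder)."""
    header = '{"alg":"RS256","typ":"entity-statement+jwt"}'
    return ".".join([b64url(header.encode()), b64url(payload_json.encode()), "c2ln"])


def decode_payload(compact_jwt: str) -> dict:
    """Decode the payload for inspection only; this does not verify the signature."""
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    return json.loads(raw)  # json.loads does the JSON unescaping (\u00e9 -> é)


def same_entity(a: str, b: str) -> bool:
    """Direct code-point equality; Python str == never normalizes."""
    return a == b


def same_entity_normalized(a: str, b: str) -> bool:
    """The comparison the rule forbids, kept only for contrast."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def statement_type(claims: dict) -> str:
    # Per the spec, an Entity Configuration has iss == sub; otherwise it is a Subordinate Statement.
    if same_entity(claims["iss"], claims["sub"]):
        return "entity-configuration"
    return "subordinate-statement"


# Constructed samples: fictitious IDs, written with JSON escapes so unescaping is exercised.
SELF = make_token(r'{"iss":"https://login.uni.edu/caf\u00e9","sub":"https://login.uni.edu/caf\u00e9"}')
LOOKALIKE = make_token(r'{"iss":"https://login.uni.edu/caf\u00e9","sub":"https://login.uni.edu/cafe\u0301"}')

if __name__ == "__main__":
    for name, token in (("SELF", SELF), ("LOOKALIKE", LOOKALIKE)):
        c = decode_payload(token)
        print(name, statement_type(c), same_entity_normalized(c["iss"], c["sub"]))
```

With normalization, the second sample would be classified as self-issued even though its `sub` is a different code-point sequence from its `iss`.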
Explore Every Claim
Click any claim to see its full definition from §3.1.1 through §3.1.3 of the spec.
Real-World Analogy
Entity Configuration = a self-issued ID card — you write your own name and sign it yourself. Subordinate Statement = a notary's certification — someone higher up vouches for you, signed with the notary's own signature.
Further reading
Normative spec