Skip to content

Add rollover metadata containing all available keys#1899

Merged
kayjoosten merged 3 commits intoOpenConext:mainfrom
tvdijen:feature/rollover-metadata
Mar 27, 2026
Merged

Add rollover metadata containing all available keys#1899
kayjoosten merged 3 commits intoOpenConext:mainfrom
tvdijen:feature/rollover-metadata

Conversation

@tvdijen
Copy link
Contributor

@tvdijen tvdijen commented Dec 16, 2025

We sign our AuthnRequests to our IdPs, so we need to have metadata containing both the current and the rollover-certificate.
With this patch, the default metadata (keyslug=default or no keyslug) will contain all the configured keys.

@tvdijen tvdijen force-pushed the feature/rollover-metadata branch from 07e9c6c to 38b72e8 Compare December 16, 2025 11:41
@baszoetekouw baszoetekouw requested a review from johanib January 7, 2026 07:56
@cdbesten
Copy link

cdbesten commented Feb 19, 2026

Dit lijkt me zeer gewenst. Wij moeten volgend jaar op productie ook rollover'en en alles wat dit proces soepeler kan laten verlopen is mooi meegenomen.

@johanib johanib moved this from New to Backlog in PHP development Feb 23, 2026
@johanib
Copy link
Contributor

johanib commented Mar 18, 2026

@kayjoosten Can you:

  • Add .feature test
  • Check test coverage (unit needed/possible)
  • Review implementation
  • Assume current implementation is correct

@kayjoosten kayjoosten self-assigned this Mar 18, 2026
@kayjoosten kayjoosten force-pushed the feature/rollover-metadata branch from 39cf222 to fc47521 Compare March 20, 2026 11:59
@johanib johanib linked an issue Mar 25, 2026 that may be closed by this pull request
/metadata endpoint should expose all the available keys #1223
Closed
@kayjoosten
Copy link
Contributor

kayjoosten commented Mar 25, 2026

Request: GET /authentication/sp/metadata
GET /authentication/sp/metadata/key:rollover

  1. Controller (MetadataController) receives the request, extracts the keyId (defaults to default if none given), calls MetadataProvider::metadataForSp($keyId)
  2. MetadataProvider builds the SP entity object (which, after this PR, includes all keys in its KeyDescriptor list when using the default endpoint), then passes to MetadataRenderer::fromServiceProviderEntity($sp, $keyId)
  3. MetadataRenderer does two things:
    • Renders the Twig XML template → the md:KeyDescriptor elements in the output
    • Calls DocumentSigner->sign($xml, $signingKeyPair) where the signing key pair is built

So when you request key:rollover, the document is signed with the rollover private key. When you request the default, it's signed with the default private key.

@kayjoosten
Add tests for rollover metadata key support
783497e 
- Fix broken unit tests in decorator classes after array change
- Add buildAll() unit test to KeyPairFactoryTest
- Add Behat scenarios verifying all keys appear in default metadata
- Update FrontPage test to expect rollover key links
- Add CI and dev env parameters with rollover key for testing
- Remove unused X509Certificate import from EngineBlockServiceProvider
@kayjoosten kayjoosten force-pushed the feature/rollover-metadata branch from fc47521 to 783497e Compare March 25, 2026 09:53
@kayjoosten kayjoosten requested a review from johanib March 25, 2026 11:12
@kayjoosten kayjoosten merged commit 5c3ca2a into OpenConext:main Mar 27, 2026
2 checks passed
@github-project-automation github-project-automation bot moved this from Backlog to Delivered in PHP development Mar 27, 2026
@tvdijen tvdijen deleted the feature/rollover-metadata branch March 27, 2026 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@johanib johanib johanib approved these changes

Assignees

@kayjoosten kayjoosten

Labels

None yet

Projects

PHP development
Status: Delivered

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

/metadata endpoint should expose all the available keys

4 participants

@tvdijen @cdbesten @johanib @kayjoosten