omniauth_openid_federation 1.2.2 → 1.3.2

data/app/controllers/omniauth_openid_federation/federation_controller.rb

@@ -12,7 +12,7 @@
 require "omniauth_openid_federation/cache_adapter"
 
 module OmniauthOpenidFederation
-  class FederationController < ActionController::Base
+  class FederationController < ::ApplicationController
     # Serve the entity statement
     #
     # GET /.well-known/openid-federation
@@ -50,6 +50,19 @@ module OmniauthOpenidFederation
         return
       end
 
+      # Security: Validate entity identifier per OpenID Federation 1.0 spec
+      # Entity identifiers must be valid HTTP/HTTPS URIs
+      begin
+        # Validate and get trimmed value
+        subject_entity_id = OmniauthOpenidFederation::Validators.validate_entity_identifier!(subject_entity_id, max_length: 2048)
+      rescue SecurityError => e
+        render json: {error: "invalid_request", error_description: "Invalid subject entity ID: #{e.message}"}, status: :bad_request
+        return
+      rescue => e
+        render json: {error: "invalid_request", error_description: "Subject entity ID validation failed: #{e.message}"}, status: :bad_request
+        return
+      end
+
       # Validate that subject is not the issuer (invalid request per spec)
       config = OmniauthOpenidFederation::FederationEndpoint.configuration
       if subject_entity_id == config.issuer

data/config/routes.rb

@@ -1,17 +1,27 @@
 # Routes for OpenID Federation well-known endpoints
 # These routes are mounted at the root level (not namespaced) because
 # OpenID Federation spec requires specific well-known paths
-OmniauthOpenidFederation::Engine.routes.draw do
-  # OpenID Federation 1.0 Section 9: Entity Configuration endpoint
-  # MUST be at /.well-known/openid-federation
-  get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
+# Guard to prevent double-loading routes (important for test isolation)
+# Use a file-level instance variable that doesn't trigger class loading
+@_omniauth_openid_federation_routes_loaded ||= false
+unless @_omniauth_openid_federation_routes_loaded
+  @_omniauth_openid_federation_routes_loaded = true
+  begin
+    OmniauthOpenidFederation::Engine.routes.draw do
+      # OpenID Federation 1.0 Section 9: Entity Configuration endpoint
+      # MUST be at /.well-known/openid-federation
+      get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
 
-  # Fetch endpoint for Subordinate Statements (Section 6.1)
-  get "/.well-known/openid-federation/fetch", to: "omniauth_openid_federation/federation#fetch", as: :openid_federation_fetch
+      # Fetch endpoint for Subordinate Statements (Section 6.1)
+      get "/.well-known/openid-federation/fetch", to: "omniauth_openid_federation/federation#fetch", as: :openid_federation_fetch
 
-  # Standard JWKS endpoint
-  get "/.well-known/jwks.json", to: "omniauth_openid_federation/federation#jwks", as: :openid_federation_jwks
+      # Standard JWKS endpoint
+      get "/.well-known/jwks.json", to: "omniauth_openid_federation/federation#jwks", as: :openid_federation_jwks
 
-  # Signed JWKS endpoint (OpenID Federation requirement)
-  get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks", as: :openid_federation_signed_jwks
+      # Signed JWKS endpoint (OpenID Federation requirement)
+      get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks", as: :openid_federation_signed_jwks
+    end
+  rescue NameError, LoadError
+    # Rails not available or not fully initialized - routes will be loaded when Engine initializes
+  end
 end

data/examples/config/initializers/devise.rb.example

@@ -1,10 +1,23 @@
 # Example Devise configuration for OmniAuth OpenID Federation
 # Copy this to config/initializers/devise.rb and customize for your provider
+#
+# This example uses a configuration class pattern (OpenIdConnectConfig)
+# See examples/config/open_id_connect_config.rb.example for the config class
 
 require "omniauth_openid_federation"
 
 # Configure global settings (optional but recommended)
 OmniauthOpenidFederation.configure do |config|
+  if Rails.env.development?
+    config.http_options = { ssl: { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: (OpenSSL::X509::DEFAULT_CERT_FILE if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)) } }
+  end
+
+  config.cache_ttl = 24 * 60 * 60
+  config.rotate_on_errors = true
+  config.http_timeout = 10
+  config.max_retries = 3
+  config.verify_ssl = true
+
   # Security instrumentation - get notified about security events, MITM attacks, etc.
   # Example with Sentry:
   # config.instrumentation = ->(event, data) do
@@ -24,51 +37,12 @@ OmniauthOpenidFederation.configure do |config|
   # config.instrumentation = ->(event, data) do
   #   Rails.logger.warn("[Security] #{event}: #{data.inspect}")
   # end
-  
-  # Cache configuration (optional)
-  # config.cache_ttl = 3600  # Refresh provider keys every hour
-  # config.rotate_on_errors = true  # Auto-handle provider key rotation
-end
-
-# Provider configuration
-provider_issuer = ENV["OPENID_PROVIDER_ISSUER"] || "https://provider.example.com"
-client_id = ENV["OPENID_CLIENT_ID"] || "your-client-id"
-redirect_uri = "#{ENV["APP_URL"] || "https://your-app.com"}/users/auth/openid_federation/callback"
-
-# File paths
-private_key_path = Rails.root.join("config", "client-private-key.pem")
-entity_statement_path = Rails.root.join("config", "provider-entity-statement.jwt")
-
-# Load private key
-unless File.exist?(private_key_path)
-  raise "Private key not found at #{private_key_path}. Generate it first using the example in README."
-end
-private_key = OpenSSL::PKey::RSA.new(File.read(private_key_path))
-
-# Resolve endpoints from entity statement or manual configuration
-endpoints = if File.exist?(entity_statement_path)
-  # Use entity statement if available (recommended for OpenID Federation)
-  OmniauthOpenidFederation::EndpointResolver.resolve(
-    entity_statement_path: entity_statement_path.to_s,
-    config: {}
-  )
-else
-  # Fallback to manual configuration
-  {
-    authorization_endpoint: ENV["OPENID_AUTHORIZATION_ENDPOINT"] || "/oauth2/authorize",
-    token_endpoint: ENV["OPENID_TOKEN_ENDPOINT"] || "/oauth2/token",
-    userinfo_endpoint: ENV["OPENID_USERINFO_ENDPOINT"] || "/oauth2/userinfo",
-    jwks_uri: ENV["OPENID_JWKS_URI"] || "/.well-known/jwks.json",
-    audience: provider_issuer
-  }
 end
 
-# Validate endpoints
-OmniauthOpenidFederation::EndpointResolver.validate_and_build_audience(
-  endpoints,
-  issuer_uri: URI.parse(provider_issuer)
-)
+# Load configuration from config class
+open_id_config = OpenIdConnectConfig.new
 
+if open_id_config.enabled?
 Devise.setup do |config|
   # ... your other Devise configuration ...
 
@@ -107,25 +81,40 @@ Devise.setup do |config|
   end
 
   config.omniauth :openid_federation,
+      strategy_class: OmniAuth::Strategies::OpenIDFederation,
     name: :openid_federation,
     scope: [:openid],
     response_type: "code",
     discovery: true,
-    issuer: provider_issuer,
     client_auth_method: :jwt_bearer,
     client_signing_alg: :RS256,
-    audience: endpoints[:audience],
-    entity_statement_path: entity_statement_path.to_s,
+      entity_statement_path: open_id_config.entity_statement_absolute_path,
+      always_encrypt_request_object: true,
+      # Allow-list of custom parameter names to include in signed request object
+      # Parameters must be present in request.params and listed here to be included
+      request_object_params: [:ftn_spname], # Example: include ftn_spname if present
+      # Proc to modify params before adding to signed request object
+      # Useful for combining config values with form values, adding config-based params, etc.
+      prepare_request_object_params: proc do |params|
+        # Example: Combine config acr_values with form acr_values
+        form_acr_values = params["acr_values"]&.to_s&.strip
+        config_acr_values = open_id_config.acr_values.to_s.strip
+        
+        if config_acr_values.present? && form_acr_values.present?
+          params["acr_values"] = "#{config_acr_values} #{form_acr_values}".strip
+        elsif config_acr_values.present?
+          params["acr_values"] = config_acr_values
+        end
+        
+        # Example: Add custom parameter from config
+        params["ftn_spname"] = open_id_config.ftn_spname if open_id_config.ftn_spname.present?
+        
+        params
+      end,
     client_options: {
-      identifier: client_id,
-      redirect_uri: redirect_uri,
-      private_key: private_key,
-      scheme: URI.parse(provider_issuer).scheme,
-      host: URI.parse(provider_issuer).host,
-      authorization_endpoint: endpoints[:authorization_endpoint],
-      token_endpoint: endpoints[:token_endpoint],
-      userinfo_endpoint: endpoints[:userinfo_endpoint],
-      jwks_uri: endpoints[:jwks_uri]
+        identifier: open_id_config.client_id,
+        redirect_uri: open_id_config.redirect_uri,
+        private_key: open_id_config.private_key
     }
 end
-
+end

data/examples/config/initializers/federation_endpoint.rb.example

@@ -187,7 +187,7 @@ end
 # ============================================================================
 # Add to config/routes.rb:
 #
-#   OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)
+#   mount OmniauthOpenidFederation::Engine => "/"
 #
 # This mounts all endpoints:
 #   - GET /.well-known/openid-federation (entity statement)
@@ -202,5 +202,5 @@ end
 #   get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks"
 
 Rails.logger.info "[FederationEndpoint] Configured. Add the route in config/routes.rb:"
-Rails.logger.info "  OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)"
+Rails.logger.info "  mount OmniauthOpenidFederation::Engine => \"/\""
 

data/examples/config/open_id_connect_config.rb.example

@@ -62,8 +62,6 @@ class OpenIdConnectConfig < ApplicationConfig
     :client_entity_statement_path,
     :client_entity_statement_url,
     :client_entity_identifier,
-    :ftn_spname,
-    :acr_values,
     :organization_name
 
   # Load private key from file or base64 encoded string
@@ -128,8 +126,8 @@ class OpenIdConnectConfig < ApplicationConfig
   # Entity statements MUST be available at /.well-known/openid-federation
   # URL is the source of truth per OpenID Federation spec
   def entity_statement_absolute_path
-    return nil if entity_statement_path.blank?
-    @entity_statement_absolute_path ||= Rails.root.join(entity_statement_path)
+    return Rails.root.join("config", ".federation-entity-statement.jwt").to_s if entity_statement_path.blank?
+    @entity_statement_absolute_path ||= Rails.root.join(entity_statement_path).to_s
   end
 
   # Get provider entity statement URL
@@ -143,7 +141,7 @@ class OpenIdConnectConfig < ApplicationConfig
   # Get client entity statement absolute path
   def client_entity_statement_absolute_path
     return nil if client_entity_statement_path.blank?
-    @client_entity_statement_absolute_path ||= Rails.root.join(client_entity_statement_path)
+    @client_entity_statement_absolute_path ||= Rails.root.join(client_entity_statement_path).to_s
   end
 
   # Get client entity statement path for strategy configuration
@@ -165,7 +163,6 @@ class OpenIdConnectConfig < ApplicationConfig
   # Uses standard path /.well-known/openid-federation (mounted by library)
   def client_entity_statement_url
     return values[:client_entity_statement_url] if values[:client_entity_statement_url].present?
-    # Default to standard federation endpoint if not explicitly configured
     app_url = ENV["APP_URL"] || "https://your-app.example.com"
     "#{app_url}/.well-known/openid-federation"
   end
@@ -174,16 +171,15 @@ end
 # Usage in initializer (config/initializers/omniauth_openid_federation.rb):
 #
 # open_id_config = OpenIdConnectConfig.new
-# if open_id_config.enabled? && open_id_config.private_key.present?
+# if open_id_config.enabled?
 #   app_url = ENV["APP_URL"] || "https://your-app.example.com"
 #
 #   OmniauthOpenidFederation::FederationEndpoint.auto_configure(
 #     issuer: app_url,
-#     # Production (RECOMMENDED): Use separate keys
-#     signing_key: open_id_config.signing_key,
-#     encryption_key: open_id_config.encryption_key,
-#     # Development/Testing (NOT RECOMMENDED FOR PRODUCTION): Single key
-#     # private_key: open_id_config.private_key,
+#     # RECOMMENDED: Use separate signing_key and encryption_key for production
+#     # signing_key: open_id_config.signing_key,
+#     # encryption_key: open_id_config.encryption_key,
+#     private_key: open_id_config.private_key, # DEV/TESTING ONLY - not recommended for production
 #     entity_statement_path: open_id_config.client_entity_statement_absolute_path,
 #     metadata: {
 #       openid_relying_party: {
@@ -202,9 +198,10 @@ end
 #         organization_name: open_id_config.organization_name
 #       }
 #     },
-#     expiration_seconds: (ENV["FEDERATION_EXPIRATION_SECONDS"] || 86400).to_i,
-#     jwks_cache_ttl: (ENV["FEDERATION_JWKS_CACHE_TTL"] || 3600).to_i,
-#     auto_provision_keys: true
+#     expiration_seconds: 86400,
+#     jwks_cache_ttl: 3600,
+#     auto_provision_keys: true,
+#     key_rotation_period: 90.days.to_i
 #   )
 # end
 

data/examples/config/routes.rb.example

@@ -1,12 +1,16 @@
 # Example routes.rb showing how to mount the federation endpoint
 Rails.application.routes.draw do
-  # Mount the federation endpoint (required for serving entity statements)
+  # Mount OpenID Federation engine early to ensure well-known routes are registered before catch-all routes
   # This enables the /.well-known/openid-federation endpoint
-  OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)
-
-  # Or mount manually:
-  # get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
+  if OpenIdConnectConfig.enabled?
+    mount OmniauthOpenidFederation::Engine => "/"
+  end
 
   # Your other routes...
+  devise_for :users, controllers: {
+    omniauth_callbacks: "users/omniauth_callbacks"
+  }
+
+  # ... rest of your routes ...
 end
 

data/examples/integration_test_flow.rb

@@ -319,7 +319,7 @@ class IntegrationTestFlow
       attempt = 0
       ready = false
       server_name = url.include?("9292") ? "OP" : "RP"
-      start_time = Time.now
+      start_time = Time.zone.now
 
       while attempt < max_attempts && !ready
         begin
@@ -330,7 +330,7 @@ class IntegrationTestFlow
           response = http.get(uri.path)
 
           if response.code == "200"
-            elapsed = (Time.now - start_time).round(1)
+            elapsed = (Time.zone.now - start_time).round(1)
             puts "  ✓ #{url} is ready (#{elapsed}s)"
             ready = true
           end
@@ -342,7 +342,7 @@ class IntegrationTestFlow
           attempt += 1
           # Show progress every 5 attempts (1 second)
           if attempt % 5 == 0
-            elapsed = (Time.now - start_time).round(1)
+            elapsed = (Time.zone.now - start_time).round(1)
             print "."
           end
           sleep check_interval
@@ -350,7 +350,7 @@ class IntegrationTestFlow
       end
 
       unless ready
-        elapsed = (Time.now - start_time).round(1)
+        elapsed = (Time.zone.now - start_time).round(1)
         puts "\n  ✗ #{server_name} server at #{url} did not become ready in time (#{elapsed}s)"
         err_log = File.join(@tmp_dir, "#{server_name.downcase}_server_error.log")
         log_file = File.join(@tmp_dir, "#{server_name.downcase}_server.log")

data/examples/mock_op_server.rb

@@ -111,7 +111,7 @@ class MockOPServer
   end
 
   def self.load_signing_key(key_data)
-    if key_data.nil? || key_data.empty?
+    if key_data.blank?
       # Generate a new key for testing
       OpenSSL::PKey::RSA.new(2048)
     elsif key_data.is_a?(String)
@@ -126,7 +126,7 @@ class MockOPServer
   end
 
   def self.load_encryption_key(key_data)
-    return nil if key_data.nil? || key_data.empty?
+    return nil if key_data.blank?
     load_signing_key(key_data)
   end
 
@@ -478,7 +478,7 @@ class MockOPServer
         redirect_uri: redirect_uri,
         state: state,
         nonce: nonce,
-        created_at: Time.now
+        created_at: Time.zone.now
       }
 
       # Redirect back to RP with authorization code

data/examples/mock_rp_server.rb

@@ -66,7 +66,7 @@ class MockRPServer
   end
 
   def self.load_signing_key(key_data)
-    if key_data.nil? || key_data.empty?
+    if key_data.blank?
       OpenSSL::PKey::RSA.new(2048)
     elsif key_data.is_a?(String)
       if key_data.include?("BEGIN")
@@ -80,7 +80,7 @@ class MockRPServer
   end
 
   def self.load_encryption_key(key_data)
-    return nil if key_data.nil? || key_data.empty?
+    return nil if key_data.blank?
     load_signing_key(key_data)
   end
 
@@ -297,7 +297,7 @@ class MockRPServer
         provider_entity_id: provider_entity_id,
         redirect_uri: redirect_uri,
         nonce: nonce,
-        created_at: Time.now
+        created_at: Time.zone.now
       }
 
       # Step 5: Redirect to provider

data/lib/omniauth_openid_federation/configuration.rb

@@ -84,6 +84,13 @@ module OmniauthOpenidFederation
     #   config.instrumentation = nil
     attr_accessor :instrumentation
 
+    # Maximum string length for request parameters (default: 8192 / 8KB)
+    # Prevents DoS attacks while allowing legitimate use cases (e.g., encrypted JWT authorization codes)
+    # @return [Integer] Maximum string length in characters
+    # @example
+    #   config.max_string_length = 16384  # Increase to 16KB
+    attr_accessor :max_string_length
+
     def initialize
       @verify_ssl = true # Default to secure
       @cache_ttl = nil # Default: manual rotation (never expires)
@@ -96,6 +103,7 @@ module OmniauthOpenidFederation
       @root_path = nil
       @clock_skew_tolerance = 60 # Default: 60 seconds clock skew tolerance
       @instrumentation = nil # Default: no instrumentation
+      @max_string_length = 8192 # Default: 8KB - prevents DoS while allowing legitimate use cases
     end
 
     # Configure the gem

data/lib/omniauth_openid_federation/constants.rb

@@ -9,5 +9,10 @@ module OmniauthOpenidFederation
 
     # Maximum retry delay in seconds (prevents unbounded retry delays)
     MAX_RETRY_DELAY_SECONDS = 60
+
+    # Maximum string length for request parameters (8KB)
+    # Prevents DoS attacks while allowing legitimate use cases (e.g., encrypted JWT authorization codes)
+    # Use Configuration.config.max_string_length for runtime configuration instead of patching this constant
+    MAX_STRING_LENGTH = 8192
   end
 end

data/lib/omniauth_openid_federation/entity_statement_reader.rb

@@ -5,6 +5,7 @@ require_relative "key_extractor"
 require_relative "utils"
 require_relative "configuration"
 require_relative "logger"
+require_relative "string_helpers"
 
 # Entity Statement Reader for OpenID Federation 1.0
 # @see https://openid.net/specs/openid-federation-1_0.html OpenID Federation 1.0 Specification
@@ -30,7 +31,7 @@ module OmniauthOpenidFederation
       # @return [Array<Hash>] Array of JWK hash objects
       def fetch_keys(entity_statement_path: nil)
         entity_statement = load_entity_statement(entity_statement_path)
-        return [] if entity_statement.nil? || entity_statement.empty?
+        return [] if StringHelpers.blank?(entity_statement)
 
         # Decode self-signed entity statement
         # Entity statements are self-signed, so we validate using their own JWKS
@@ -53,7 +54,7 @@ module OmniauthOpenidFederation
       # @return [Hash, nil] Hash with provider metadata or nil if not found
       def parse_metadata(entity_statement_path: nil)
         entity_statement = load_entity_statement(entity_statement_path)
-        return nil if entity_statement.nil? || entity_statement.empty?
+        return nil if StringHelpers.blank?(entity_statement)
 
         # Decode JWT payload
         jwt_parts = entity_statement.split(".")
@@ -93,21 +94,45 @@ module OmniauthOpenidFederation
       def load_entity_statement(entity_statement_path)
         return nil if entity_statement_path.nil? || entity_statement_path.to_s.empty?
 
-        # Determine allowed directories for file path validation
-        config = OmniauthOpenidFederation::Configuration.config
-        allowed_dirs = if defined?(Rails) && Rails.root
-          [Rails.root.join("config").to_s]
-        elsif config.root_path
-          [File.join(config.root_path, "config")]
+        # If path is absolute and exists, allow it (for temp files in tests)
+        # For absolute paths that don't exist, validate path traversal but allow outside allowed_dirs
+        # For relative paths, validate against allowed directories
+        path_str = entity_statement_path.to_s
+        is_absolute = path_str.start_with?("/", "~")
+
+        if is_absolute && File.exist?(entity_statement_path)
+          validated_path = entity_statement_path
+        elsif is_absolute
+          # Absolute path - validate path traversal but allow outside allowed_dirs
+          begin
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: nil  # Allow absolute paths outside config directory
+            )
+          rescue SecurityError
+            return nil
+          end
+        else
+          # Relative path - must be in allowed directories
+          config = OmniauthOpenidFederation::Configuration.config
+          allowed_dirs = if defined?(Rails) && Rails.root
+            [Rails.root.join("config").to_s]
+          elsif config.root_path
+            [File.join(config.root_path, "config")]
+          end
+
+          begin
+            # Validate file path to prevent path traversal attacks
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: allowed_dirs
+            )
+          rescue SecurityError
+            return nil
+          end
         end
 
         begin
-          # Validate file path to prevent path traversal attacks
-          validated_path = Utils.validate_file_path!(
-            entity_statement_path,
-            allowed_dirs: allowed_dirs
-          )
-
           return nil unless File.exist?(validated_path)
 
           File.read(validated_path)

data/lib/omniauth_openid_federation/federation/entity_statement_builder.rb

@@ -4,6 +4,7 @@ require "openssl"
 require "time"
 require_relative "../logger"
 require_relative "../errors"
+require_relative "../string_helpers"
 
 # Entity Statement Builder for OpenID Federation 1.0
 # @see https://openid.net/specs/openid-federation-1_0.html OpenID Federation 1.0 Specification
@@ -82,7 +83,6 @@ module OmniauthOpenidFederation
 
         payload = build_payload
 
-        # Build JWT header
         # Per OpenID Federation 1.0 Section 3.1: typ MUST be "entity-statement+jwt"
         header = {
           alg: "RS256",
@@ -102,13 +102,13 @@ module OmniauthOpenidFederation
       private
 
       def validate_parameters
-        raise ConfigurationError, "Issuer is required" if @issuer.nil? || @issuer.empty?
-        raise ConfigurationError, "Subject is required" if @subject.nil? || @subject.empty?
+        raise ConfigurationError, "Issuer is required" if StringHelpers.blank?(@issuer)
+        raise ConfigurationError, "Subject is required" if StringHelpers.blank?(@subject)
         raise ConfigurationError, "Private key is required" if @private_key.nil?
-        raise ConfigurationError, "JWKS is required" if @jwks.nil? || @jwks.empty?
-        raise ConfigurationError, "Metadata is required" if @metadata.nil? || @metadata.empty?
-        raise ConfigurationError, "JWKS must contain at least one key" if @jwks["keys"].nil? || @jwks["keys"].empty?
-        raise ConfigurationError, "Key ID (kid) is required" if @kid.nil? || @kid.empty?
+        raise ConfigurationError, "JWKS is required" if StringHelpers.blank?(@jwks)
+        raise ConfigurationError, "Metadata is required" if StringHelpers.blank?(@metadata)
+        raise ConfigurationError, "JWKS must contain at least one key" if StringHelpers.blank?(@jwks["keys"])
+        raise ConfigurationError, "Key ID (kid) is required" if StringHelpers.blank?(@kid)
       end
 
       def build_payload
@@ -125,7 +125,6 @@ module OmniauthOpenidFederation
           metadata: @metadata
         }
 
-        # Entity Configuration specific claims
         if is_entity_configuration
           payload[:authority_hints] = @authority_hints if @authority_hints
           payload[:trust_marks] = @trust_marks if @trust_marks
@@ -133,7 +132,6 @@ module OmniauthOpenidFederation
           payload[:trust_mark_owners] = @trust_mark_owners if @trust_mark_owners
         end
 
-        # Subordinate Statement specific claims
         if is_subordinate_statement
           payload[:metadata_policy] = @metadata_policy if @metadata_policy
           payload[:metadata_policy_crit] = @metadata_policy_crit if @metadata_policy_crit
@@ -141,21 +139,17 @@ module OmniauthOpenidFederation
           payload[:source_endpoint] = @source_endpoint if @source_endpoint
         end
 
-        # Common optional claims
         payload[:crit] = @crit if @crit
 
         payload
       end
 
       def normalize_jwks(jwks)
-        # Ensure JWKS is a hash with "keys" array
         if jwks.is_a?(Hash)
-          # If it has :keys or "keys", use as-is
           if jwks.key?(:keys) || jwks.key?("keys")
             keys = jwks[:keys] || jwks["keys"]
             {"keys" => normalize_keys(keys)}
           else
-            # If it's just a hash, wrap it
             {"keys" => [jwks]}
           end
         elsif jwks.is_a?(Array)
@@ -168,7 +162,6 @@ module OmniauthOpenidFederation
       def normalize_keys(keys)
         keys.map do |key|
           if key.is_a?(Hash)
-            # Convert symbol keys to string keys
             key.transform_keys(&:to_s)
           else
             key

data/lib/omniauth_openid_federation/federation/entity_statement_helper.rb

@@ -17,18 +17,47 @@ module OmniauthOpenidFederation
       # @raise [ValidationError] If parsing fails
       def self.parse_for_signed_jwks(entity_statement_path)
         # Determine allowed directories for file path validation
-        config = Configuration.config
-        allowed_dirs = if defined?(Rails) && Rails.root
-          [Rails.root.join("config").to_s]
-        elsif config.root_path
-          [File.join(config.root_path, "config")]
-        end
+        # If path is absolute and exists, allow it (for temp files in tests)
+        # For absolute paths that don't exist, validate path traversal but allow outside allowed_dirs
+        # For relative paths, validate against allowed directories
+        path_str = entity_statement_path.to_s
+        is_absolute = path_str.start_with?("/", "~")
+
+        if is_absolute && File.exist?(entity_statement_path)
+          validated_path = entity_statement_path
+        elsif is_absolute
+          # Absolute path - validate path traversal but allow outside allowed_dirs
+          begin
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: nil  # Allow absolute paths outside config directory
+            )
+          rescue SecurityError => e
+            OmniauthOpenidFederation::Logger.warn("[EntityStatementHelper] Security error: #{e.message}")
+            return nil
+          end
+        else
+          # Relative path - must be in allowed directories
+          config = Configuration.config
+          allowed_dirs = if defined?(Rails) && Rails.root
+            [Rails.root.join("config").to_s]
+          elsif config.root_path
+            [File.join(config.root_path, "config")]
+          end
 
-        # Validate file path to prevent path traversal
-        validated_path = Utils.validate_file_path!(
-          entity_statement_path,
-          allowed_dirs: allowed_dirs
-        )
+          begin
+            # Validate file path to prevent path traversal
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: allowed_dirs
+            )
+          rescue SecurityError => e
+            # For relative paths with path traversal, raise SecurityError instead of returning nil
+            # This is a security violation that should be explicitly handled
+            OmniauthOpenidFederation::Logger.warn("[EntityStatementHelper] Security error: #{e.message}")
+            raise SecurityError, e.message
+          end
+        end
 
         unless File.exist?(validated_path)
           sanitized_path = Utils.sanitize_path(validated_path)