⚠️ This project is a work in progress; the first stable release for production use will be v0.6.0.
SPID/CIE OIDC Federation is a suite of Django applications designed to make it easy to build an OpenID Connect Federation. Each of them can be installed separately within a Django project. They are the following:
| Application | Description |
|---|---|
| spid_cie_oidc.accounts | Customizable application that extends the Django User model. |
| spid_cie_oidc.entity | OpenID Connect Federation Django app that implements OIDC Federation 1.0 Entity Statements, metadata discovery, Trust Chain, Trust Marks and Metadata policy. Technical specifications: OIDC Federation Entity |
| spid_cie_oidc.authority | OpenID Connect Federation API and models for an OIDC Federation Authority/Intermediary. Technical specifications and tutorial. |
| spid_cie_oidc.onboarding | OpenID Connect Federation onboarding demo service |
| spid_cie_oidc.relying_party | OpenID Connect Relying Party and test suite for OIDC Providers |
| spid_cie_oidc.provider | OpenID Connect Provider and test suite for OIDC Relying Parties |
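The table above mentions Metadata policy, the mechanism by which a Trust Anchor and each Intermediary along a trust chain narrow what a leaf entity (here an RP) may declare in its own metadata. The following is an added example, not code from spid-cie-oidc-django or from the metadata policy code it reuses: a stdlib-only Python sketch of how the policies found along a chain are merged (Trust Anchor first, subordinates may only narrow) and then applied to the leaf's metadata in the operator order defined by OIDC Federation 1.0. The entity names, policies and RP metadata are constructed for illustration, and `subset_of` is simplified to "drop values outside the allowed set".

```python
# Added example, not part of spid-cie-oidc-django. Minimal OIDC Federation 1.0
# metadata policy merge + apply. All names, policies and metadata are constructed.
ORDER = ("value", "add", "default", "one_of", "subset_of", "superset_of", "essential")


class PolicyError(ValueError):
    """Inconsistent policy chain, or leaf metadata that violates the policy."""


def _as_list(v):
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def _union(a, b):
    return a + [x for x in b if x not in a]


def merge_operator(op, sup, sub):
    """Combine one operator from a superior (closer to the Trust Anchor) and a
    subordinate policy. A subordinate may only narrow what its superior allows."""
    if op in ("value", "default"):
        if sup != sub:
            raise PolicyError(f"{op}: subordinate {sub!r} conflicts with superior {sup!r}")
        return sup
    if op in ("add", "superset_of"):
        return _union(_as_list(sup), _as_list(sub))
    if op in ("one_of", "subset_of"):
        inter = [x for x in sup if x in sub]
        if not inter:
            raise PolicyError(f"{op}: intersection of {sup!r} and {sub!r} is empty")
        return inter
    if op == "essential":
        if sup and not sub:
            raise PolicyError("essential: a subordinate cannot relax an essential claim")
        return bool(sup or sub)
    raise PolicyError(f"unknown operator {op!r}")


def merge_policies(superior, subordinate):
    merged = {claim: dict(ops) for claim, ops in superior.items()}
    for claim, ops in subordinate.items():
        target = merged.setdefault(claim, {})
        for op, arg in ops.items():
            target[op] = merge_operator(op, target[op], arg) if op in target else arg
    return merged


def apply_policy(metadata, policy):
    """Apply a merged policy to leaf metadata, operators in the spec's order."""
    result = dict(metadata)
    for claim, ops in policy.items():
        present, val = claim in result, result.get(claim)
        for op in ORDER:
            if op not in ops:
                continue
            arg = ops[op]
            if op == "value":
                val, present = arg, True
            elif op == "add":
                val, present = _union(_as_list(val) if present else [], _as_list(arg)), True
            elif op == "default":
                if not present:
                    val, present = arg, True
            elif op == "one_of":
                if present and val not in arg:
                    raise PolicyError(f"{claim}: {val!r} not in {arg!r}")
            elif op == "subset_of":
                if present:  # simplification: values outside the allowed set are dropped
                    val = [x for x in _as_list(val) if x in arg]
            elif op == "superset_of":
                if present and any(x not in _as_list(val) for x in arg):
                    raise PolicyError(f"{claim}: {val!r} does not contain all of {arg!r}")
            elif op == "essential":
                if arg and not present:
                    raise PolicyError(f"{claim}: essential claim missing")
        if present:
            result[claim] = val
    return result


def resolve_chain_metadata(leaf_metadata, chain_policies):
    """chain_policies: Trust Anchor first, then each Intermediary down to the
    leaf's direct superior, as they appear in a resolved trust chain."""
    merged = {}
    for policy in chain_policies:
        merged = merge_policies(merged, policy)
    return apply_policy(leaf_metadata, merged)


# Constructed sample chain: Trust Anchor -> Intermediary -> leaf RP.
TRUST_ANCHOR_POLICY = {
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"]},
    "response_types": {"subset_of": ["code"]},
    "token_endpoint_auth_method": {"one_of": ["private_key_jwt"]},
    "contacts": {"add": ["ops@trust-anchor.example"]},
}
INTERMEDIARY_POLICY = {
    "grant_types": {"subset_of": ["authorization_code"]},
    "token_endpoint_auth_method": {"essential": True},
    "contacts": {"add": ["ops@intermediary.example"]},
}
LEAF_RP_METADATA = {
    "client_name": "Demo RP",
    "grant_types": ["authorization_code", "refresh_token", "implicit"],
    "response_types": ["code", "id_token"],
    "token_endpoint_auth_method": "private_key_jwt",
    "contacts": ["admin@rp.example"],
}


def demo():
    return resolve_chain_metadata(LEAF_RP_METADATA, [TRUST_ANCHOR_POLICY, INTERMEDIARY_POLICY])


def widening_is_rejected():
    """An Intermediary that tries to allow an auth method its Trust Anchor forbids
    yields an unmergeable policy (empty one_of intersection) and must be refused."""
    rogue = {"token_endpoint_auth_method": {"one_of": ["client_secret_basic"]}}
    try:
        resolve_chain_metadata(LEAF_RP_METADATA, [TRUST_ANCHOR_POLICY, rogue])
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The security-relevant point is in `merge_operator`: an Intermediary can only tighten what the Trust Anchor allows, never widen it, so a compromised or misconfigured Intermediary cannot re-enable `implicit` grants or a weaker client authentication method for its subordinates.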
An onboarded Relying Party with a successful authentication.
All the Django apps are available in the folder spid_cie_oidc/.
The example projects are available in the folder examples/.
There is a substantial difference between an app and a project. An app is installed with a common Python package manager, such as poetry or pip, and can be used, inherited and integrated into other projects.
A project is a service configuration that integrates one or more applications. In this repository there are three example projects:
- federation_authority
- relying_party
- provider
The federation_authority project loads all the applications for development needs, acting as authority, RP and OP at once, so a demo can be run by starting a single service.
The relying_party and provider projects are examples that integrate only spid_cie_oidc.entity together with spid_cie_oidc.relying_party or spid_cie_oidc.provider respectively.
Read the setup documentation to get started.
TODO: Not available until v0.6.0 release
The demo proposes a small federation composed of the following entities:
- Federation Authority, acting as trust anchor and onboarding system. It's available at
http://127.0.0.1:8000/
- OpenID Relying Party, available at
http://127.0.0.1:8001/
- OpenID Provider, available at
http://127.0.0.1:8002/
Example user and password:
- admin / oidcadmin
Your contribution is welcome: no question is useless and no answer is obvious, we need you.
Please open an issue if you've discovered a bug or if you want to request a feature.
Please open your Pull Requests on the dev branch. Please consider the following branches:
- main: where we merge the code before tagging a new stable release.
- dev: where we push our code during development.
- other-custom-name: where a new feature, contribution or bugfix is handled, reviewed and then merged into the dev branch.
Backup and share your demo data

```bash
# backup your data (upgrade example data); -e excludes an app from the dump
./manage.py dumpdata -e admin -e spid_cie_oidc_relying_party -e spid_cie_oidc_provider -e auth -e contenttypes -e sessions > dumps/example.json
```
In this project we adopt Semver and Conventional commits specifications.
All the operations related to JWT signature and encryption are built on top of IdentityPython cryptojwt.
This project proposes an implementation of the Italian OIDC Federation profile, with automatic_client_registration and the adoption of trust marks as mandatory.
If you're looking for a fully compliant implementation of OIDC Federation 1.0, with full support of explicit client registration, please look at idpy's fedservice.
- SPID and CIE OpenID Connect Provider
- SPID and CIE OpenID Connect Relying Party
- OIDC Federation onboarding demo service
- OIDC Federation 1.0
- Trust Anchor and Intermediary
- Automatic client registration
- Entity profiles and Trust marks
- Trust chain storage and discovery
- Entity statement resolve endpoint
- Fetch statement endpoint
- List entities endpoint
- Federation CLI
- RP: build trust chains for all the available OPs
- OP: build trust chains for all the available RPs
- OIDC Federation web tools:
  - Create a JWK
  - Convert a private JWK to PEM certificate/key
  - Convert a public JWK to PEM certificate/key
  - Decode a JWT and verify the signature
  - Resolve entity statement web UI
  - Validate a trust mark web UI
- Multitenancy: a single service can configure many entities, such as RPs, OPs, Trust Anchors and Intermediaries
- gettext compliant (i18n)
- Bootstrap Italia Design templates
This software is released under the Apache 2 License by:
- Giuseppe De Marco giuseppe.demarco@teamdigitale.governo.it.
In this project we use the metadata policy code written by Roland Hedberg and licensed under the same Apache 2 license.