The go-oidfed library is an implementation of OpenID Federation in the go language with the goal to enable go applications to make use of OpenID federation.
This repository holds a work-in-process implementation of
OpenID Federation in the go language with the goal to enable go applications to make
use of OpenID federation.
The implementation mainly focuses on the Relying Party and Intermediate / Trust Anchor side, but not on the OP side. However, building blocks can also be utilized for OPs or other entity types. We provide a basic library as well as a configurable and flexible federation entity to support higher level functionality.
The library is not considered stable and some features might be missing. We encourage everybody to give feedback on things that are missing, not working, or weird, also suggestions for improvements and of course we are open for pull requests.
We try to be up-to-date with the latest version of the spec, but this might not always be the case.
Here we try to sum up the current implementation state, (but it's very likely that the list is not complete)
| Feature | Library | Entity |
|---|---|---|
| OpenID Configuration | Yes | Yes |
| Trust Chain Building | Yes | When needed |
| Trust Chain Verification | Yes | Yes |
| Applying Metadata Policies | Yes | Yes |
| Applying Metadata from Superiors | No | No |
| Support for Custom Metadata Policy Operators | Yes | Yes |
| Filter Trust Chains | Yes | Yes |
| Configure Trust Anchors | Yes | Yes |
| Set Authority Hints | N/A | Yes |
| Resolve Endpoint | Yes | |
| IA Fetch Endpoint | Yes | |
| IA Listing Endpoint | Yes | |
| Trust Mark Endpoint | Yes | |
| Trust Marked Entities Endpoint | Yes | |
| Trust Mark Status Endpoint | Yes | |
| Trust Mark Owner Delegation | Yes | Yes |
| Trust Mark JWT Verification | Yes | Yes |
| Trust Mark JWT Verification including Delegation | Yes | Yes |
| Trust Mark Verification through Trust Mark Status Endpoint | No | No |
| JWT Type Verification | Yes | Yes |
| Requests using GET | Yes | |
| Requests using POST | No | |
| Client Authentication | No | |
| Automatic Client Registration | Yes | Yes |
| Authorization Code Flow with Automatic Client Registration using oidc key from jwks | Yes | |
| Authorization Code Flow with Automatic Client Registration using oidc key from jwks_uri | No | |
| Authorization Code Flow with Automatic Client Registration using oidc key from signed_jwks_uri | No | |
| Explicit Client Registration | No | No |
| Constraints | Yes | Yes |
| Federation Historical Keys Endpoint | No | No |
| Automatic Key Rollover | No | |
| Enrollment of Entities | Yes | |
| Configurable Checks for Enrollment | Yes | |
| Custom Checks for Enrollment | Yes | |
| Request Enrollment | Yes | |
| Configurable Checks for Trust Mark Issuance | Yes | |
| Custom Checks for Trust Mark Issuance | Yes | |
| Request to become entitled for a Trust Mark | Yes | |
| Automatically refresh trust marks in Entity Configuration | Yes |
This work was started in and supported by the Geant Trust & Identity Incubator.
LightHouse helps to navigate the wild and complex sea of OpenID Federation. LightHouse is a flexible and configurable OpenID Federation Entity, and can be used as a Trust Anchor / Intermediate Authority / Resolver / Trust Mark Issuer or everything at the same time.
OFFA offers easy to use OpenID Federation Authentication and Authorisation for existing services. OFFA can be deployed along existing services and handle all OpenID Federation communication for your services.
