This repository holds a work-in-progress implementation of OpenID Federation in Go, with the goal of enabling Go applications to make use of OpenID Federation.
The implementation mainly focuses on the Relying Party and Intermediate / Trust Anchor side, not on the OP side; the building blocks can, however, also be used for OPs and other entity types. We provide a basic library as well as a configurable and flexible federation entity that supports higher-level functionality.
- This repository contains:
  - The basic go-oidfed library with the core oidfed functionalities.
  - It can be used to build all kinds of oidfed-capable entities.
- The LightHouse repository at https://github.com/go-oidfed/lighthouse contains:
  - Higher-level implementations of various federation endpoints.
  - The LightHouse federation entity. This is a configurable and flexible federation entity that can be used as a
    - Trust Anchor
    - Intermediate Authority
    - Trust Mark Issuer
    - Resolver
    - Entity Collector
    - or everything at the same time.
- The whoami-rp repository at https://github.com/go-oidfed/whoami-rp contains:
  - A simple (but not very useful) example RP.
- The OFFA repository at https://github.com/go-oidfed/offa contains:
  - OFFA, which stands for OpenID Federation Forward Auth.
  - OFFA can be deployed next to existing services to add oidfed authentication to services that do not natively support it.
  - OFFA can be used with Apache, Caddy, NGINX, and Traefik.
The library is not considered stable yet and some features might be missing. We encourage everybody to give feedback on things that are missing, not working, or weird, as well as suggestions for improvements, and of course we are open to pull requests.
We try to keep up with the latest version of the spec, but this might not always be the case.
The following table sums up the current implementation state (it is very likely that the list is incomplete):
| Feature | Library | Entity |
|---|---|---|
| OpenID Configuration | Yes | Yes |
| Trust Chain Building | Yes | When needed |
| Trust Chain Verification | Yes | Yes |
| Applying Metadata Policies | Yes | Yes |
| Applying Metadata from Superiors | No | No |
| Support for Custom Metadata Policy Operators | Yes | Yes |
| Filter Trust Chains | Yes | Yes |
| Configure Trust Anchors | Yes | Yes |
| Set Authority Hints | N/A | Yes |
| Resolve Endpoint | Yes | |
| IA Fetch Endpoint | Yes | |
| IA Listing Endpoint | Yes | |
| Trust Mark Endpoint | Yes | |
| Trust Marked Entities Endpoint | Yes | |
| Trust Mark Status Endpoint | Yes | |
| Trust Mark Owner Delegation | Yes | Yes |
| Trust Mark JWT Verification | Yes | Yes |
| Trust Mark JWT Verification including Delegation | Yes | Yes |
| Trust Mark Verification through Trust Mark Status Endpoint | No | No |
| JWT Type Verification | Yes | Yes |
| Requests using GET | Yes | |
| Requests using POST | No | |
| Client Authentication | No | |
| Automatic Client Registration | Yes | Yes |
| Authorization Code Flow with Automatic Client Registration using OIDC key from `jwks` | Yes | |
| Authorization Code Flow with Automatic Client Registration using OIDC key from `jwks_uri` | No | |
| Authorization Code Flow with Automatic Client Registration using OIDC key from `signed_jwks_uri` | No | |
| Explicit Client Registration | No | No |
| Constraints | Yes | Yes |
| Federation Historical Keys Endpoint | No | No |
| Automatic Key Rollover | No | |
| Enrollment of Entities | Yes | |
| Configurable Checks for Enrollment | Yes | |
| Custom Checks for Enrollment | Yes | |
| Request Enrollment | Yes | |
| Configurable Checks for Trust Mark Issuance | Yes | |
| Custom Checks for Trust Mark Issuance | Yes | |
| Request to become entitled for a Trust Mark | Yes | |
| Automatically refresh trust marks in Entity Configuration | Yes | |
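The trust-chain rows in the table (Trust Chain Building and Verification, Configure Trust Anchors, JWT Type Verification) are the security core of any Relying Party built on such a library. The Go program below is an added illustration of what that verification has to do; it is not go-oidfed's code and uses none of its API, only the standard library. It implements the spec's rule that only the trust anchor's keys are configured a priori and that every other hop's keys are taken from the superior's subordinate statement, never from the entity's own entity configuration. The entity IDs (https://ta.example, https://ia.example, https://rp.example), the kids and the keys are constructed sample data, and the statements carry only the claims the walk needs (no metadata, policies, constraints or trust marks).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

const typEntityStatement = "entity-statement+jwt" // required typ header; a plain "JWT" must be rejected
const taID, iaID, rpID = "https://ta.example", "https://ia.example", "https://rp.example" // hypothetical IDs
type jwk map[string]string // EC P-256 public key as JWK members: kty, crv, kid, x, y
type statement struct { // the claims chain verification consumes; exp is Unix seconds
	Iss  string           `json:"iss"`
	Sub  string           `json:"sub"`
	Exp  int64            `json:"exp"`
	JWKS map[string][]jwk `json:"jwks"` // {"keys": [...]}
}
func b64(b []byte) string   { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
// keyPair generates a P-256 key and its public half as a one-key JWK set with the given kid.
func keyPair(kid string) (*ecdsa.PrivateKey, []jwk) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	x, y := k.PublicKey.X.FillBytes(make([]byte, 32)), k.PublicKey.Y.FillBytes(make([]byte, 32))
	return k, []jwk{{"kty": "EC", "crv": "P-256", "kid": kid, "x": b64(x), "y": b64(y)}}
}
// sign issues an ES256 entity statement: iss makes claims about sub and embeds sub's keys.
func sign(priv *ecdsa.PrivateKey, kid, iss, sub string, subKeys []jwk, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": typEntityStatement, "kid": kid})
	body, _ := json.Marshal(statement{iss, sub, exp, map[string][]jwk{"keys": subKeys}})
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// verify checks one JWS against the keys its superior vouched for: typ, kid, ES256 signature, exp.
func verify(token string, keys []jwk, now int64) (st statement, err error) {
	parts, hdr := strings.Split(token, "."), struct{ Alg, Typ, Kid string }{}
	if len(parts) != 3 || json.Unmarshal(unb64(parts[0]), &hdr) != nil || hdr.Alg != "ES256" || hdr.Typ != typEntityStatement {
		return st, fmt.Errorf("malformed JWS or unexpected JOSE header %q", parts[0])
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys { // the kid must resolve within the vouched-for set, nowhere else
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(unb64(k["x"])), Y: new(big.Int).SetBytes(unb64(k["y"]))}
		}
	}
	sig, h := unb64(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if pub == nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return st, fmt.Errorf("kid %q not among vouched-for keys, or signature invalid", hdr.Kid)
	}
	if err = json.Unmarshal(unb64(parts[1]), &st); err == nil && now >= st.Exp {
		err = fmt.Errorf("statement %s -> %s expired", st.Iss, st.Sub)
	}
	return st, err
}

// verifyChain walks a leaf-first chain (leaf EC, subordinate statements, ..., TA EC) from the trust anchor
// down; the only a-priori trust is the anchor's ID and keys, every later key set comes from the superior.
func verifyChain(chain []string, anchor string, taKeys []jwk, now int64) (st statement, err error) {
	keys, issuer := taKeys, anchor
	for i := len(chain) - 1; i >= 0; i-- {
		if st, err = verify(chain[i], keys, now); err != nil || st.Iss != issuer {
			return st, fmt.Errorf("chain element %d: issuer %q, expected %q, error %v", i, st.Iss, issuer, err)
		}
		if st.Sub != st.Iss { // subordinate statement: the superior vouches for the next hop's keys
			keys, issuer = st.JWKS["keys"], st.Sub
		}
	}
	if len(chain) == 0 || st.Sub != st.Iss {
		return st, fmt.Errorf("chain must end in a self-signed entity configuration")
	}
	return st, nil // the verified leaf entity configuration
}

// buildDemo returns a constructed good chain, the TA's keys, and a tampered copy in which an impostor with
// a fresh key but the IA's entity ID and kid signs the statement about the RP; the TA never vouched for it.
func buildDemo(now int64) (good, tampered []string, taKeys []jwk) {
	taKey, taKeys := keyPair("ta-1")
	iaKey, iaKeys := keyPair("ia-1")
	rpKey, rpKeys := keyPair("rp-1")
	exp := now + 3600
	good = []string{
		sign(rpKey, "rp-1", rpID, rpID, rpKeys, exp), // leaf entity configuration
		sign(iaKey, "ia-1", iaID, rpID, rpKeys, exp), // subordinate statement IA -> RP
		sign(taKey, "ta-1", taID, iaID, iaKeys, exp), // subordinate statement TA -> IA
		sign(taKey, "ta-1", taID, taID, taKeys, exp), // trust anchor entity configuration
	}
	impostorKey, _ := keyPair("ia-1")
	tampered = append([]string(nil), good...)
	tampered[1] = sign(impostorKey, "ia-1", iaID, rpID, rpKeys, exp)
	return good, tampered, taKeys
}
```

Walking from the anchor down is what defeats the tampered chain: the impostor reuses the IA's entity ID and kid, so a verifier that took the IA's keys from an attacker-supplied copy of the IA's own entity configuration, or matched on kid alone, would accept the forged hop, whereas the TA's subordinate statement carries the real IA key and the forged signature fails at element 1. The same walk rejects a plain `typ: JWT` header, an expired statement, a chain that does not end in a self-signed entity configuration, and a chain that does not start at the configured anchor. A real RP would additionally apply the metadata policies, constraints and trust marks the table lists, none of which the sample covers.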
This work was started in, and is supported by, the GÉANT Trust & Identity Incubator.