SPID/CIE OIDC Federation is a suite of Django applications designed to make it easy to build an OpenID Connect Federation. Each of them can be installed separately within a Django project. They are the following:
| Application | Description |
|---|---|
| spid_cie_oidc.accounts | Customizable application that extends the Django User model. |
| spid_cie_oidc.entity | OpenID Connect Federation Django app that implements OIDC Federation 1.0 Entity Statements, metadata discovery, Trust Chain, Trust Marks and Metadata policy. Technical specifications: OIDC Federation Entity |
| spid_cie_oidc.authority | OpenID Connect Federation API and models for OIDC Federation Trust Chain/Intermediate. Technical specifications and tutorial. |
| spid_cie_oidc.onboarding | OpenID Connect Federation onboarding demo service and tools |
| __spid_cie_oidc.relying_party__ | OpenID Connect Relying Party and test suite for OIDC Providers |
| spid_cie_oidc.provider | OpenID Connect Provider and test suite for OIDC Relying Parties |
An onboarded Relying Party with a successful authentication.
All the Django apps are available in the folder spid_cie_oidc/.

The example projects are available in the folder examples/.
There is a substantial difference between an app and a project. An app is installed with a common Python package manager, such as poetry or pip, and can be used, inherited, and integrated into other projects.
A project is a service configuration that integrates one or more applications. In this repository we have three example projects:
Federation Authority loads all the applications for development needs, acting as authority, SPID RP and SPID OP at once. This lets us run the demo by starting a single service. See the admin page http://127.0.0.1:8000/admin/ and the user login page http://127.0.0.1:8000/oidc/rp/landing/.
Then there is another Relying Party, as an independent project, and another Provider configured with the CIE profile. The Relying Party and the Provider are examples that integrate only spid_cie_oidc.entity plus spid_cie_oidc.provider or __spid_cie_oidc.relying_party__ as applications.
Read the setup documentation to get started.
```
docker pull ghcr.io/italia/spid-cie-oidc-django:latest
```
Install Docker using the packages distributed from the official website, then install the following tool:
```
sudo pip install docker-compose
```
Please make your customizations in each settingslocal.py file and/or in the example dumps json file.
Change the hostnames from 127.0.0.1 to the ones configured in the compose file, in the settingslocal.py files and in the dumps/example.json files. In our example we rename:
We can do that with the following steps:
```
bash docker-prepare.sh
```
Customize examples-docker/ if needed (not necessary for a quick demo). Run the stack:
```
sudo docker-compose up
```
Configure a proper DNS resolution for the demo hostnames (trust-anchor.org, relying-party.org, cie-provider.org and wallet.trust-anchor.org). In GNU/Linux we can configure it in /etc/hosts:
```
127.0.0.1 localhost trust-anchor.org relying-party.org cie-provider.org wallet.trust-anchor.org
```
Point your web browser to http://relying-party.org:8001/oidc/rp/landing and do your first OIDC authentication.
The demo proposes a small federation composed of the following entities:
- Federation Authority: http://127.0.0.1:8000/. It also has an embedded SPID Provider and an embedded Relying Party available at /oidc/rp/landing.
- Relying Party: http://127.0.0.1:8001/
- Provider (CIE profile): http://127.0.0.1:8002/

In the docker example we have only the Federation Authority with an embedded SPID OP and an RP.
Example users and passwords:
Each application has an exportable OAS3 schema available at /rest/schema.json, with a browsable reDoc UI at /rest/api/docs.
The reDoc OAS3 browsable page.
The OnBoarding app comes with the following collection of tools:
OIDC tools make the lives of developers and service operators easier; here is a simple interface to decode and verify a JWT.
To explore a federation on the commandline, use the ofcli tool. It can be used to export federation metadata to json files for further analysis.
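The JWT decode-and-verify step that such a tool performs, as an added example written against the Python standard library (this is not code from this project, which builds on cryptojwt). The HS256 shared secret is a simplification so the block runs offline: OIDC Federation Entity Statements are signed with the issuer's own key pair, whose public part is published in the issuer's jwks and resolved through the Trust Chain, so a real verifier checks RS256/ES256 signatures against those keys. The hostnames are the demo ones from this README; the kid, the client_id and the metadata content are placeholders. The example also shows the checks a tool must not skip: an algorithm allow-list (so `alg: none` and algorithm switching are refused), the expected `typ`, constant-time signature comparison and the `iat`/`exp` window.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a real federation the verification key is the issuer's
# public key from its published jwks (RS256/ES256); a shared HS256 secret is used
# here only so the example runs with the Python standard library.
DEMO_SECRET = b"example-shared-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}          # allow-list fixed by the verifier, never taken from the token
FIXED_NOW = 1_700_000_000         # fixed clock so the example is reproducible


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header, payload, key):
    """Produce a compact JWS (HS256 only) over the given header and payload."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_jwt(token):
    """Split and base64url-decode a compact JWS without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def verify_jwt(token, key, now=None, expected_typ=None):
    """Check alg, typ, signature and time claims; return the payload or raise ValueError."""
    header, payload, parts = decode_jwt(token)
    if header.get("alg") not in ALLOWED_ALGS:          # rejects "none" and algorithm confusion
        raise ValueError("algorithm not allowed: %r" % header.get("alg"))
    if expected_typ is not None and header.get("typ") != expected_typ:
        raise ValueError("unexpected typ: %r" % header.get("typ"))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:  # Entity Statements always carry exp
        raise ValueError("token expired or exp missing")
    if payload.get("iat", 0) > now + 60:               # small tolerance for clock skew
        raise ValueError("iat is in the future")
    return payload


# Constructed Entity Configuration-style payload: iss == sub, as for an OIDC
# Federation Entity Configuration. Hostnames are the demo ones from this README;
# kid, client_id and the metadata content are placeholders.
DEMO_HEADER = {"alg": "HS256", "typ": "entity-statement+jwt", "kid": "demo-key-1"}
DEMO_PAYLOAD = {
    "iss": "http://relying-party.org:8001",
    "sub": "http://relying-party.org:8001",
    "iat": FIXED_NOW,
    "exp": FIXED_NOW + 3600,
    "authority_hints": ["http://trust-anchor.org:8000"],
    "metadata": {"openid_relying_party": {"client_id": "http://relying-party.org:8001"}},
}
DEMO_TOKEN = sign_jwt(DEMO_HEADER, DEMO_PAYLOAD, DEMO_SECRET)


def is_rejected(token, key, now=FIXED_NOW):
    """True when verify_jwt refuses the token (used for the negative cases below)."""
    try:
        verify_jwt(token, key, now=now, expected_typ="entity-statement+jwt")
    except ValueError:
        return True
    return False


def tampered_token(token):
    """Re-encode the payload with a different sub but keep the original signature."""
    header, payload, parts = decode_jwt(token)
    payload = dict(payload, sub="http://attacker.example")
    new_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return parts[0] + "." + new_payload + "." + parts[2]


def alg_none_token(token):
    """Same payload, header alg switched to 'none' and the signature emptied."""
    header, payload, parts = decode_jwt(token)
    header = dict(header, alg="none")
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + parts[1] + "."


if __name__ == "__main__":
    claims = verify_jwt(DEMO_TOKEN, DEMO_SECRET, now=FIXED_NOW, expected_typ="entity-statement+jwt")
    print("valid statement for", claims["sub"], "issued by", claims["iss"])
    print("tampered payload rejected:", is_rejected(tampered_token(DEMO_TOKEN), DEMO_SECRET))
    print("alg=none rejected:", is_rejected(alg_none_token(DEMO_TOKEN), DEMO_SECRET))
    print("expired statement rejected:", is_rejected(DEMO_TOKEN, DEMO_SECRET, now=FIXED_NOW + 7200))
```

`decode_jwt` is deliberately separate from `verify_jwt`: decoding is what an inspection tool shows on screen, but nothing in the decoded claims may be trusted until `verify_jwt` has passed, and the algorithm must come from the verifier's allow-list rather than from the token header.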
Your contribution is welcome: no question is useless and no answer is obvious, we need you.
Please open an issue if you've discovered a bug or if you want to ask for a feature.
Please open your Pull Requests on the dev branch. Please consider the following branches:
Backup and share your demo data:
```
# backup your data (upgrade example data), -e excludes.
./manage.py dumpdata -e admin -e spid_cie_oidc_relying_party -e spid_cie_oidc_provider -e spid_cie_oidc_relying_party_test -e auth -e contenttypes -e sessions --indent 2 > dumps/example.json
```
In this project we adopt the Semver and Conventional Commits specifications.
All the operations related to JWT signature and encryption are built on top of IdentityPython cryptojwt.
This project proposes an implementation of the Italian OIDC Federation profile, with automatic_client_registration and the adoption of Trust Marks as mandatory.
If you're looking for a fully compliant implementation of OIDC Federation 1.0, with full support for explicit client registration, please look at idpy's fedservice.
This software is released under the Apache 2 License by:
In this project we use the metadata policy code written by Roland Hedberg and licensed under the same Apache 2 license.