⚠️ This project is a WiP, please wait for the first stable release v0.6.0.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
SPID/CIE OIDC Federation is a suite of Django applications designed to make it easy to build an OpenID Connect Federation. Each of them can be installed separately within a Django project:
- spid_cie_oidc.accounts: customizable app that extends the Django User model.
- spid_cie_oidc.entity: OIDC Federation Django app, with models and an API that implements OIDC Federation 1.0 Entity Statements, metadata discovery, Trust Chain, Trust Marks and Metadata policy.
- spid_cie_oidc.authority: OIDC Federation API and models for Trust Anchors and Intermediaries.
- spid_cie_oidc.onboarding: OIDC Federation OnBoarding demo application.
- spid_cie_oidc.relying_party: OIDC Relying Party and test suite for OIDC Providers.
- spid_cie_oidc.provider: OIDC Provider and test suite for OIDC Relying Parties.
All the Django apps are available in the folder spid_cie_oidc/.
The example projects are available in the folder examples/.
There is a substantial difference between an app and a project. The app is installed using a common python package manager, such as poetry or pip, and can be used, inherited, and integrated into other projects.
A project is a service configuration that integrates one or more applications. In this repository we have three example projects for demo purposes.
The technical specifications of these SDKs are available here:
- OIDC Federation Entity
- OIDC Federation Authority/Intermediary
- OIDC Federation Onboarding service DEMO
- Openid Connect Provider
- Openid Connect Relying Party
- SPID and CIE OpenID Connect Provider
- SPID and CIE OpenID Connect Relying Party
- OIDC Federation onboarding demo service
- OIDC Federation 1.0
- Trust Anchor
- Intermediary
- automatic client registration
- trust marks
- trust chain storage and discovery
- Entity statement resolve endpoint
- Fetch statement endpoint
- List entities endpoint
- Federation CLI
- Multitenancy, a single service can configure many entities like RPs, OP, Trust Anchors and intermediaries
- gettext compliant (i18n)
- Bootstrap Italia Design templates
The database storage engine can be any of those supported by Django; the example projects come with sqlite3. This SDK can be installed in two ways:
- django application in a preexisting Django project
- demo projects for example purpose
Install spid-cie-oidc as a Python package and use it in your Django project:

```
pip install spid-cie-oidc
# then include `spid_cie_oidc.{app_name}` in your project settings.INSTALLED_APPS
```
Install environment and dependencies:

```
apt install python3-dev python3-pip git
python3 -m pip install --upgrade pip
sudo pip install virtualenv
```
Activate the environment. This is optional: it is up to you whether to install in a separate env or system wide.

```
virtualenv -p python3 env
source env/bin/activate
```
Set up the example projects:

```
git clone https://github.com/peppelinux/spid-cie-oidc-django
# git clone creates a directory named after the repository
cd spid-cie-oidc-django
pip install -e .
# Install the Django Bootstrap Italia template
pip install design-django-theme
```
In the examples/ folder you have three demonstration projects:
- federation_authority
- relying_party
- provider
For each project you have to create the db and load the example data, as follows:

```
cd examples/$project_name
cp $project_name/settingslocal.py.example $project_name/settingslocal.py
# then customize (optional) $project_name/settingslocal.py
# add OIDCFED_FEDERATION_TRUST_ANCHORS = ["http://127.0.0.1:8000"]
./manage.py migrate
# load the demo configuration
./manage.py loaddata dumps/example.json
# create a super user
./manage.py createsuperuser
# run the web server
./manage.py runserver
```
Point your web browser to http://localhost:8000/admin to enter the management interface.
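As an added example (not a script from the repository), a POSIX shell script that applies the steps above to all three demo projects in one go and starts each development server on the port the demo federation expects (trust anchor on 8000, Relying Party on 8001, Provider on 8002). The helper names `ensure_trust_anchor`, `setup_project`, `run_project` and the `SPID_DEMO_RUN` guard variable are my own; the script assumes it is run from the repository root with the virtualenv activated.

```shell
#!/bin/sh
# Added example: set up the three demo projects in examples/ and run each on
# the port the demo federation uses (trust anchor 8000, RP 8001, OP 8002).
# Run from the repository root with the virtualenv activated:
#   SPID_DEMO_RUN=1 sh setup_demo.sh
set -eu

TRUST_ANCHOR_LINE='OIDCFED_FEDERATION_TRUST_ANCHORS = ["http://127.0.0.1:8000"]'

# Append the trust anchor setting to a settingslocal.py only if it is not
# already configured, so re-running the script never duplicates it.
ensure_trust_anchor() {
    settings_file="$1"
    if ! grep -q '^OIDCFED_FEDERATION_TRUST_ANCHORS' "$settings_file"; then
        printf '\n%s\n' "$TRUST_ANCHOR_LINE" >> "$settings_file"
    fi
}

# Create settingslocal.py from its example (if missing), point it at the
# trust anchor, migrate the sqlite3 db, load dumps/example.json and create
# the admin user (createsuperuser prompts interactively).
setup_project() {
    project="$1"
    (
        cd "examples/$project"
        [ -f "$project/settingslocal.py" ] || \
            cp "$project/settingslocal.py.example" "$project/settingslocal.py"
        ensure_trust_anchor "$project/settingslocal.py"
        ./manage.py migrate
        ./manage.py loaddata dumps/example.json
        ./manage.py createsuperuser
    )
}

# Start one project's development server in the background on a given port.
run_project() {
    project="$1"; port="$2"
    ( cd "examples/$project" && ./manage.py runserver "127.0.0.1:$port" ) &
}

if [ -n "${SPID_DEMO_RUN:-}" ]; then
    for entry in federation_authority:8000 relying_party:8001 provider:8002; do
        setup_project "${entry%%:*}"
    done
    for entry in federation_authority:8000 relying_party:8001 provider:8002; do
        run_project "${entry%%:*}" "${entry##*:}"
    done
    wait
fi
```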
TODO: Not available until v0.6.0 release
The demo proposes a small federation composed of the following entities:
- Federation Authority, which acts as trust anchor and onboarding system. It's available at http://localhost:8000
- OpenID Relying Party, available at http://localhost:8001
- OpenID Provider, available at http://localhost:8002
Your contribution is welcome, no question is useless and no answer is obvious, we need you.
Please open an issue if you've discovered a bug or if you want to request a feature.
Please open your Pull Requests on the dev branch. Please consider the following branches:
- main: where we merge the code before tagging a new stable release.
- dev: where we push our code during development.
- other-custom-name: where a new feature/contribution/bugfix is handled, reviewed and then merged into the dev branch.
Back up and share your demo data:

```
# backup your data (upgrade example data), -e excludes.
./manage.py dumpdata -e spid_cie_oidc_accounts -e admin -e auth -e contenttypes -e sessions > dumps/example.json
```
In this project we adopt Semver and Conventional commits specifications.
This software is released under the Apache 2 License by:
- Giuseppe De Marco giuseppe.demarco@teamdigitale.governo.it.
In this project we use the metadata policy code written by Roland Hedberg and licensed under the same Apache 2 license.
All the operations related to JWT signature and encryption, and part of the OIDC message handling, are built on top of IdentityPython.
This project proposes an implementation of the Italian OIDC Federation profile, with automatic_client_registration and the adoption of trust marks as mandatory.
If you're looking for a fully compliant implementation of OIDC Federation 1.0, with a full support of explicit client registration, please look at idpy's fedservice.