OIDC mock server

A mock implementation of an OIDC server that authenticate users using the Authorization Code Flow. The mandatory presence of some optional parameters and the Form Post Response Mode are opinionated. The renaming of some required standard fields follows Okta specifications. Only the required fields of the Authentication and the Identity tokens are included in the responses.

References

• The OAuth 2.0 Authorization Framework
• OpenID Connect Core 1.0
• Proof Key for Code Exchange by OAuth Public Clients
• Form Post Response mode
• OAuth 2.0 Threat Model and Security Considerations
• Json Web Token

Implementation differences from RFC

• The errors are unstructured human-readable strings, useful for debugging purposes

Okta implementation

• Tokens
• Authorization endpoint
• Token endpoint
• Userinfo endpoint

Extensions

• Okta uses a custom groups scope

Usage

The simplest way is to use the provided Dockerfile:

services:
  idp:
    image: ghcr.io/dartheian/oidcms:latest
    ports:
      - 4000:4000

The script directory contains some shell scripts that show the interactions with the server. To run them you need httpie installed in your path and overwrite any value in the scripts that does not match the default ones provided by the container.

cargo run
./script/health.sh
./script/authenticate.sh
./script/token.sh <code value from previous response>
./script/userinfo.sh <access token value from previous response>

Configuration

The configuration is loaded from the environment and can be overwritten using docker compose (e.g. using the environment or the env_file attributes)

services:
  idp:
    image: ghcr.io/dartheian/oidcms:latest
    environment:
      - PORT=5000
    expose:
      - 5000

Server

• AUDIENCE: The audience (aud) claim value to put in the tokens (defaults to api.example.com)
• CLIENT_SECRET: The client secret to access protected endpoints such as /token (defaults to 6W7XvLCrs4ByKn7Ucwh8ygeeXRhdGFdVOTp75eOc)
• EXPIRATION: The expiration time of the tokens expressed in seconds (defaults to 60)
• HOST: The host of the oidcms server (defaults to 0.0.0.0)
• ISSUER: The issuer (iss) claim value to put in the tokens (defaults to https://login.helloprima.com)
• PORT: The port of the oidcms server (defaults to 4000)
• RNG_SEED: The seed of the pseudorandom number generator (defaults to 0)
• SECRET: The secret key used to sign the tokens (defaults to c2VjcmV0)

User info

• USER__ADDRESS__COUNTRY: defaults to US
• USER__ADDRESS__LOCALITY: defaults to Los Angeles
• USER__ADDRESS__POSTAL_CODE: defaults to 90210
• USER__ADDRESS__REGION: defaults to CA
• USER__ADDRESS__STREET_ADDRESS: defaults to 123 Hollywood Blvd.
• USER__EMAIL_VERIFIED: defaults to true
• USER__EMAIL: defaults to [email protected]
• USER__FAMILY_NAME: defaults to Doe
• USER__GIVEN_NAME: defaults to John
• USER__LOCALE: defaults to en-US
• USER__MIDDLE_NAME: defaults to James
• USER__NAME: defaults to John Doe
• USER__NICKNAME: defaults to Jimmy
• USER__PHONE_NUMBER: defaults to +1 (425) 555-1212
• USER__PROFILE: defaults to https://example.com/john.doe
• USER__UPDATED_AT: defaults to 946681200 (Thu Jul 21 2011 20:42:50 GMT+0000)
• USER__ZONEINFO: defaults to America/Los_Angeles

TODO

• Implement error responses as per RFCs
• Logs