github.com/therootcompany/sso-dev
A real, working OpenID Connect Configuration for Development
(host statically on GitHub Pages, or wherever)
Add any of these issuers to your web app's OpenID issuer whitelist:
- https://sso-dev.therootcompany.com/ (primary, ecdsa)
- https://sso-dev.therootcompany.com/dev/ (same as primary, but using subpath)
- https://sso-dev.therootcompany.com/staging/ (a different set of keys)
- https://sso-dev.therootcompany.com/ec/ (both ecdsa keys)
- https://sso-dev.therootcompany.com/rsa/ (both rsa keys)
Then sign a token (with the corresponding key) and run with it:
```bash
keypairs sign --exp 1h ./key.ec.jwk.json \
  '{
    "issuer": "https://sso-dev.therootcompany.com",
    "sub": "[email protected]"
  }' \
  > token.jwt \
  2> sig.jws

curl https://example.com/api/profile \
  -H "Authorization: Bearer $(cat ./token.jwt)"
```
From the root of https://sso-dev.therootcompany.com
(also https://therootcompany.github.io/sso-dev/):

```
.
├── key.ec.jwk.json
├── key.rsa.jwk.json
├── .well-known/
│   ├── jwks.json
│   └── openid-configuration
│
├── staging/
│   ├── key.ec.jwk.json
│   ├── key.rsa.jwk.json
│   │
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
│
├── dev/
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
├── ec/
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
└── rsa/
    └── .well-known/
        ├── jwks.json
        └── openid-configuration
```
If you'd like to have your own test domain:
- DO NOT PUBLISH production keys
- Set a CNAME record for `<subdomain>.<your-org>.com` pointing to `<your-org>.github.io`
- Set the `./CNAME` file to `<subdomain>.<your-org>.com`
- Install `keypairs` (because it's easy and cross-platform)
  ```bash
  curl -sS https://webi.sh/keypairs | sh
  source ~/.config/envman/PATH.env
  ```
- Replace the originals with your own keys (uses `keypairs` in the script)
  ```bash
  rm -rf *.jwk.json ./ec/ ./rsa/ ./dev/ ./staging/
  ./bin/generate-keys https://sso-dev.therootcompany.com
  ```
- Host on GitHub Pages (or wherever): Settings => Pages => Branch: main
Source: https://github.com/therootcompany/sso-dev
Public Domain via CC0-1.0