Custom and flexible OAuth/OIDC SP and IdP implementations
During my master’s thesis, I created custom OpenID Connect Service Provider (SP) and Identity Provider (IdP) implementations for research and Proof-of-Concept purposes. Both implementations use NodeJS. This post outlines their capabilities and how they can be extended.
The implementations are open-source and can be found on GitHub:
Please note that these tools are not intended as reference implementations of a secure SP or IdP! They are intentionally insecure in some regards.
My sole aim was to create implementations that can be configured against real-world services and are easy to extend. For instance, the IdP implementation includes a custom JWT generation routine that lets you fiddle around with nearly every aspect of how such a token is generated.
Setup and Requirements
The setup is very simple. Essentially, you only need to have NodeJS available on your device and you are ready to go.
The malicious Service Provider can be launched as follows:
$ node sp.js
[+] Example SP listening for HTTPS on Port 4001 :-)
[+] Example SP listening for HTTP on Port 4000 :-)
And that’s it. Likewise, the malicious IdP can be launched as follows:
$ node idp.js
Configuration and Modification
But the fun part starts here. Just read through the idp.js and sp.js files and modify the scripts according to your requirements. For instance, the basic endpoints configuration for the IdP can be adjusted here:
// Constants
// Security feature: If the IdP is exposed to the internet, third parties can gather sensitive information on endpoints => introduce secret path prefix TODO: generate new prefix using SHA256(secret)
const path_prefix = "";
const host = "https://poc.local:3001";
//// endpoints - add "127.0.0.1 poc.local" to your /etc/hosts file!
const authEndpoint = `${host}${path_prefix}/auth`;
const tokenEndpoint = `${host}${path_prefix}/token`;
const userinfoEndpoint = `${host}${path_prefix}/userinfo`;
const jwksEndpoint = `${host}${path_prefix}/jwks`;
const registrationEndpoint = `${host}${path_prefix}/register`;
const configurationEndpoint = `${host}${path_prefix}/.well-known/openid-configuration`;
If you have any comments or questions, please feel free to reach out via Mastodon, Twitter or LinkedIn. 🙂