We developed a tool for exploring OIDC federations. The tool can build trust chains, resolve a leaf entity's metadata along a trust chain, discover all entities in a federation, and simply fetch and verify entity statements.

The tool, ofcli, is implemented in Python and is intended to be used from the command line:

ofcli help
$ ofcli --help
Usage: ofcli [OPTIONS] COMMAND [ARGS]...

  Tool for exploring an OIDC federation.

Options:
  --insecure         Disable TLS certificate verification.
  --log-level LEVEL  Either CRITICAL, ERROR, WARNING, INFO or DEBUG. Default
                     value: ERROR.  [env var: LOG]
  --debug            Sets the log level to DEBUG.
  --version          Print program version and exit.
  --help             Show this message and exit.

Commands:
  discovery    Discover all OPs in the federation available to a given RP. If
               no trust anchor is specified, all possible trust anchors will
               be used.
  entity       Commands for working with an entity in an OIDC federation.
  fetch        Fetch an entity statement
  list         List all subordinate entities.
  resolve      Resolve metadata and Trust Marks for an entity, given a trust
               anchor and entity type.
  subtree      Discover federation subtree using given entity as root.
  trustchains  Builds all trustchains for a given entity and prints them.

A notable feature is that the tool can export a discovered federation subtree or trust chain as a graph in the DOT language, a standard format for describing graphs, which can then be imported, processed and visualised with a tool of your choice.

ofcli subtree output
$ ofcli subtree https://swamid.fedservice.lh --export swamid-fed
- https://swamid.fedservice.lh (federation_entity)
  - https://umu.fedservice.lh (federation_entity)
    - https://op.fedservice.lh (openid_provider)
  - https://lu.fedservice.lh (federation_entity)
    - https://auto.fedservice.lh (openid_relying_party)

Output: swamid-fed.dot

Simple visualisation:
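To show what the trustchains, resolve and subtree commands do internally, here is an added example that is not part of ofcli: a constructed in-memory federation with the three entities from the subtree output above (swamid as trust anchor, umu as intermediate, op as OpenID Provider). It follows authority_hints upward to collect candidate chains, verifies each chain top-down starting from the trust anchor's out-of-band keys, resolves the leaf's metadata by applying the superiors' metadata_policy, and emits the chain as a DOT graph. The key material, metadata and policies are constructed, and the JWS signatures of real entity statements are replaced by an HMAC over canonical JSON so the script runs with the standard library alone; that substitution, and the sequential (rather than merged) policy application, are simplifications of the specification.

```python
"""Constructed OIDC Federation toy: collect and verify a trust chain, resolve metadata, export DOT."""
import hashlib
import hmac
import json
import time

SWAMID = "https://swamid.fedservice.lh"  # trust anchor
UMU = "https://umu.fedservice.lh"        # intermediate
OP = "https://op.fedservice.lh"          # leaf OpenID Provider

# Stand-in for each entity's published JWKS. Real entity statements are JWS signed with asymmetric
# keys; this toy MACs canonical JSON with HMAC so it runs on the standard library alone (assumption).
SECRETS = {SWAMID: {"ta-key-1": b"constructed-ta-secret"},
           UMU: {"umu-key-1": b"constructed-umu-secret"},
           OP: {"op-key-1": b"constructed-op-secret"}}
TRUST_ANCHORS = {SWAMID: {"ta-key-1"}}  # trust anchor key ids configured locally, never fetched


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(issuer, payload):
    kid, secret = next(iter(SECRETS[issuer].items()))
    mac = hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()
    return {"kid": kid, "payload": payload, "sig": mac}


def verify(stmt, expected_iss, expected_sub, trusted_kids):
    """Accept a statement only if its kid is among the issuer's trusted keys and iss, sub, exp and MAC hold."""
    p = stmt["payload"]
    if stmt["kid"] not in trusted_kids or p["iss"] != expected_iss or p["sub"] != expected_sub:
        return False
    if p["exp"] <= time.time():
        return False
    mac = hmac.new(SECRETS[expected_iss][stmt["kid"]], _canonical(p), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, stmt["sig"])


def _stmt(iss, sub, **claims):
    now = int(time.time())
    payload = {"iss": iss, "sub": sub, "iat": now, "exp": now + 3600,
               "jwks": {"keys": [{"kid": k} for k in SECRETS[sub]]}, **claims}
    return sign(iss, payload)


# Entity configurations, as each entity would serve them at /.well-known/openid-federation (constructed)
ENTITY_CONFIGS = {
    SWAMID: _stmt(SWAMID, SWAMID, metadata={"federation_entity": {"organization_name": "SWAMID (constructed)"}}),
    UMU: _stmt(UMU, UMU, authority_hints=[SWAMID],
               metadata={"federation_entity": {"organization_name": "UMU (constructed)"}}),
    OP: _stmt(OP, OP, authority_hints=[UMU],
              metadata={"openid_provider": {"issuer": OP, "scopes_supported": ["openid", "profile", "email"]}}),
}
# Subordinate statements, as a superior's federation_fetch_endpoint would return them, keyed (iss, sub)
SUBORDINATE_STATEMENTS = {
    (SWAMID, UMU): _stmt(SWAMID, UMU, metadata_policy={
        "openid_provider": {"scopes_supported": {"subset_of": ["openid", "profile"]}}}),
    (UMU, OP): _stmt(UMU, OP, metadata_policy={
        "openid_provider": {"scopes_supported": {"add": ["openid"]},
                            "token_endpoint_auth_methods_supported": {"value": ["private_key_jwt"]}}}),
}


def collect_chains(entity):
    """Follow authority_hints upward; return every candidate chain [leaf EC, sub stmts..., TA EC], unverified."""
    def walk(current, chain):
        for sup in ENTITY_CONFIGS[current]["payload"].get("authority_hints", []):
            sub_stmt = SUBORDINATE_STATEMENTS.get((sup, current))
            if sub_stmt is None or sup not in ENTITY_CONFIGS:
                continue
            if sup in TRUST_ANCHORS:
                yield chain + [sub_stmt, ENTITY_CONFIGS[sup]]
            else:
                yield from walk(sup, chain + [sub_stmt])
    return list(walk(entity, [ENTITY_CONFIGS[entity]]))


def verify_chain(chain):
    """Verify top-down: TA EC with local keys, each subordinate statement with the keys the statement above
    published for its issuer, and finally the leaf EC with the keys in the last subordinate statement."""
    ta = chain[-1]["payload"]["iss"]
    if ta not in TRUST_ANCHORS or not verify(chain[-1], ta, ta, TRUST_ANCHORS[ta]):
        return False
    expected_iss, issuer_kids = ta, TRUST_ANCHORS[ta]
    for stmt in reversed(chain[:-1]):
        p = stmt["payload"]
        expected_sub = expected_iss if stmt is chain[0] else p["sub"]  # the leaf EC must be self-issued
        if not verify(stmt, expected_iss, expected_sub, issuer_kids):
            return False
        expected_iss, issuer_kids = p["sub"], {k["kid"] for k in p["jwks"]["keys"]}
    return True


def resolve_metadata(chain, entity_type):
    """Apply value/add/subset_of policies from the trust anchor down to the leaf's metadata.
    Simplification: the spec merges the policies first and rejects conflicting operators."""
    metadata = dict(chain[0]["payload"]["metadata"][entity_type])
    for stmt in reversed(chain[1:-1]):
        for claim, ops in stmt["payload"].get("metadata_policy", {}).get(entity_type, {}).items():
            val = ops["value"] if "value" in ops else metadata.get(claim)
            if "add" in ops:
                val = list(val or []) + [v for v in ops["add"] if v not in (val or [])]
            if "subset_of" in ops and val is not None:
                val = [v for v in val if v in ops["subset_of"]]
            if val is not None:
                metadata[claim] = val
    return metadata


def to_dot(chains):
    """Render verified chains as a DOT digraph, superior -> subordinate, nodes labelled with their entity type."""
    edges = {(s["payload"]["iss"], s["payload"]["sub"]) for c in chains for s in c
             if s["payload"]["iss"] != s["payload"]["sub"]}
    nodes = sorted({e for edge in edges for e in edge})
    lines = ["digraph federation {"]
    lines += [f'  "{n}" [label="{n}\\n({next(iter(ENTITY_CONFIGS[n]["payload"]["metadata"]))})"];' for n in nodes]
    lines += [f'  "{a}" -> "{b}";' for a, b in sorted(edges)]
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    chains = [c for c in collect_chains(OP) if verify_chain(c)]
    print(json.dumps(resolve_metadata(chains[0], "openid_provider"), indent=2))
    print(to_dot(chains))
```

Verification deliberately runs from the trust anchor downward: the only key material trusted without proof is the anchor's, every intermediate's keys come from the statement its own superior signed about it, and the leaf's entity configuration is checked last against the keys its superior published for it. A statement whose payload is altered after signing, or whose kid is not in the issuer's key set, causes the whole chain to be rejected rather than partially trusted.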

We also implemented a REST API, which could be used in the future to, for example, build a graphical tool. The API is available for testing at https://ofapi.testbed.oidcfed.incubator.geant.org/.

The source code is available on GitHub (https://github.com/dianagudu/ofcli) and licensed under the MIT license.
