
github.com/therootcompany/sso-dev

A real, working OpenID Connect Configuration for Development
(host statically on GitHub Pages, or wherever)

Usage

Add any of these issuers to your web app's OpenID issuer whitelist:

Then sign a token (with the corresponding key) and run with it:

b_auth_time="$(date '+%s')"
b_standard_claims='{
    "amr": ["pwd"],
    "aud": "https://beta.therootcompany.com",
    "auth_time": '"${b_auth_time}"',
    "email": "me@example.com",
    "email_verified": false,
    "iss": "https://sso-dev.therootcompany.com",
    "locale": "en-US",
    "sub": "xxxxxxxxxxxx",
    "zoneinfo": "America/Denver"
}'

keypairs sign --exp 1h ./key.ec.jwk.json \
    "${b_standard_claims}" \
    > token.jwt \
    2> sig.jws

curl https://example.com/api/profile \
    -H "Authorization: Bearer $(cat ./token.jwt)"
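
The signing keys for this issuer are published alongside the configuration, so an app that allows it should do so only outside production. The sketch below is an added example, not code from this repository: it checks the `iss`, `aud` and `exp` claims of a token against an environment-aware allowlist. It assumes `--exp 1h` yields an `exp` claim; `PROD_ISSUERS`, the `env` values and all function names are hypothetical, and signature verification against `jwks.json` is left to your JWT library.

```python
import base64
import json
import time

# The private keys for this issuer are published, so anyone can mint its tokens.
DEV_ISSUERS = {"https://sso-dev.therootcompany.com"}  # "iss" from the page's claims
PROD_ISSUERS = {"https://sso.example.com"}  # hypothetical production issuer


def allowed_issuers(env):
    """Trust the dev issuer only outside production."""
    return PROD_ISSUERS if env == "production" else PROD_ISSUERS | DEV_ISSUERS


def b64url_decode(segment):
    """Decode base64url with the padding that compact JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_claims(token, env, audience, now=None):
    """Return (ok, reason) for iss/aud/exp. Does NOT verify the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "payload is not base64url JSON"
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in allowed_issuers(env):
        return False, "issuer not allowed in " + env
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"


def make_sample_token(claims):
    """Constructed sample: real header and payload, dummy signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "ES256", "typ": "JWT"}), enc(claims), "c2ln"])
```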

Directory Structure

From the root of https://sso-dev.therootcompany.com
(also https://therootcompany.github.io/sso-dev/)


.
├── key.ec.jwk.json
├── key.rsa.jwk.json
├── .well-known/
│   ├── jwks.json
│   └── openid-configuration
│
├── staging/
│   ├── key.ec.jwk.json
│   ├── key.rsa.jwk.json
│   │
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
│
├── dev/
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
├── ec/
│   └── .well-known/
│       ├── jwks.json
│       └── openid-configuration
└── rsa/
    └── .well-known/
        ├── jwks.json
        └── openid-configuration

Make it Yours

If you'd like to have your own test domain:

  1. DO NOT PUBLISH production keys
  2. Set a CNAME record
    <your-org>.github.io for <subdomain>.<your-org>.com
  3. Set the ./CNAME file to <subdomain>.<your-org>.com
  4. Install keypairs
    (because it's easy and cross-platform)
    curl -sS https://webi.sh/keypairs | sh
    source ~/.config/envman/PATH.env
  5. Replace the originals with your own keys
    (uses keypairs in the script)
    rm -rf *.jwk.json ./ec/ ./rsa/ ./dev/ ./staging/
    ./bin/generate-keys https://sso-dev.therootcompany.com
  6. Host on GitHub Pages (or wherever)
    Settings => Pages => Branch: main

LICENSE

Source: https://github.com/therootcompany/sso-dev

Public Domain via CC0-1.0

About

GitHub page for OpenID Configuration and JWKs (.well-known, openid-configuration, jwks.json)
