The complete OpenID Federation 1.0 implementation for JavaScript — runtime-agnostic, spec-compliant, built on Web API standards. Trust chain resolution and validation, metadata policy enforcement, trust marks, constraint checking, and automatic and explicit client registration — split across four focused packages built on Web API primitives (Request → Response), running anywhere JavaScript runs: Node.js, Deno, Bun, and beyond. All persistent state is behind pluggable storage interfaces, keeping database and HSM integrations entirely outside the core packages. The only runtime dependencies are jose and zod. Two operational utilities — a CLI and a browser-based explorer — complete the toolchain.
> [!TIP]
> Try it live. fed.oidfed.com is @oidfed's own reference deployment — OpenID Federation 1.0 topologies (single-anchor, hierarchical, multi-anchor, cross-federation, constrained, policy-operators) running on the packages in this repo. Open any trust chain in one click via explore.oidfed.com or hit it directly with `@oidfed/cli`. Source: Dahkenangnon/fed-oidfed-com.
> [!IMPORTANT]
> Spec: Full OpenID Federation 1.0 implementation ·
> Crypto: All JOSE operations delegated to jose ·
> Status: prerelease — API may change before the upcoming stable 1.0.0 release.
```
                     Trust Anchor                      ← @oidfed/authority
                    ╱            ╲
         Intermediate            Intermediate          ← @oidfed/authority
              │                       │
      OpenID Provider           OpenID Provider        ← @oidfed/authority + @oidfed/oidc
              │                       │
       Relying Party             Relying Party         ← @oidfed/leaf + @oidfed/oidc

          @oidfed/core underlies every node in the graph
```
| Package | Role | Install when building a… | Docs |
|---|---|---|---|
| `@oidfed/core` | Federation primitives — entity statements, trust chain resolution, metadata policy, and cryptographic verification. The foundational layer of the complete OpenID Federation 1.0 implementation | Any federation participant | docs/packages/core.md |
| `@oidfed/authority` | Trust Anchor and Intermediate Authority operations — subordinate management, statement issuance, federation endpoint serving, and policy enforcement | Trust Anchor or Intermediate Authority | docs/packages/authority.md |
| `@oidfed/leaf` | Leaf Entity toolkit — Entity Configuration serving, authority discovery, and trust chain participation for any entity at the edge of an OpenID Federation | Relying Party | docs/packages/leaf.md |
| `@oidfed/oidc` | OpenID Connect and OAuth 2.0 federation flows — automatic and explicit client registration, Request Object validation, and RP/OP metadata processing as defined in OpenID Federation 1.0 | OP or RP | docs/packages/oidc.md |
For integration examples, see the Wiring Guide. For production storage backends (PostgreSQL, MongoDB, Redis) and HSM key stores, see the Storage Guide. To run a full multi-topology federation locally with wildcard DNS and TLS, see the Dev Guide and E2E Test infrastructure.
The repository also ships a CLI (@oidfed/cli), a live federation explorer at explore.oidfed.com, an interactive course at learn.oidfed.com, and a few internal packages that support the workspace — browse the source or the docs/ directory to learn more.
OpenID Federation 1.0 has been factored into two final successor specifications (1.1 protocol-independent + 1.1 for OpenID Connect) that together cover exactly the same functionality as 1.0. Several active extensions build on top of 1.0/1.1 — wallets, large-federation discovery, ACME certificate issuance, and more. The table below tracks every Federation-family specification we are aware of, with this monorepo's implementation status alongside.
| Specification | Spec status | This monorepo | Scope |
|---|---|---|---|
| OpenID Federation 1.0 | Final ✓ (2026-02-17) | Implemented | Foundational protocol: Entity Statements, Trust Chains, Metadata, Policies, Trust Marks, Federation Endpoints, OpenID Connect client registration. |
| OpenID Federation 1.1 | Final ✓ (2026-05-06) | Implemented (by virtue of 1.0) | Protocol-independent layer — the 1.0 functionality factored apart with no behavioural changes. |
| OpenID Federation for OpenID Connect 1.1 | Final ✓ (2026-05-06) | Implemented (by virtue of 1.0) | Protocol-specific layer — OAuth 2.0 / OpenID Connect entity types, automatic + explicit client registration. |
| OpenID Federation Extended Subordinate Listing 1.0 | Draft 02 | Implemented (tracks draft-02) | Paginated subordinate listing with audit timestamps and bulk per-entity claim retrieval for large-scale federations. See docs/packages/authority.md. |
| OpenID Federation Entity Collection 1.0 | Draft 00 | Not yet implemented | Sub-federation entity discovery endpoint with hierarchical filtering, pagination, and UI-oriented metadata for login pickers and admin tools. |
| OpenID Federation for Wallet Architectures 1.0 | Draft 05 | Not yet implemented | Trust-establishment profile for digital-wallet ecosystems — Wallet Provider / Wallet Relying Party metadata, policy templates, trust mark guidance. |
| Automatic Certificate Management Environment (ACME) with OpenID Federation 1.0 | IETF Internet-Draft (draft-ietf-acme-openid-federation-00) | Not yet implemented | New Federation Entity Types for ACME Requestor / Issuer roles, enabling automated X.509 issuance over federation discovery. |
> [!NOTE]
> OpenID Federation 1.1 + OpenID Federation for OpenID Connect 1.1 are a clean split of 1.0 — no functionality was added or removed, only factored apart. A complete 1.0 implementation is therefore a complete 1.1 implementation by definition. Extended Subordinate Listing is implemented end-to-end (server endpoint, federation-api client, CLI `list-extended` command) and tracks draft-02 verbatim — see docs/packages/authority.md. Entity Collection, Wallet Architectures, and ACME-with-Federation are tracked but not yet implemented; contributions welcome — see CONTRIBUTING.md.
For real-world integration examples see the Wiring Guide, the dev federation server, and the E2E test infrastructure.
Running a federation involves responsibilities beyond what this library enforces. Operators MUST read and address:
- §18 — Security Considerations: DoS prevention for the resolve, fetch, and registration endpoints; `authority_hints` depth limits; Trust Mark filtering; reverse-proxy end-to-end signing.
- §19 — Privacy Considerations: Entity Statements are org-level infrastructure — keep personal data minimal; mitigate Trust Mark Status and Fetch endpoint tracking via short-lived tokens and static Trust Chains.
- §17 — Implementation Considerations: Multi-path topology ambiguity; Trust Mark policy design; resolver and Trust Anchor co-location.
This library provides the protocol mechanisms; policy, rate limiting, key management, HSM integration, and operational hardening are the operator's responsibility.
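The `authority_hints` depth limit from §18 and the multi-path ambiguity from §17 are easiest to see on a small graph. The following is an added illustration, not code from @oidfed or its API: it walks unsigned, constructed in-memory Entity Configurations with a hypothetical `resolveAuthorityPaths` helper that bounds recursion depth, caps the number of fetches, and refuses to follow cycles, while still reporting every path that reaches a Trust Anchor so the caller can see when more than one exists.

```javascript
// Added illustration (not the @oidfed API): a depth- and budget-limited walk of
// authority_hints with cycle detection. Entity Configurations here are plain,
// unsigned objects constructed for the example; a real resolver verifies the
// signed JWTs and the per-hop Subordinate Statements.

// Constructed topology: one cycle (int-a <-> int-b), two distinct paths from the
// RP to the anchor (via int-a and via int-c), and a linear chain deep-0 ... deep-9
// that is longer than the maxDepth we will allow.
const ENTITY_CONFIGS = {
  'https://rp.example': {
    sub: 'https://rp.example',
    authority_hints: ['https://int-a.example', 'https://int-c.example', 'https://deep-0.example'],
  },
  'https://int-a.example': { sub: 'https://int-a.example', authority_hints: ['https://ta.example', 'https://int-b.example'] },
  'https://int-b.example': { sub: 'https://int-b.example', authority_hints: ['https://int-a.example'] },
  'https://int-c.example': { sub: 'https://int-c.example', authority_hints: ['https://ta.example'] },
  'https://ta.example': { sub: 'https://ta.example' }, // Trust Anchor: no authority_hints
};
for (let i = 0; i < 10; i++) {
  const next = i === 9 ? 'https://ta.example' : `https://deep-${i + 1}.example`;
  ENTITY_CONFIGS[`https://deep-${i}.example`] = { sub: `https://deep-${i}.example`, authority_hints: [next] };
}

// Hypothetical helper. fetchConfig(id) stands in for fetching
// /.well-known/openid-federation; here it is an in-memory lookup.
// Returns every path leaf -> ... -> anchor found within the limits, plus counters
// showing how many branches each guard cut off.
function resolveAuthorityPaths(entityId, trustAnchors, fetchConfig, { maxDepth = 5, maxFetches = 50 } = {}) {
  const anchors = new Set(trustAnchors);
  const paths = [];
  let fetches = 0;
  const skipped = { depth: 0, cycle: 0, budget: 0 };

  function walk(id, path) {
    // Cycle guard: an entity already on the current path is never revisited.
    if (path.includes(id)) { skipped.cycle++; return; }
    // Depth guard: path.length is the number of hops taken from the leaf so far.
    if (path.length > maxDepth) { skipped.depth++; return; }
    // Budget guard: bounds total network work regardless of fan-out.
    if (fetches >= maxFetches) { skipped.budget++; return; }
    fetches++;
    const cfg = fetchConfig(id);
    if (!cfg) return; // unreachable or malformed entity: dead end, not an error
    const current = [...path, id];
    if (anchors.has(id)) { paths.push(current); return; }
    for (const hint of cfg.authority_hints ?? []) walk(hint, current);
  }

  walk(entityId, []);
  return { paths, fetches, skipped };
}

// Stand-alone run: two paths to the anchor, one cycle cut, one over-deep branch cut.
const result = resolveAuthorityPaths(
  'https://rp.example', ['https://ta.example'], (id) => ENTITY_CONFIGS[id], { maxDepth: 5, maxFetches: 50 },
);
console.log(JSON.stringify(result, null, 2));
```

With `maxDepth: 5` the walk returns both anchor paths (the §17 ambiguity a resolver has to surface or break deterministically), cuts the `int-a`/`int-b` loop after one revisit, and stops the `deep-*` chain at the sixth hop; lowering `maxFetches` to 3 shows the budget guard ending the walk after the first path is found, which is the behaviour that keeps a hostile leaf from turning one resolve request into unbounded outbound fetches.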
To report a vulnerability, email dah.kenangnon@gmail.com — see SECURITY.md for the full disclosure policy.
@oidfed is dual-licensed by component:
- Libraries — `@oidfed/core`, `@oidfed/authority`, `@oidfed/leaf`, `@oidfed/oidc`, `@oidfed/cli` — released under Apache License 2.0.
- Apps & internal UI — `@oidfed/explorer`, `@oidfed/home`, `@oidfed/learn`, `@oidfed/ui` — released under MIT. See each component's own `LICENSE` (e.g. `apps/home/LICENSE`).
The repository root is governed by the Apache 2.0 LICENSE file. Apps and internal packages override this with their own MIT LICENSE file. Refer to the LICENSE in the nearest parent directory of any file to determine its license.
Copyright © 2026-Present Justin Dah-kenangnon.