OIDC-SPID/CIE-Validator offers a streamlined version of MIG [1] for Relying Parties (RPs) to perform preliminary verification of compliance with the SPID/CIE OIDC Specification. This includes a total of 252 tests for both the Entity Configuration (EC) response and the Authorization (AR) request. These tests verify the presence, type, expected values, unacceptable values, and the validity of the signature across all mandatory, conditional, and optional parameters, as specified in the SPID/CIE OIDC Specification.
OIDC-SPID/CIE-Validator uses JSON Schemas to validate the JWT in both the EC response and request in the AR. Additionally, OIDC-SPID/CIE-Validator verifies the correctness of parameters in the EC response and AR request through script-based validation.
The required inputs are the Entity Configuration endpoint URL (URL_EC) and the URL for generating the AR request (URL_AR).
OIDC-SPID/CIE-Validator outputs results in two modes:
- In verbose mode, it provides detailed feedback on both passed and failed tests, including explanations or suggested mitigations for failures.
- In non-verbose mode, it only reports failed tests, along with the reasons and potential solutions.
OIDC-SPID/CIE-Validator
├── run.sh
├── swagger
│ ├── openapi_cie.yaml
│ ├── openapi_spid.yaml
├── schemas
│ ├── ARR_body.json
│ ├── ARR_body_SPID.json
│ ├── ARR_header.json
│ ├── EC_body.json
│ ├── EC_body_SPID.json
│ ├── EC_header.json
│ ├── TM_body.json
│ └── TM_header.json
└── tool
├── mig_validator.py
└── style_table.pyThe tool supports the OpenAPI Specification (Swagger) to simplify API validation and ensure SPID/CIE OIDC compliance. Key features include:
- Define OIDC-SPID/CIE in a Standardized Format: The tool uses the OpenAPI Specification (OAS) v3.1.0 for API documentation and validation.
- Custom Extensions: Handles SPID/CIE-specific rules using x-comparison-parameter, x-signature, and similar fields for advanced validation.
- Provided API Spec: The repository includes Swagger YAML files in swagger directory for both CIE and SPID.
The schemas folder contains the JSON Schemas used to validate various JWT components. Each schema is named according to the specific JWT it validates:
- Entity Configuration (EC),
- JWT Request of the Authentication Request (ARR),
- Trust Mark (TM) inside the EC.
The schemas are further divided into two sections: header and body, ensuring validation for both parts of the JWT.
The tool folder provides:
- mig_validator, a script that perform the comparison
- style_table, a script used to style the output
- Python: 3.10 or higher
OIDC-SPID/CIE-Validator is based on python and can be executed via the following methods:
Details
Details
Run the bash script: sh validator.sh
This will create a virtual environment, activates it and installs dependencies, and starts the tool.
Details
- Create a virtual environment:
python3 -m venv .venv - Activate the virtual environment:
source .venv/bin/activate - Install dependencies:
pip install -r requirements.txt - Run the tool:
python3 tool/mig_validator.py
Details
- Create a virtual environment:
python3 -m venv .venv - Activate the virtual environment. Activating the environment differs between shells:
- In CMD:
.venv\Scripts\activate.bat - In PowerShell:
.venv\Scripts\Activate.ps1
- In CMD:
- Install dependencies:
pip install -r requirements.txt - Run the tool:
python3 tool/mig_validator.py
OIDC-SPID/CIE-Validator will require two inputs:
- EID: the entity id to add .well-known/openid-federation
- URL_AR: the URL to generate the Authorization Request. It can be a direct link or the one generated by the javascript button
These inputs can be provided via command-line arguments (using --eid <URL_EC> or --ar <URL_AR>) or through interactive prompts.
There are also optional arguments:
--v, to receive a verbose output--f <filename>or--filename <filename>, if you want to add a file as input, e.g., to run the tool on multiple RPs. It contains the list of URLs, where URL_EC is in the first line and URL_AR in the second. See the sample file. To improve readability, blank lines between URLs are allowed. These blank lines will be ignored during processing.--spid, to execute SPID compliance instead of the CIE on default
Example command: sh run.sh --eid "https://testing_rp.fbk/" --ar "https://testing_rp.fbk/request"
Everything in this repository is licensed under the Apache 2.0 license
Copyright 2024, Fondazione Bruno Kessler
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Designed and developed within Security & Trust Research Unit at Fondazione Bruno Kessler (Italy) in cooperation with Istituto Poligrafico e Zecca dello Stato (Italy).