This repository is a research implementation of a real-time security event delivery infrastructure using the Shared Signals Framework (SSF) standardized by the OpenID Foundation. It provides a complete verification environment including an OIDC Provider and Client, with interoperability evaluation through SSF Conformance Tests and performance measurements.

Current identity federation has structural challenges. In existing protocols such as OpenID Connect, the coordination between IdP and RP is limited to authentication time only. After authentication is complete, even if a security issue occurs on the IdP side (logout, account deactivation, etc.), there is no mechanism to notify the RP. As a result, sessions for users invalidated at the IdP continue to persist on the RP side.

This research implements SSF specification-compliant Transmitter/Receiver to verify the following:

1. Interoperability: Specification compliance verification through the OpenID SSF Conformance Test Suite
2. Use Case Demonstration: Immediate propagation of single logout, token claim changes, and account deactivation
3. Performance Evaluation: Latency and throughput measurement of Push/Poll delivery

• Real-time event notification via Push-based delivery (RFC 8935)
• Poll-based delivery support (RFC 8936)
• RISC/CAEP event type support
• Retry mechanism with exponential backoff
• Authentication via Client Credentials Grant (RFC 6749)

• Signature verification with automatic JWKS retrieval and caching
• JTI duplicate detection (replay attack prevention)
• Flexible processing through event handlers
• Automatic session invalidation

• Poll-based SET retrieval (RFC 8936)
• Periodic polling for event retrieval
• Reliable event processing through ACK management
• Event handling equivalent to Push delivery

• OIDC Provider based on ory/fosite
• Authorization code flow + PKCE
• Admin console (user and client management)

For a visual overview of all system screens including the IdP Portal, RP, and RP2 interfaces, see SYSTEM.md.

ssf/
├── idp/                        # Identity Provider (OIDC Provider + SSF Transmitter)
│   ├── cmd/main.go             # Entry point
│   ├── internal/
│   │   ├── handler/            # HTTP handlers
│   │   │   ├── authorize.go    # Authorization endpoint
│   │   │   ├── token.go        # Token endpoint
│   │   │   ├── ssf_api.go      # SSF Transmitter API (RFC 8935/8936)
│   │   │   └── ...
│   │   ├── portal/handler/     # Portal (admin console)
│   │   ├── middleware/         # Middleware (setup check, etc.)
│   │   ├── provider/           # OIDC Provider implementation (ory/fosite)
│   │   ├── user/               # User service
│   │   └── storage/postgres/   # PostgreSQL storage (sqlc)
│   ├── db/postgres/            # DB schema and migrations
│   └── templates/              # HTML templates
│
├── rp/                         # Relying Party (OIDC Client + SSF Receiver - Push Delivery)
│   ├── cmd/main.go             # Entry point
│   ├── internal/
│   │   ├── config/             # Configuration
│   │   ├── handler/
│   │   │   ├── ssf.go          # SSF Receiver API (Push reception)
│   │   │   └── ...
│   │   ├── service/            # OIDC/Session/PKCE/SSF
│   │   └── storage/postgres/   # PostgreSQL storage (sqlc)
│   ├── db/postgres/            # DB schema and migrations
│   └── templates/
│
├── rp2/                        # Relying Party 2 (OIDC Client + SSF Receiver - Poll Delivery)
│   ├── cmd/main.go             # Entry point
│   ├── internal/
│   │   ├── config/             # Configuration
│   │   ├── handler/            # HTTP handlers (no SSF endpoint)
│   │   ├── service/
│   │   │   ├── ssf_client.go   # SSF Stream management
│   │   │   └── ssf_poller.go   # Poll-based SET retrieval (RFC 8936)
│   │   └── storage/postgres/   # PostgreSQL storage (sqlc)
│   ├── db/postgres/            # DB schema and migrations
│   └── templates/
│
├── pkg/ssf/                    # Shared SSF implementation (core of the research)
│   ├── transmitter.go          # SET transmission (Push/Poll delivery)
│   ├── receiver.go             # SET reception and signature verification
│   └── set.go                  # Security Event Token definitions
│
├── docs/                       # Documentation
│   ├── architecture/           # Architecture documentation
│   ├── openid-certificate/     # SSF Conformance Test logs
│   │   ├── ssf-transmitter-push-based-test-logs/  # Push delivery test results
│   │   └── ssf-transmitter-poll-based-test-logs/  # Poll delivery test results
│   ├── research/               # Research papers (LaTeX)
│   └── tasks/                  # Development task specifications
│
├── benchmark/                  # Performance evaluation tools
│   ├── cmd/
│   │   ├── driver/             # Benchmark driver
│   │   └── receiver/           # Mock SET receiver
│   ├── internal/
│   │   ├── driver/             # Setup, emission, analysis
│   │   └── receiver/           # Push reception handler
│   └── docker-compose.yml      # Docker environment
│
├── docker/                     # Dockerfiles
│   ├── idp/                    # IdP container
│   ├── rp/                     # RP container
│   ├── rp2/                    # RP2 container
│   ├── migration/              # DB migration job
│   └── postgres/               # PostgreSQL initialization scripts
│
├── terraform/dev/gcp/          # GCP infrastructure (Terraform)
├── scripts/                    # Utility scripts
│   └── db-tunnel.sh            # Cloud SQL connection tunnel
├── .github/workflows/          # GitHub Actions
├── Makefile                    # Build and run commands
├── compose.yaml                # PostgreSQL (development environment)
├── atlas.hcl                   # Atlas migration configuration
└── sqlc.yaml                   # sqlc code generation configuration

1. Interoperability Evaluation: SSF Conformance Test Suite
2. Performance Evaluation: Latency and scalability measurement

See docs/openid-certificate/README.md for details.

Executed the OpenID Foundation's SSF Transmitter Conformance Test Suite and achieved all tests passed.

Test logs are saved in the docs/openid-certificate/ directory. See docs/openid-certificate/README.md for details.

A benchmark infrastructure has been implemented to evaluate SSF scalability.

See benchmark/README.md for details.

• Go 1.25 or later
• Docker / Docker Compose

# 1. Install dependencies
go mod tidy

# 2. Start PostgreSQL
docker compose up -d

# 3. Run database migrations
make db-migrate-apply

# 4. Start all servers simultaneously
make run

# 5. Access the following URL in your browser
# http://localhost:8081

make build

# Start PostgreSQL
docker compose up -d

# Apply migrations
make db-migrate-apply

# Generate migrations from schema changes
make db-migrate

# Regenerate Go code with SQLC
make sqlc-gen

# Complete setup (migrate + generate)
make db-setup

# Build
make bench-build

# Push delivery benchmark
make bench-receiver       # Start Mock Receiver (terminal 1)
make bench-setup RPS=5 USERS=100 MODE=push  # Setup
make bench-emit CONCURRENCY=10              # Emit events
make bench-analyze                          # Analyze results

# Poll delivery benchmark
make bench-setup RPS=5 USERS=100 MODE=poll  # Setup
make bench-poll POLL_TIMEOUT=120s           # Start polling (terminal 1)
make bench-emit CONCURRENCY=10              # Emit events (terminal 2)

# Cleanup
make bench-clean

Note: RP2 uses Poll-based delivery, so there is no SSF reception endpoint. A background Poller periodically retrieves SETs from the Transmitter.

The following test clients are configured by default:

• Client ID: test-client
• Client Secret: test-secret
• Redirect URI: http://localhost:8081/callback
• Supported Scopes: openid, profile, email

1. Start PostgreSQL: docker compose up -d
2. Apply migrations: make db-migrate-apply
3. Start servers: make run
4. Access http://localhost:8081 in your browser
5. Click the "Login with OIDC" button
6. On first access, create an Owner account at /setup on the IdP
7. After login, you will be automatically redirected back to the RP with user information displayed
8. Use management features in the IdP Portal (http://localhost:8080/portal)

• This repository is a research-purpose implementation
• Not intended for production use
• Aimed at verifying and evaluating SSF specifications

• ory/fosite - OAuth 2.0 / OpenID Connect framework
• gorilla/mux - HTTP routing
• pgx - PostgreSQL driver
• sqlc - SQL to Go code generator
• Atlas - Database schema migration
• Go standard library - Cryptography, JSON Web Token, templates

• HTML5 + CSS3 - Responsive Web UI
• Go html/template - Server-side rendering

• BCrypt - Client secret hashing
• HTTPOnly Cookies - Secure session management
• CSRF Protection - State parameter validation
• Base64URL - JWT token handling
• RSA signatures - Integrity guarantee for SETs (Security Event Tokens)
• Automatic session invalidation - Immediate response upon security event reception

• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)

• OpenID Connect Core 1.0
• OpenID Connect Discovery 1.0
• OpenID Connect Session Management 1.0

• RFC 7519 - JSON Web Token (JWT)
• RFC 7515 - JSON Web Signature (JWS)
• RFC 7517 - JSON Web Key (JWK)

• OpenID Foundation Official Website
• Specifications List

• OpenID Shared Signals Framework Specification 1.0
• RFC 8935 - Push-Based Security Event Token (SET) Delivery Using HTTP
• RFC 8936 - Poll-Based Security Event Token (SET) Delivery Using HTTP
• RFC 8417 - Security Event Token (SET)
• OpenID RISC Profile Specification 1.0
• OpenID CAEP (Continuous Access Evaluation Profile) 1.0

This project is licensed under the MIT License - see the LICENSE file for details.

This project uses the following open source libraries: