@oidfed/core

Federation primitives for JavaScript — entity statements, trust chain resolution, metadata policy, and cryptographic verification. The foundational layer of the complete OpenID Federation 1.0 implementation.

Status: prerelease — API may change before the upcoming stable 1.0.0 release.

Install

npm install @oidfed/core

Quick Start

import {
  entityId,
  generateSigningKey,
  resolveTrustChains,
  validateTrustChain,
} from "@oidfed/core";
import type { TrustAnchorSet } from "@oidfed/core";

const trustAnchors: TrustAnchorSet = new Map([
  [entityId("https://ta.example.org"), { jwks: { keys: [taKey] } }],
]);

const result = await resolveTrustChains(
  entityId("https://leaf.example.com"),
  trustAnchors,
);

for (const chain of result.chains) {
  const validated = await validateTrustChain(chain.statements, trustAnchors);
  if (validated.valid) {
    console.log(validated.chain.resolvedMetadata);
  }
}

What's Included

• Trust chain resolution, validation, refresh, and selection strategies
• JOSE operations — sign, verify, decode entity statements; key generation
• Metadata policy — merge and apply across trust chains
• Constraint checking — path length, naming constraints, allowed entity types
• Typed Zod schemas for all federation data structures
• Trust mark validation and delegation signing
• Remote-endpoint clients — fetchListSubordinates, fetchExtendedSubordinatesList (paginated, with bulk claim retrieval), fetchResolveResponse, fetchHistoricalKeys, fetchTrustMarkList
• LRU cache, Result type, pluggable storage interfaces
• Fetch-compatible HTTP primitives (Request → Response)

Documentation

Full API reference: docs/packages/core.md

Part of @oidfed

| Package | Role | |---------|------| | @oidfed/core | Federation primitives (this package) | | @oidfed/authority | Trust Anchor & Intermediate operations | | @oidfed/leaf | Leaf Entity toolkit | | @oidfed/oidc | OIDC/OAuth 2.0 federation flows | | @oidfed/cli | CLI for federation debugging |

License

Apache-2.0 — see NOTICE for attribution.