oidc bridge

Author: rcholic

.env.example

@@ -24,3 +24,14 @@ ENTRA_OBO_COMPAT_CHECK_ENABLED=0
 ENTRA_SUPPORTS_OBO=0
 # Optional; required only when running true Entra OBO exchange path.
 ENTRA_USER_ASSERTION=
+
+# Generic OIDC token exchange compatibility checks (examples/tests)
+OIDC_ISSUER=https://<oidc-provider>/oauth2/default
+OIDC_CLIENT_ID=<your-oidc-client-id>
+OIDC_CLIENT_SECRET=<your-oidc-client-secret>
+OIDC_AUDIENCE=api://predicate-authority
+OIDC_SCOPE=authority:check
+OIDC_COMPAT_CHECK_ENABLED=0
+OIDC_SUPPORTS_TOKEN_EXCHANGE=0
+# Optional; required only when testing true token exchange.
+OIDC_SUBJECT_TOKEN=

README.md

@@ -142,6 +142,18 @@ python examples/delegation/entra_obo_compat_demo.py \
   --scope "$ENTRA_SCOPE"
 ```
 
+### OIDC quick command (compatibility check)
+
+```bash
+set -a && source .env && set +a
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}"
+```
+
 ### Local IdP quick command
 
 ```bash

docs/authorityd-operations.md

@@ -267,6 +267,50 @@ python examples/delegation/entra_obo_compat_demo.py \
   --supports-obo
 ```
 
+### Generic OIDC token exchange compatibility (capability-gated)
+
+```bash
+export OIDC_COMPAT_CHECK_ENABLED=1
+export OIDC_ISSUER="https://<oidc-provider>/oauth2/default"
+export OIDC_CLIENT_ID="<oidc-client-id>"
+export OIDC_CLIENT_SECRET="<oidc-client-secret>"
+export OIDC_AUDIENCE="api://predicate-authority"
+export OIDC_SCOPE="authority:check"
+
+# Provider does NOT support token exchange:
+export OIDC_SUPPORTS_TOKEN_EXCHANGE=false
+python3 -m pytest tests/test_oidc_compatibility.py -k "live_check_when_enabled"
+
+# Provider supports token exchange:
+export OIDC_SUPPORTS_TOKEN_EXCHANGE=true
+export OIDC_SUBJECT_TOKEN="<subject-access-token>"
+python3 -m pytest tests/test_oidc_compatibility.py -k "live_check_when_enabled"
+```
+
+Run demo script:
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}"
+```
+
+If token exchange is supported and subject token is available:
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}" \
+  --subject-token "$OIDC_SUBJECT_TOKEN" \
+  --supports-token-exchange
+```
+
 ### Secret storage policy (Okta credentials)
 
 - never commit Okta client secrets/API tokens/private keys to repo files,

docs/predicate-authority-user-manual.md

@@ -329,6 +329,59 @@ Expected delegation path output:
 
 ---
 
+## Generic OIDC token exchange compatibility (capability-gated)
+
+Use this when integrating with a non-Okta, non-Entra OIDC provider and validating token-exchange readiness.
+
+### 1) Set environment variables
+
+```bash
+export OIDC_ISSUER="https://<oidc-provider>/oauth2/default"
+export OIDC_CLIENT_ID="<oidc-client-id>"
+export OIDC_CLIENT_SECRET="<oidc-client-secret>"
+export OIDC_AUDIENCE="api://predicate-authority"
+export OIDC_SCOPE="authority:check"
+```
+
+### 2) Run compatibility test
+
+```bash
+# token exchange not supported or intentionally disabled:
+export OIDC_COMPAT_CHECK_ENABLED=1
+export OIDC_SUPPORTS_TOKEN_EXCHANGE=false
+python -m pytest tests/test_oidc_compatibility.py -k "live_check_when_enabled"
+
+# token exchange supported:
+export OIDC_COMPAT_CHECK_ENABLED=1
+export OIDC_SUPPORTS_TOKEN_EXCHANGE=true
+export OIDC_SUBJECT_TOKEN="<subject-access-token>"
+python -m pytest tests/test_oidc_compatibility.py -k "live_check_when_enabled"
+```
+
+### 3) Run demo script in `examples/`
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}"
+```
+
+If token exchange is supported and subject token is available, add:
+
+```bash
+--subject-token "$OIDC_SUBJECT_TOKEN" --supports-token-exchange
+```
+
+Expected delegation path output:
+
+- `idp_token_exchange` (if exchange succeeds), or
+- `authority_mandate_delegation` (fallback).
+
+---
+
 ## Local identity registry + flush queue
 
 Enable ephemeral task identity registry and local ledger queue:

examples/README.md

@@ -48,3 +48,9 @@ For Okta OBO/token-exchange compatibility setup and troubleshooting, see:
 For Entra OBO compatibility setup and troubleshooting, see:
 
 - `examples/README_Entra.md`
+
+## OIDC compatibility example notes
+
+For generic OIDC token-exchange compatibility setup and fallback behavior, see:
+
+- `examples/README_OIDC.md`

examples/README_OIDC.md

@@ -0,0 +1,48 @@
+# OIDC Example Notes
+
+This note covers running the generic OIDC token-exchange compatibility demo.
+
+## Prerequisites
+
+- Populate `AgentIdentity/.env` with:
+  - `OIDC_ISSUER`
+  - `OIDC_CLIENT_ID`
+  - `OIDC_CLIENT_SECRET`
+  - `OIDC_AUDIENCE`
+  - `OIDC_SCOPE` (default `authority:check`)
+- Load env vars:
+
+```bash
+set -a
+source .env
+set +a
+```
+
+## Run OIDC compatibility demo
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}"
+```
+
+If provider supports token exchange and you have a subject token:
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}" \
+  --subject-token "$OIDC_SUBJECT_TOKEN" \
+  --supports-token-exchange
+```
+
+## Compatibility behavior
+
+- token exchange success -> `delegation_path: idp_token_exchange`
+- token exchange unavailable or unsupported -> `delegation_path: authority_mandate_delegation`

examples/delegation/oidc_compat_demo.py

@@ -0,0 +1,93 @@
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+
+
+def _ensure_repo_root_on_syspath() -> None:
+    repo_root = Path(__file__).resolve().parents[2]
+    root = str(repo_root)
+    if root not in sys.path:
+        sys.path.insert(0, root)
+
+
+def run(
+    issuer: str,
+    client_id: str,
+    client_secret: str,
+    audience: str,
+    scope: str,
+    supports_token_exchange: bool,
+    subject_token: str | None,
+    timeout_s: float,
+) -> dict[str, object]:
+    _ensure_repo_root_on_syspath()
+    from predicate_authority import (  # pylint: disable=import-error
+        OidcCompatibilityConfig,
+        OidcProviderCapabilities,
+        run_oidc_token_exchange_compatibility_check,
+    )
+
+    result = run_oidc_token_exchange_compatibility_check(
+        config=OidcCompatibilityConfig(
+            issuer=issuer,
+            client_id=client_id,
+            client_secret=client_secret,
+            audience=audience,
+            scope=scope,
+        ),
+        capabilities=OidcProviderCapabilities(supports_token_exchange=supports_token_exchange),
+        subject_token=subject_token,
+        timeout_s=timeout_s,
+    )
+    result["delegation_path"] = (
+        "idp_token_exchange"
+        if bool(result.get("token_exchange_ok", False))
+        else "authority_mandate_delegation"
+    )
+    return result
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="OIDC token exchange compatibility demo.")
+    parser.add_argument("--issuer", default=os.getenv("OIDC_ISSUER"))
+    parser.add_argument("--client-id", default=os.getenv("OIDC_CLIENT_ID"))
+    parser.add_argument("--client-secret", default=os.getenv("OIDC_CLIENT_SECRET"))
+    parser.add_argument("--audience", default=os.getenv("OIDC_AUDIENCE"))
+    parser.add_argument("--scope", default=os.getenv("OIDC_SCOPE", "authority:check"))
+    parser.add_argument("--subject-token", default=os.getenv("OIDC_SUBJECT_TOKEN"))
+    parser.add_argument("--supports-token-exchange", action="store_true")
+    parser.add_argument("--timeout-s", type=float, default=5.0)
+    args = parser.parse_args()
+
+    missing = [
+        name
+        for name, value in (
+            ("issuer", args.issuer),
+            ("client_id", args.client_id),
+            ("client_secret", args.client_secret),
+            ("audience", args.audience),
+        )
+        if value is None or str(value).strip() == ""
+    ]
+    if missing:
+        raise SystemExit(f"Missing required arguments/env vars: {', '.join(missing)}")
+
+    payload = run(
+        issuer=str(args.issuer),
+        client_id=str(args.client_id),
+        client_secret=str(args.client_secret),
+        audience=str(args.audience),
+        scope=str(args.scope),
+        supports_token_exchange=bool(args.supports_token_exchange),
+        subject_token=(str(args.subject_token) if args.subject_token is not None else None),
+        timeout_s=float(args.timeout_s),
+    )
+    print(json.dumps(payload, indent=2, sort_keys=True))
+
+
+if __name__ == "__main__":
+    main()

predicate_authority/README.md

@@ -72,6 +72,30 @@ python examples/delegation/entra_obo_compat_demo.py \
   --scope "${ENTRA_SCOPE:-api://predicate-authority/.default}"
 ```
 
+## OIDC compatibility demo (capability-gated token exchange)
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}"
+```
+
+If your provider supports token exchange and you have a subject token:
+
+```bash
+python examples/delegation/oidc_compat_demo.py \
+  --issuer "$OIDC_ISSUER" \
+  --client-id "$OIDC_CLIENT_ID" \
+  --client-secret "$OIDC_CLIENT_SECRET" \
+  --audience "$OIDC_AUDIENCE" \
+  --scope "${OIDC_SCOPE:-authority:check}" \
+  --subject-token "$OIDC_SUBJECT_TOKEN" \
+  --supports-token-exchange
+```
+
 ## Local IdP quick example
 
 ```python

predicate_authority/__init__.py

@@ -39,6 +39,12 @@
     TaskIdentityRecord,
 )
 from predicate_authority.mandate import LocalMandateSigner
+from predicate_authority.oidc_compat import (
+    OidcCompatibilityConfig,
+    OidcCompatibilityError,
+    OidcProviderCapabilities,
+    run_oidc_token_exchange_compatibility_check,
+)
 from predicate_authority.okta_compat import (
     OktaCompatibilityConfig,
     OktaCompatibilityError,
@@ -98,6 +104,9 @@
     "OktaCompatibilityConfig",
     "OktaCompatibilityError",
     "OktaTenantCapabilities",
+    "OidcCompatibilityConfig",
+    "OidcCompatibilityError",
+    "OidcProviderCapabilities",
     "PolicyEngine",
     "PolicyFileSource",
     "PolicyMatchResult",
@@ -114,6 +123,7 @@
     "TokenValidationError",
     "UsageCreditRecord",
     "parse_bool",
-    "run_okta_obo_compatibility_check",
     "run_entra_obo_compatibility_check",
+    "run_okta_obo_compatibility_check",
+    "run_oidc_token_exchange_compatibility_check",
 ]