Guest OIDC IdP

A stateless OpenID Connect provider that issues real tokens to anonymous guests — no signup.

graduatedIdentity & securityMIT
Overview
~174
unit tests
~90
e2e tests
8+
RFCs implemented

Sometimes you need identity before you have users: demos, trials, kiosk flows, agent sandboxes. Guest OIDC IdP issues real, verifiable OIDC tokens to anonymous "guest" identities instantly — no registration — while keeping the full protocol surface intact: authorization-code with PKCE, refresh rotation, revocation, introspection, discovery, JWKS, RP-initiated logout.

Guests are UUIDv7 subjects with optional HMAC-derived stability, so a returning visitor can keep an identity without ever creating an account. Tokens are ES256-signed with HKDF purpose-derived keys; codes are opaque; cookies are HMAC-signed with constant-time comparison.

It is stateless by design — in-memory storage for development, Redis for production — ships as a non-root container, and pairs with the lab's use-identity React library on the frontend side.

Related projects