Guest OIDC IdP
A stateless OpenID Connect provider that issues real tokens to anonymous guests — no signup.
- ~174
- unit tests
- ~90
- e2e tests
- 8+
- RFCs implemented
Sometimes you need identity before you have users: demos, trials, kiosk flows, agent sandboxes. Guest OIDC IdP issues real, verifiable OIDC tokens to anonymous "guest" identities instantly — no registration — while keeping the full protocol surface intact: authorization-code with PKCE, refresh rotation, revocation, introspection, discovery, JWKS, RP-initiated logout.
Guests are UUIDv7 subjects with optional HMAC-derived stability, so a returning visitor can keep an identity without ever creating an account. Tokens are ES256-signed with HKDF purpose-derived keys; codes are opaque; cookies are HMAC-signed with constant-time comparison.
It is stateless by design — in-memory storage for development, Redis for production — ships as a non-root container, and pairs with the lab's use-identity React library on the frontend side.