jonnystoten / openpubkey

OpenPubkey Reference Implementation

OpenPubkey adds user-generated cryptographic signatures to OpenID Connect (OIDC), enabling users to sign messages or artifacts under their OpenID identity. Verifiers can check that these signatures are valid and associated with the signing OpenID identity. OpenPubkey does not add any new trusted parties beyond what is required for OpenID Connect and is fully compatible with existing OpenID Providers (Google, Azure/Microsoft, Okta, OneLogin, Keycloak) without any changes to the OpenID Provider.

This repo contains the current reference implementation of OpenPubkey. The reference implementation is a work in progress.

Remaining Work

  • Signing example
  • Common OpenPubkey client struct constructor that supports:
    • GitHub OpenID Provider (OP) with CIC in aud claim
    • Azure OpenID Provider (OP)
    • Google OpenID Provider (OP)
  • GQ Signature Support
    • GQ signer and verifier
    • GQ JWS Support
  • MFA Cosigner
    • MFA Cosigner example
    • Webauthn support

Further reading

About

License: Apache License 2.0


Languages

Language: Go 100.0%