node-oidc-provider wins the second BlueHats Prize

BlueHats prizes are an initiative by the French Interministerial Digital Directorate. They are awarded to maintainers of critical free and open source projects. In 2024 four prizes of € 10 000 each will be given out. We are happy to announce that the winner of the second 2024 BlueHats prize is Filip Skokan, maintainer of the node-oidc-provider project. node-oidc-provider provides an OAuth 2.0 (RFC 6749) Authorization Server with support for OpenID Connect (OIDC) and many other additional standards for Node.js, the open-source, cross-platform JavaScript runtime environment.

The jury, made up of public officials from ANSSI and DINUM, recognised the importance of node-oidc-provider and its role in identity federation. The members of the Free Software Council wish to continue to highlight this type of initiative: discreet projects that are critical to software infrastructures, and maintained by reliable teams over the years.

In response to hearing he had won, Filip Skokan said:

I am incredibly honored and humbled to receive the BlueHats Prize. This recognition means a lot to me personally, as it validates the years of hard work and dedication I've put into the node-oidc-provider project. When I started this project, my goal was simply to learn. Seeing that node-oidc-provider has been adopted by initiatives like FranceConnect is truly rewarding and it is adoptions like these that reinforce my commitment to continue being involved with open source as well as the standards-developing organizations.

About node-oidc-provider

Through the protocols it implements, node-oidc-provider enables single sign-on (SSO), allowing users to access multiple websites with a single login. SSO delegates the responsibility of verifying and securing user interactions to trusted identity providers. This approach is often used to provide users with seamless access to various services using one account from a chosen identity provider. This streamlines the user experience while maintaining robust security standards.

Filip started node-oidc-provider as his first open source project in 2015 to learn OIDC and OAuth 2.0. He wanted to build the code to the point where it conforms to the protocol. During this work he got in contact with the OpenID Certification program. Through the exchanges with the program and the certification process itself he identified issues in his own code, but also in the reference implementation of the test suite. This contributed to the OpenID Certification program winning the Identity Innovation Award and the European Identity and Cloud Award in 2018, and gave Filip the confidence to take part in the standardization processes of working groups at the OIDF and the IETF. The learning curve to read (and later also write) these types of documents was steep. Filip is enthusiastic about implementing specifications as early as possible during the standardization process, so that he can give valuable implementer feedback to the working groups.

After several years, the dedication and precision with which Filip worked on his project brought him to the attention of Auth0 (now acquired by Okta), which hired him to work on their solutions. Filip continues to maintain his own implementation, which is now a stable project. He also uses it as a playground to validate new extensions being developed for the OAuth 2.0 framework.

Praise for node-oidc-provider

Anyone can nominate free and open source projects for one of the BlueHats prizes (and nominations are still open). node-oidc-provider was nominated by Raphaël Dubigny from DINUM. He motivated his choice by writing:

The strategy of the software suite of the operator of DINUM relies on AgentConnect. AgentConnect relies on the same technological bases as FranceConnect. FranceConnect relies on the node-oidc-provider library for assuring compatibility with the OpenID Connect standard.

The fact that node-oidc-provider is OpenID Certified™ is notable. Many software projects focus on the green path where all goes optimally. Filip likes to make sure that all negative test cases are handled correctly as well and the OpenID Certification program's test suite helps with that. The existence of an exhaustive test suite and a certification program can give users confidence that their software does what it is supposed to do and will not exhibit unexpected behaviors.

Without the certification, France would not have chosen a Free Software solution. Stéphane Herman, CTO of FranceConnect, says: "We chose node-oidc-provider back in late 2018 because the library was listed as a certified OpenID Connect provider."

Note from Filip:

In the past, I wrote that "Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar." Certification is not usually a free process; it is, at the very least, a time-consuming one. I am happy to say that today, after lobbying the OpenID Foundation's leadership, the OpenID Certification is free of charge for qualifying open source projects. If you maintain an OpenID Connect open source project, either client or provider, get it certified.

BlueHats prizes for maintainers of critical software

The BlueHats prize aims to place maintainers of critical open source software in the spotlight. It is a well-known problem in the free and open source world: the benefit of having open source software is enormous, but there is not enough attention and resources for maintenance and maintainers.

node-oidc-provider is a typical example of this state of affairs. Although it affects countless end users through its use in identity providers such as FranceConnect, it is not immune to this well-known problem. The BlueHats prizes seek to encourage users of free and open software to invest in maintenance, addressing the issue of underfunding for this much-needed phase in a software's lifecycle.

Nominations still open

Two more BlueHats prizes will be awarded in the upcoming months. You can still nominate your favorite project for one of the € 10 000 prizes. The BlueHats prizes are an initiative of the French public administration. The French Free Software Unit (an OSPO) has partnered with NLnet to put four notable projects in the spotlight and award them the BlueHats 2024 prizes.