node-oidc-provider Wins BlueHats Prize for FOSS maintainers

Filip Skokan, maintainer of the node-oidc-provider project, is awarded the second BlueHats prize of 2024. Filip started the free and open source project in 2015 and has maintained it ever since. node-oidc-provider provides an OAuth 2.0 (RFC 6749) Authorization Server with support for OpenID Connect (OIDC) and many additional standards for Node.js, the open-source and cross-platform JavaScript runtime environment.

This second of four BlueHats prizes of € 10 000 each is part of an initiative to thank maintainers of critical free software and raise awareness of the need for FOSS end users to invest in maintenance and maintainers. The first BlueHats prize went to dns-masq. Nominations for the remaining two prizes are still open and anyone can submit their favorite free and open source project. The BlueHats prizes are issued by the French public administration in collaboration with NLnet.

About node-oidc-provider

Through the protocols it implements, node-oidc-provider enables single sign-on (SSO), allowing users to access multiple websites with a single login. SSO delegates the responsibility of verifying and securing user interactions to trusted identity providers. This approach is often used to provide users with seamless access to various services using one account from a chosen identity provider. This streamlines the user experience while maintaining robust security standards.

Filip Skokan on receiving the BlueHats prize

In response to hearing he had won, Filip Skokan said: "I am incredibly honored and humbled to receive the BlueHats Prize. This recognition means a lot to me personally, as it validates the years of hard work and dedication I've put into the node-oidc-provider project. When I started this project, my goal was simply to learn. Seeing that node-oidc-provider has been adopted by initiatives like FranceConnect is truly rewarding and it is adoptions like these that reinforce my commitment to continue being involved with open source as well as the standards-developing organizations."

Praise for node-oidc-provider

Raphaël Dubigny from DINUM, who nominated node-oidc-provider for the BlueHats prize, motivated his choice saying: "The strategy of the software suite of the operator of DINUM relies on AgentConnect. AgentConnect relies on the same technological bases as FranceConnect. FranceConnect relies on the node-oidc-provider library for assuring compatibility with the OpenID Connect standard."

The jury, made up of French public officials from ANSSI (French Cybersecurity Agency) and DINUM (the Interministerial Digital Department), recognised the importance of node-oidc-provider and its role in identity federation. The members of the Free Software Council wish to continue to highlight this type of initiative: discreet projects that are critical to software infrastructures, and maintained by reliable teams over the years.

Standardization and certification

One of the elements that set Filip apart is that he wants to build the code to the point where it conforms to the protocol. During this work he got in contact with the OpenID Certification program. Through the exchanges with the program and the certification process itself he identified issues in his own code, but also in the reference implementation of the test suite. This has contributed to the OpenID Certification program winning the Identity Innovation Award and European Identity and Cloud Award in 2018 and gave Filip the confidence to take part in the standardization processes run by working groups at OIDF and IETF. The learning curve to read (and later also write) these types of documents was steep. Filip is enthusiastic about implementing the specifications as early as possible during the standardization process in order to be able to give valuable implementer feedback to the working groups.

The fact that node-oidc-provider is OpenID Certified™ is notable. Many software projects focus on the green path where all goes optimally. Filip likes to make sure that all negative test cases are handled correctly as well, and the OpenID Certification program's test suite helps with that. The existence of an exhaustive test suite and a certification program can give users confidence that their software does what it is supposed to do and will not exhibit unexpected behaviors.

Without the certification, France would not have chosen a Free Software solution. Stéphane Herman, CTO of FranceConnect, says: "We chose node-oidc-provider back in late 2018 because the library was listed as a certified OpenID Connect provider."

On his attention to certification, Filip said: "In the past, I wrote that 'Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.' Certification is not usually a free process; it is, at the very least, a time-consuming one. I am happy to say that today, after lobbying the OpenID Foundation's leadership, the OpenID Certification is free of charge for qualifying open source projects. If you maintain an OpenID Connect open source project, either client or provider, get it certified."

About the 2024 BlueHats prizes

The BlueHats prize is an initiative of the French public administration to express gratitude to maintainers of critical free and open source software and raise awareness of the importance of maintenance. The initiative seeks to encourage end users of free and open software to invest in maintenance, addressing the issue of underfunding for this much-needed phase in a software's lifecycle.

BlueHats are civil servants who promote using and developing Free Software in public administrations. The BlueHats prize is executed by the Free Software unit at DINUM in collaboration with NLnet.