SSO · Capability

SSO Identity Federation

Workflow capability for Single Sign-On identity federation using OpenID Connect (OIDC). Enables applications to integrate SSO authentication flows including authorization code exchange, user profile retrieval, provider discovery, and JWKS key management. Designed for developers and platform engineers implementing federated identity across enterprise applications.

Tags: SSO, Identity Federation, OIDC, Authentication, OAuth, Security

What You Can Do

POST /v1/token
  Exchange token: exchange an authorization code or refresh token for access and ID tokens
GET /v1/userinfo
  Get user info: get the authenticated user's identity claims from the UserInfo endpoint
GET /v1/jwks
  Get jwks: get public keys for verifying ID token signatures
GET /v1/discovery
  Get discovery: get OpenID Provider configuration metadata
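The JWKS endpoint hands out the provider's public keys; verifying the ID token with them is the client's job, and it is where most SSO integrations go wrong (accepting `alg: none`, skipping the `kid` lookup, or trusting `iss`/`aud`/`nonce` before the signature holds). The following is an added example, not code from the Naftiko capability or the oidc-authentication API it imports. It is pure Python so it runs offline: the RSA key is generated at run time from a seeded RNG as a stand-in for the provider's real signing key, and the issuer, client ID, `kid` and claims are constructed values.

```python
"""Verify an OIDC ID token against a provider JWKS (RS256) in pure Python.
Added example, not Naftiko's code: the RSA key is generated at run time from a
seeded RNG so it runs offline; issuer, client_id, kid and claims are constructed."""
import base64, hashlib, json, random

ALLOWED_ALGS = {"RS256"}  # pinned by the client; the token's own 'alg' is attacker-controlled
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

class TokenError(Exception): pass  # raised for any token that must not be accepted

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rng, rounds=24):  # Miller-Rabin, adequate for a demo key
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_keypair(seed=1, bits=1024):
    """Toy RSA key generation, constructed for the example; use a real library in production."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            n = p * q
            return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "size": (n.bit_length() + 7) // 8}

def _emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_id_token(claims, key, kid):  # provider side: RS256 over base64url(header).base64url(payload)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), key["size"]), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(key["size"], "big"))

def jwks_for(key, kid):  # the document GET /v1/jwks would return for this key
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url_encode(key["n"].to_bytes(key["size"], "big")),
                      "e": b64url_encode(key["e"].to_bytes(3, "big"))}]}

def _rsa_verify(jwk, signing_input, signature):  # RSASSA-PKCS1-v1_5 verify with the JWK's (n, e)
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    return len(signature) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(signing_input, k)

def verify_id_token(token, jwks, issuer, client_id, nonce, now, leeway=60):
    """OIDC Core 3.1.3.7 validation; returns the claims only when every check passes."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token: %s" % exc)
    if header.get("alg") not in ALLOWED_ALGS:  # rejects alg=none and RS->HS key-confusion tokens
        raise TokenError("algorithm not allowed: %r" % header.get("alg"))
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig" and k.get("alg", header["alg"]) == header["alg"]]
    if len(keys) != 1 or not _rsa_verify(keys[0], ("%s.%s" % (h_b64, p_b64)).encode(), signature):
        raise TokenError("signature verification failed for kid %r" % header.get("kid"))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer:  # claims are authentic from here on; now check they are for us
        raise TokenError("issuer mismatch")
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now - leeway:
        raise TokenError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to the browser session that started the login
        raise TokenError("nonce mismatch")
    return claims

def demo():
    """Issue a token for a constructed user and verify it with the matching JWKS."""
    key, kid, now = make_demo_keypair(seed=7), "demo-2026-05", 1777680000
    issuer, client_id, nonce = "https://idp.example.com", "app-client", "n-0S6_WzA2Mj"
    claims = {"iss": issuer, "sub": "248289761001", "aud": client_id, "exp": now + 300,
              "iat": now, "nonce": nonce, "email": "alice@example.com"}
    return verify_id_token(sign_id_token(claims, key, kid), jwks_for(key, kid), issuer, client_id, nonce, now)
```

The order of checks matters: algorithm allowlist first, then key selection by `kid` restricted to RSA signing keys, then the signature, and only then the claims. `now` is passed in rather than read from the clock so the function is testable and so a caller can apply its own clock-skew policy. In production the key generation and the PKCS#1 arithmetic would come from a maintained library; the validation logic is what to keep.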

MCP Tools

exchange-authorization-code
  Exchange an OIDC/OAuth 2.0 authorization code for access token, ID token, and refresh token
  Hints: not read-only, not idempotent

get-authenticated-user-profile
  Retrieve the authenticated user's identity claims (name, email, sub, etc.) from the OIDC UserInfo endpoint
  Hints: read-only, idempotent

get-provider-signing-keys
  Retrieve the OpenID Provider's JSON Web Key Set (JWKS) for verifying ID token signatures
  Hints: read-only, idempotent

discover-oidc-provider-configuration
  Retrieve OpenID Provider configuration metadata including endpoints, supported features, and algorithms
  Hints: read-only, idempotent
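Discovery metadata tells a client where to send authorization codes, client credentials and key requests, so it should be validated before any of those endpoints are used. The check below is an added example, not code from the Naftiko capability or its oidc-authentication API; the discovery document, issuer URL and endpoint URLs in it are constructed for the example, shaped like what GET /v1/discovery or the discover-oidc-provider-configuration tool returns.

```python
"""Validate an OpenID Provider discovery document before trusting the endpoints it names.
Added example, not Naftiko's code; the document, issuer and URLs below are constructed."""
import json

# Constructed sample of what GET /v1/discovery (or <issuer>/.well-known/openid-configuration) returns.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def validate_discovery(raw, expected_issuer):
    """Return the parsed metadata or raise ValueError naming the first problem found."""
    doc = json.loads(raw)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError("discovery document missing %s" % missing)
    # OIDC Discovery 4.3: 'issuer' MUST be identical to the issuer URL the document was fetched for.
    # Accepting anything else lets a rogue provider stand in for the real one (issuer mix-up).
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer %r does not match %r" % (doc["issuer"], expected_issuer))
    for key in ENDPOINTS:  # codes, tokens and key material only travel over TLS
        if key in doc and not doc[key].startswith("https://"):
            raise ValueError("%s is not https: %s" % (key, doc[key]))
    if "code" not in doc["response_types_supported"]:
        raise ValueError("provider does not support the authorization code flow")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("provider cannot sign ID tokens with RS256")
    return doc

def client_settings(doc):
    """Choose the strongest options the provider advertises; 'none' and 'plain' are never selected."""
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return {
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        "pkce_method": "S256" if "S256" in doc.get("code_challenge_methods_supported", []) else None,
        "client_auth": "private_key_jwt" if "private_key_jwt" in auth_methods else auth_methods[0],
        "id_token_algs": [a for a in doc["id_token_signing_alg_values_supported"] if a != "none"],
    }
```

A provider listing `none` among its signing algorithms is not itself a fault (Discovery permits it for flows that return no ID token from the authorization endpoint); the point is that the client decides what it accepts rather than inheriting the provider's list. The issuer comparison is an exact string match, so `https://idp.example.com/` with a trailing slash is a different issuer and is rejected.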

APIs Used

oidc-authentication

Capability Spec

identity-federation.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "SSO Identity Federation"
  description: >-
    Workflow capability for Single Sign-On identity federation using OpenID
    Connect (OIDC). Enables applications to integrate SSO authentication flows
    including authorization code exchange, user profile retrieval, provider
    discovery, and JWKS key management. Designed for developers and platform
    engineers implementing federated identity across enterprise applications.
  tags:
    - SSO
    - Identity Federation
    - OIDC
    - Authentication
    - OAuth
    - Security
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      OIDC_CLIENT_ID: OIDC_CLIENT_ID
      OIDC_CLIENT_SECRET: OIDC_CLIENT_SECRET
      OIDC_ACCESS_TOKEN: OIDC_ACCESS_TOKEN

capability:
  consumes:
    - import: oidc-authentication
      location: ./shared/oidc-authentication.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: identity-federation-api
      description: "Unified REST API for SSO identity federation workflows."
      resources:
        - path: /v1/token
          name: token
          description: "Token exchange and refresh"
          operations:
            - method: POST
              name: exchange-token
              description: "Exchange an authorization code or refresh token for access and ID tokens"
              call: "oidc-authentication.exchange-token"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/userinfo
          name: userinfo
          description: "Authenticated user profile claims"
          operations:
            - method: GET
              name: get-user-info
              description: "Get the authenticated user's identity claims from the UserInfo endpoint"
              call: "oidc-authentication.get-user-info"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/jwks
          name: jwks
          description: "JSON Web Key Set for signature verification"
          operations:
            - method: GET
              name: get-jwks
              description: "Get public keys for verifying ID token signatures"
              call: "oidc-authentication.get-jwks"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/discovery
          name: discovery
          description: "OpenID Provider configuration discovery"
          operations:
            - method: GET
              name: get-discovery
              description: "Get OpenID Provider configuration metadata"
              call: "oidc-authentication.get-oidc-discovery"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: identity-federation-mcp
      transport: http
      description: "MCP server for AI-assisted SSO identity federation and token management."
      tools:
        - name: exchange-authorization-code
          description: "Exchange an OIDC/OAuth 2.0 authorization code for access token, ID token, and refresh token"
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: "oidc-authentication.exchange-token"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-authenticated-user-profile
          description: "Retrieve the authenticated user's identity claims (name, email, sub, etc.) from the OIDC UserInfo endpoint"
          hints:
            readOnly: true
            idempotent: true
          call: "oidc-authentication.get-user-info"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-provider-signing-keys
          description: "Retrieve the OpenID Provider's JSON Web Key Set (JWKS) for verifying ID token signatures"
          hints:
            readOnly: true
            idempotent: true
          call: "oidc-authentication.get-jwks"
          outputParameters:
            - type: object
              mapping: "$."

        - name: discover-oidc-provider-configuration
          description: "Retrieve OpenID Provider configuration metadata including endpoints, supported features, and algorithms"
          hints:
            readOnly: true
            idempotent: true
          call: "oidc-authentication.get-oidc-discovery"
          outputParameters:
            - type: object
              mapping: "$."