A lightweight, configurable Identity Provider for development and testing
Project description
NanoIDP
A lightweight, configurable Identity Provider for development and testing.
Supports OAuth2/OIDC and SAML 2.0 protocols with a full-featured web UI for configuration.
Design principles, non-goals and medium-term direction live in VISION.md.
Features
- OAuth2 / OIDC - OAuth2/OIDC support for development and integration testing: Authorization Code, Password, Client Credentials, Refresh Token, and Device Authorization grants
- PKCE Support - Proof Key for Code Exchange (RFC 7636) with S256 and plain methods
- Security Profiles -
stricter-dev(runtime hardening) andoauth21(draft OAuth 2.1 protocol strictness: PKCE-only S256, rotation, no password grant, registered redirect URIs) - Token Management - Introspection (RFC 7662) and Revocation (RFC 7009) endpoints
- OIDC Logout - End Session endpoint for RP-initiated logout
- Device Flow - Device Authorization Grant (RFC 8628) for CLI/IoT applications
- SAML 2.0 - SSO and AttributeQuery endpoints with configurable signed assertions and opt-in verification of signed AuthnRequests
- MCP Server - Model Context Protocol integration for Claude Code
- Web UI - Full configuration interface for users, clients, settings, and more
- YAML Configuration - File-based configuration, no database required
- Attribute-based Access Control - Flexible authority prefixes and claims mapping
- Audit Logging - Track all authentication events
- Docker Support - Ready to deploy with Docker/Docker Compose
Quick Start
pip install nanoidp
python -m nanoidp init # create ./config (users, settings, keys)
python -m nanoidp # serve on http://localhost:8000
Get a first token:
curl -X POST 'http://localhost:8000/token' \
-u 'demo-client:demo-secret' \
-d 'grant_type=password&username=admin&password=admin&scope=openid'
The admin UI runs at http://localhost:8000. Prefer Docker?
docker run --rm -p 8000:8000 \
-v $(pwd)/config:/app/config \
ghcr.io/cdelmonte-zg/nanoidp:latest
Full walkthrough (wizard, custom config paths, docker-compose): Install and Quickstart.
Documentation
The full documentation lives at https://cdelmonte-zg.github.io/nanoidp/:
- Requesting tokens — curl examples for every grant, introspection, revocation
- MCP with Claude Code — drive NanoIDP from an agent
- Security guide — profiles, key management, MCP hardening
- Configuration —
users.yaml,settings.yaml, logging - Endpoints — OAuth2/OIDC, SAML, REST API
- Tokens and claims — token structure and
audsemantics - SAML options — bindings, strict mode, signing, canonicalization
- MCP server — all tools and Claude Code/Desktop setup
Security
NanoIDP is a development/testing tool and must NOT be used in
production. Defaults favor convenience (plaintext passwords in config,
permissive CORS, open redirects); hardening is opt-in via the
stricter-dev (runtime) and oauth21 (draft OAuth 2.1 protocol
strictness) profiles and explicit settings. The
Security guide
draws the line precisely.
Development
pip install -e ".[dev]"
pytest
See CONTRIBUTING.md for the development setup, the end-to-end test agent, code quality tooling, and the release process.
License
MIT License - see LICENSE for details.
❤️ Support NanoIDP
NanoIDP is maintained as an open-source project.
If it helps you test OAuth2, OpenID Connect, or SAML flows, you can support its development here:
- 💖 GitHub Sponsors: https://github.com/sponsors/cdelmonte-zg
- ☕ Buy Me a Coffee: https://buymeacoffee.com/nanoidp
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nanoidp-2.3.0.tar.gz.
File metadata
- Download URL: nanoidp-2.3.0.tar.gz
- Upload date:
- Size: 94.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d64d8c06113b7a7be58e4d997767e990f94d015a85b2b3aec4ef34600a45bff6
|
|
| MD5 |
9ed27920d444567d0c01655c0c837e15
|
|
| BLAKE2b-256 |
728d3f70cb2e799911ae0b127e003586cada26b047e2ad77946e122723035270
|
Provenance
The following attestation bundles were made for nanoidp-2.3.0.tar.gz:
Publisher:
publish.yml on cdelmonte-zg/nanoidp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
nanoidp-2.3.0.tar.gz -
Subject digest:
d64d8c06113b7a7be58e4d997767e990f94d015a85b2b3aec4ef34600a45bff6 - Sigstore transparency entry: 2104081404
- Sigstore integration time:
-
Permalink:
cdelmonte-zg/nanoidp@2dd17aac880452c2fcb1bdf669a98179e8df065b -
Branch / Tag:
refs/tags/v2.3.0 - Owner: https://github.com/cdelmonte-zg
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2dd17aac880452c2fcb1bdf669a98179e8df065b -
Trigger Event:
push
-
Statement type:
File details
Details for the file nanoidp-2.3.0-py3-none-any.whl.
File metadata
- Download URL: nanoidp-2.3.0-py3-none-any.whl
- Upload date:
- Size: 118.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9188b5196f0494f43be5cae7bc11798a37f15e6d87f59476243f8d6c84d8bfa2
|
|
| MD5 |
ce9b5aa3e996575cd2f9d452c4c4092a
|
|
| BLAKE2b-256 |
49681f616592b43294d0a48fd89a6878299371962affa9b0b59a1a25fdf42330
|
Provenance
The following attestation bundles were made for nanoidp-2.3.0-py3-none-any.whl:
Publisher:
publish.yml on cdelmonte-zg/nanoidp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
nanoidp-2.3.0-py3-none-any.whl -
Subject digest:
9188b5196f0494f43be5cae7bc11798a37f15e6d87f59476243f8d6c84d8bfa2 - Sigstore transparency entry: 2104081633
- Sigstore integration time:
-
Permalink:
cdelmonte-zg/nanoidp@2dd17aac880452c2fcb1bdf669a98179e8df065b -
Branch / Tag:
refs/tags/v2.3.0 - Owner: https://github.com/cdelmonte-zg
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2dd17aac880452c2fcb1bdf669a98179e8df065b -
Trigger Event:
push
-
Statement type: