identizer 0.1.0

data/lib/identizer/web/views/docs/oidc.html.erb

@@ -0,0 +1,40 @@
+<p class="muted"><a href="<%= prefix %>/docs">&larr; Docs</a></p>
+<article>
+  <h1>OIDC integration</h1>
+  <p class="lead">Identizer exposes a standard OpenID Connect authorization-code flow with discovery and JWKS.</p>
+
+  <h2>Endpoints</h2>
+  <pre>Issuer        <%= h(config.base_url) %>
+Authorize     <%= h(config.base_url) %>/v1/authorize
+Token         <%= h(config.base_url) %>/v1/token
+Discovery     <%= h(config.base_url) %>/.well-known/openid-configuration
+JWKS          <%= h(config.base_url) %>/.well-known/jwks.json</pre>
+
+  <h2>Supported features</h2>
+  <ul>
+    <li>Authorization-code grant + <strong>PKCE</strong> (S256 / plain)</li>
+    <li><strong>Refresh tokens</strong> (<span class="mono">grant_type=refresh_token</span>, rotated on use)</li>
+    <li><strong>RP-initiated logout</strong> at <span class="mono"><%= h(config.base_url) %>/v1/logout</span>
+        (<span class="mono">post_logout_redirect_uri</span>)</li>
+    <li><span class="mono">nonce</span> bound into the id_token; <span class="mono">scope</span> echoed back</li>
+    <li>Token <strong>introspection</strong> (<span class="mono">/introspect</span>) and <strong>revocation</strong>
+        (<span class="mono">/revoke</span>) — RFC 7662 / 7009</li>
+    <li>Optional client registry (<span class="mono">config.clients</span>) — lenient when empty; enables
+        <span class="mono">redirect_uri</span> allowlisting</li>
+  </ul>
+
+  <h2>Token signing</h2>
+  <p>Default is <strong>HS256</strong> (a shared key) — simplest when your client doesn't verify
+     signatures. Switch to <strong>RS256</strong> in <a href="<%= prefix %>/settings">Settings</a> to have
+     id_tokens signed with an RSA key and verifiable against the published JWKS.</p>
+
+  <h2>Claims</h2>
+  <p>Directory attributes map to standard claims: <span class="mono">mail→email</span>,
+     <span class="mono">givenName→given_name</span>, <span class="mono">sn→family_name</span>,
+     <span class="mono">cn→name</span>, <span class="mono">memberOf→groups</span>. The entry's DN is the
+     <span class="mono">sub</span>.</p>
+
+  <h2>Mounting in Rails (dev only)</h2>
+  <pre>mount Identizer::App.new =&gt; "/idp" if Rails.env.development?</pre>
+  <p>Internal links honour the mount path, so the dashboard works under <span class="mono">/idp</span>.</p>
+</article>

data/lib/identizer/web/views/docs/saml.html.erb

@@ -0,0 +1,52 @@
+<p class="muted"><a href="<%= prefix %>/docs">&larr; Docs</a></p>
+<article>
+  <h1>SAML</h1>
+  <p class="lead">A real SAML 2.0 Identity Provider: it issues <strong>signed</strong> assertions
+     (XML-DSig, RSA-SHA256) that standard SPs verify.</p>
+
+  <h2>Metadata &amp; endpoints</h2>
+  <pre>Metadata URL   <%= h(config.base_url) %>/metadata
+SSO URL        <%= h(config.base_url) %>/saml/sso   (HTTP-Redirect &amp; HTTP-POST)</pre>
+  <p>The metadata embeds the IdP signing certificate, so your SP can validate signatures.</p>
+
+  <p class="muted"><strong>Heads up:</strong> by default any ACS is accepted (dev convenience), so a signed
+     assertion will be POSTed wherever the request says. Set
+     <span class="mono">config.saml_allowed_acs = ["https://your-app/acs"]</span> to lock it down.</p>
+
+  <h2>SP-initiated</h2>
+  <p>Send an <span class="mono">AuthnRequest</span> to the SSO URL (redirect or POST binding). Identizer
+     reads the <span class="mono">AssertionConsumerServiceURL</span> and request <span class="mono">ID</span>,
+     shows the login form, then POSTs a signed Response back to your ACS with <span class="mono">InResponseTo</span>
+     set and your <span class="mono">RelayState</span> preserved.</p>
+
+  <h2>IdP-initiated</h2>
+  <pre><%= h(config.base_url) %>/saml/sso?acs=https://your-app/acs&amp;audience=https://your-app/metadata</pre>
+
+  <h2>Attributes</h2>
+  <p>The directory entry's attributes are sent as SAML <span class="mono">Attribute</span>s
+     (<span class="mono">email, given_name, family_name, groups, ...</span>); the NameID is the email.</p>
+
+  <h2>Encrypted assertions</h2>
+  <p>For SPs that require an <span class="mono">EncryptedAssertion</span>, give Identizer the SP's certificate
+     and turn encryption on — the assertion is signed, then encrypted (AES-256-CBC + RSA-OAEP) under that cert:</p>
+  <pre>Identizer.configure do |c|
+  c.saml_encrypt_assertion = true
+  c.saml_sp_certificate = File.read("sp-cert.pem")
+end</pre>
+
+  <h2>Shibboleth / academic SPs</h2>
+  <p>Shibboleth is a SAML 2.0 implementation, so it integrates like any SAML SP. If the SP expects eduPerson
+     attribute names, map them:</p>
+  <pre>Identizer.configure do |c|
+  c.saml_attribute_names = {
+    "email" => "urn:oid:0.9.2342.19200300.100.1.3",            # mail
+    "eppn"  => "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"              # eduPersonPrincipalName
+  }
+end</pre>
+  <p>Add an <span class="mono">eppn</span> attribute to the directory entry (Custom attributes) and it is sent
+     under that name.</p>
+
+  <h2>Note</h2>
+  <p>Signing requires the <span class="mono">nokogiri</span> gem (a dependency, loaded only when a Response is
+     produced). It is a development IdP — convenient, not hardened.</p>
+</article>

data/lib/identizer/web/views/docs/tls.html.erb

@@ -0,0 +1,29 @@
+<p class="muted"><a href="<%= prefix %>/docs">&larr; Docs</a></p>
+<article>
+  <h1>TLS &amp; mkcert</h1>
+  <p class="lead">Login URLs must be <span class="mono">https</span> — browser popup guards reject plain http —
+     so Identizer always listens over TLS.</p>
+
+  <h2>Default: self-signed</h2>
+  <p>With no cert provided, Identizer generates a self-signed cert under the config dir
+     (<span class="mono">cert.pem</span> / <span class="mono">key.pem</span>). Browsers will warn; for the
+     app's server-to-server calls (token / userinfo / AWS SDK) trust it:</p>
+  <pre>export SSL_CERT_FILE=…/cert.pem</pre>
+
+  <h2>Custom domain</h2>
+  <p>Want Identizer to look like a real provider host (e.g. <span class="mono">myco.okta.local</span>)? Run it
+     with a domain and tell your machine that name points at localhost:</p>
+  <pre>identizer --domain myco.okta.local
+# /etc/hosts
+127.0.0.1   myco.okta.local</pre>
+  <p>The generated self-signed certificate automatically includes the custom domain in its SAN, so HTTPS to
+     <span class="mono">https://myco.okta.local:9999</span> validates the hostname. (If you pass your own
+     <span class="mono">--tls-cert</span>, make sure that cert covers the domain.)</p>
+
+  <h2>Recommended: mkcert (locally trusted)</h2>
+  <pre>mkcert -install
+mkcert localhost 127.0.0.1
+bundle exec identizer --tls-cert ./localhost+1.pem --tls-key ./localhost+1-key.pem</pre>
+  <p>Or set <span class="mono">IDENTIZER_TLS_CERT</span> / <span class="mono">IDENTIZER_TLS_KEY</span>. A
+     locally-trusted cert means no browser warnings and no <span class="mono">SSL_CERT_FILE</span> juggling.</p>
+</article>

data/lib/identizer/web/views/docs/troubleshooting.html.erb

@@ -0,0 +1,25 @@
+<p class="muted"><a href="<%= prefix %>/docs">&larr; Docs</a></p>
+<article>
+  <h1>Troubleshooting</h1>
+
+  <h2>"Unknown user" / access_denied on login</h2>
+  <p>The email isn't in the <a href="<%= prefix %>/directory">Directory</a>, or the password didn't match the
+     shared password in <a href="<%= prefix %>/settings">Settings</a>. Add the entry or fix the password.</p>
+
+  <h2>Browser blocks the popup / cert warnings</h2>
+  <p>Login must be https. Use a locally-trusted cert via <a href="<%= prefix %>/docs/tls">mkcert</a>, or accept
+     the self-signed cert in the browser once.</p>
+
+  <h2>App can't reach the token / userinfo endpoint (SSL error)</h2>
+  <p>Server-to-server calls must trust the cert. Set <span class="mono">SSL_CERT_FILE</span> for the app
+     process, or use mkcert. See <a href="<%= prefix %>/docs/tls">TLS</a>.</p>
+
+  <h2>id_token signature won't verify</h2>
+  <p>The default HS256 key is shared and meant for clients that don't verify. If your client verifies, switch
+     to RS256 in <a href="<%= prefix %>/settings">Settings</a> and point it at the JWKS
+     (<span class="mono"><%= h(config.base_url) %>/.well-known/jwks.json</span>).</p>
+
+  <h2>Resetting state</h2>
+  <p>Identities and settings are plain JSON under the config dir. Delete
+     <span class="mono">config.json</span> / <span class="mono">settings.json</span> to start fresh.</p>
+</article>

data/lib/identizer/web/views/layout.html.erb

@@ -0,0 +1,58 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title><%= h(title) %> · Identizer</title>
+  <style>
+    :root { --fg:#1d2433; --muted:#667085; --line:#e4e7ec; --accent:#3538cd; --bg:#f9fafb; }
+    * { box-sizing: border-box; }
+    body { font-family: system-ui, sans-serif; color: var(--fg); margin: 0; background: var(--bg); }
+    header { display: flex; align-items: center; gap: 24px; padding: 14px 24px;
+             background: #fff; border-bottom: 1px solid var(--line); }
+    header .brand { font-weight: 700; letter-spacing: .2px; }
+    nav { display: flex; gap: 4px; }
+    nav a { padding: 6px 12px; border-radius: 8px; text-decoration: none; color: var(--muted); }
+    nav a.active { background: var(--bg); color: var(--accent); font-weight: 600; }
+    main { max-width: 880px; margin: 28px auto; padding: 0 24px; }
+    h1 { font-size: 22px; margin: 0 0 4px; }
+    h2 { font-size: 16px; margin: 28px 0 10px; }
+    p.lead { color: var(--muted); margin-top: 0; }
+    .card { background: #fff; border: 1px solid var(--line); border-radius: 12px; padding: 18px 20px; margin: 14px 0; }
+    table { width: 100%; border-collapse: collapse; }
+    th, td { text-align: left; padding: 8px 10px; border-bottom: 1px solid var(--line); font-size: 14px; vertical-align: top; }
+    th { color: var(--muted); font-weight: 600; }
+    code, .mono { font-family: ui-monospace, monospace; font-size: 13px; }
+    label { display: block; font-size: 13px; color: var(--muted); margin: 10px 0 4px; }
+    input[type=text], input[type=email], input[type=password], textarea, select {
+      width: 100%; padding: 8px 10px; border: 1px solid var(--line); border-radius: 8px; font: inherit; }
+    textarea { min-height: 70px; font-family: ui-monospace, monospace; }
+    button, .btn { padding: 8px 14px; border: 1px solid var(--line); border-radius: 8px; background: #fff;
+                   cursor: pointer; font: inherit; text-decoration: none; color: var(--fg); display: inline-block; }
+    button.primary { background: var(--accent); border-color: var(--accent); color: #fff; }
+    button.danger { color: #b42318; border-color: #fda29b; }
+    .row { display: grid; grid-template-columns: 1fr 1fr; gap: 12px; }
+    .tag { display: inline-block; padding: 1px 8px; border-radius: 999px; background: var(--bg);
+           border: 1px solid var(--line); font-size: 12px; margin: 1px 2px; }
+    .muted { color: var(--muted); }
+    .actions { display: flex; gap: 6px; }
+    article h2 { border-top: 1px solid var(--line); padding-top: 16px; }
+    article pre { background: #0b1020; color: #e6edf3; padding: 14px 16px; border-radius: 10px; overflow: auto; }
+    article ul { padding-left: 20px; }
+  </style>
+</head>
+<body>
+  <header>
+    <span class="brand">🔑 Identizer</span>
+    <nav>
+      <a href="<%= prefix %>/"          class="<%= "active" if nav == :overview %>">Overview</a>
+      <a href="<%= prefix %>/directory" class="<%= "active" if nav == :directory %>">Directory</a>
+      <a href="<%= prefix %>/settings"  class="<%= "active" if nav == :settings %>">Settings</a>
+      <a href="<%= prefix %>/docs"      class="<%= "active" if nav == :docs %>">Docs</a>
+    </nav>
+  </header>
+  <main>
+    <%= content %>
+  </main>
+</body>
+</html>

data/lib/identizer/web/views/login.html.erb

@@ -0,0 +1,19 @@
+<!doctype html><html><head><meta charset="utf-8"><title><%= h(title) %></title></head>
+<body style="font-family:sans-serif;max-width:480px;margin:64px auto">
+  <h2><%= h(heading) %></h2>
+  <p><%= note %></p>
+  <form method="<%= h(form_method) %>" action="<%= h(action) %>">
+    <% hidden.each do |name, value| -%>
+    <input type="hidden" name="<%= h(name) %>" value="<%= h(value) %>">
+    <% end -%>
+    <input name="email" type="email" required autofocus list="identizer-emails"
+           value="<%= h(emails.first) %>" placeholder="user@example.com" style="width:100%;padding:8px">
+    <datalist id="identizer-emails"><% emails.each do |email| -%><option value="<%= h(email) %>"><% end -%></datalist>
+    <input name="password" type="password" required placeholder="password"
+           style="width:100%;padding:8px;margin-top:8px">
+    <button type="submit" style="margin-top:16px;padding:8px 16px">Sign in</button>
+  </form>
+  <% unless config_link.to_s.empty? -%>
+  <p style="margin-top:24px"><a href="<%= h(config_link) %>">Configure identities</a></p>
+  <% end -%>
+</body></html>

data/lib/identizer/web/views/overview/index.html.erb

@@ -0,0 +1,40 @@
+<h1>Overview</h1>
+<p class="lead">A local identity provider for developing and testing auth/SSO integrations.</p>
+
+<div class="card" style="border-left:4px solid var(--accent)">
+  <strong>New here? Three steps:</strong>
+  <ol style="margin:8px 0 0;padding-left:20px">
+    <li><a href="<%= prefix %>/directory">Add a user</a><% if count.zero? %> — <strong>your directory is empty</strong><% else %> (you have <%= count %>)<% end %>.
+       The sign-in password is in <a href="<%= prefix %>/settings">Settings</a>.</li>
+    <li>Point your app's SSO config at the values below (or in <a href="<%= prefix %>/docs">Docs</a>).</li>
+    <li>Trigger login in your app and sign in as that user.</li>
+  </ol>
+  <p class="muted" style="margin:8px 0 0">Not sure which protocol you need? See
+     <a href="<%= prefix %>/docs/getting-started">Docs → Getting started</a>.</p>
+</div>
+
+<div class="card">
+  <table>
+    <tr><th>Base URL</th><td class="mono"><%= h(config.base_url) %></td></tr>
+    <tr><th>Issuer</th><td class="mono"><%= h(config.issuer) %></td></tr>
+    <tr><th>Directory entries</th><td><%= count %> &middot; <a href="<%= prefix %>/directory">manage</a></td></tr>
+    <tr><th>Token signing</th><td><%= h(config.signing.to_s.upcase) %> &middot; <a href="<%= prefix %>/settings">change</a></td></tr>
+    <tr><th>LDAP base DN</th><td class="mono"><%= h(config.ldap_base_dn) %></td></tr>
+  </table>
+</div>
+
+<h2>Provider setup cheatsheet</h2>
+<p class="muted">Values to paste into your app's integration form. The runtime is identical for all of them.</p>
+<% config.providers.each do |provider| %>
+  <div class="card">
+    <strong><%= h(provider[:title]) %></strong>
+    <% if provider[:note] %><p class="muted"><%= h(provider[:note]) %></p><% end %>
+    <table>
+      <% provider[:fields].each do |label, value| %>
+        <tr><th><%= h(label) %></th><td class="mono"><%= h(value) %></td></tr>
+      <% end %>
+    </table>
+  </div>
+<% end %>
+
+<p class="muted">New here? Read the <a href="<%= prefix %>/docs">docs</a>.</p>

data/lib/identizer/web/views/settings/index.html.erb

@@ -0,0 +1,28 @@
+<h1>Settings</h1>
+<p class="lead">Runtime settings. Changes apply immediately and are persisted to
+   <span class="mono">settings.json</span> under the config dir.</p>
+
+<form class="card" method="post" action="<%= prefix %>/settings">
+  <label>Shared sign-in password</label>
+  <input type="text" name="shared_password" value="<%= h(config.shared_password) %>">
+  <p class="muted">Type this on the login form to succeed; anything else exercises the provider's error path.</p>
+
+  <label>Token signing</label>
+  <select name="signing">
+    <option value="hs256" <%= "selected" unless config.rs256? %>>HS256 — shared key (simplest; clients don't verify)</option>
+    <option value="rs256" <%= "selected" if config.rs256? %>>RS256 — RSA + published JWKS (for clients that verify)</option>
+  </select>
+
+  <p><button class="primary" type="submit">Save settings</button></p>
+</form>
+
+<div class="card">
+  <h2 style="margin-top:0;border:0;padding:0">Boot-time (read-only)</h2>
+  <table>
+    <tr><th>Listen</th><td class="mono"><%= h(config.host) %>:<%= config.port %></td></tr>
+    <tr><th>Base URL</th><td class="mono"><%= h(config.base_url) %></td></tr>
+    <tr><th>Config dir</th><td class="mono"><%= h(config.config_dir) %></td></tr>
+    <tr><th>LDAP base DN</th><td class="mono"><%= h(config.ldap_base_dn) %></td></tr>
+  </table>
+  <p class="muted">These are set via CLI flags / env at boot.</p>
+</div>

data/lib/identizer.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "json"
+require "fileutils"
+require "securerandom"
+require "cgi"
+require "openssl"
+require "base64"
+require "digest"
+require "rack"
+require "jwt"
+
+require_relative "identizer/version"
+require_relative "identizer/identity"
+require_relative "identizer/authorization"
+require_relative "identizer/grant_store"
+require_relative "identizer/providers"
+require_relative "identizer/directory_entry"
+require_relative "identizer/identity_store"
+require_relative "identizer/configuration"
+require_relative "identizer/token_minter"
+require_relative "identizer/responses"
+require_relative "identizer/renderer"
+require_relative "identizer/docs"
+require_relative "identizer/handlers/base"
+require_relative "identizer/handlers/overview"
+require_relative "identizer/handlers/directory"
+require_relative "identizer/handlers/settings"
+require_relative "identizer/handlers/docs"
+require_relative "identizer/handlers/login"
+require_relative "identizer/handlers/cognito"
+require_relative "identizer/handlers/auth0"
+require_relative "identizer/handlers/auth0_management"
+require_relative "identizer/handlers/oidc"
+require_relative "identizer/handlers/saml"
+require_relative "identizer/app"
+require_relative "identizer/tls"
+require_relative "identizer/server"
+
+# Identizer is a local identity provider for developing and testing auth/SSO
+# integrations. It speaks OIDC, OAuth2 and emulates an AWS Cognito / Auth0 SSO
+# broker, with a pluggable identity store.
+module Identizer
+  class << self
+    def configure
+      yield(configuration) if block_given?
+      configuration
+    end
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def reset_configuration!
+      @configuration = Configuration.new
+    end
+
+    # Build a fresh Rack app for the given configuration (defaults to the
+    # process-wide configuration).
+    def app(config = configuration)
+      App.new(config)
+    end
+  end
+end

metadata

@@ -0,0 +1,282 @@
+--- !ruby/object:Gem::Specification
+name: identizer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alex Andreiev
+bindir: exe
+cert_chain: []
+date: 2026-06-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.65'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.65'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: |
+  Identizer boots a local identity provider that emulates OIDC, OAuth2 and an
+  AWS Cognito / Auth0 SSO broker, so the whole popup -> callback -> login round
+  trip can be configured and run locally without real tenants. Installable as a
+  gem, runnable standalone or mountable as a Rack app in tests.
+executables:
+- identizer
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- exe/identizer
+- lib/identizer.rb
+- lib/identizer/app.rb
+- lib/identizer/authorization.rb
+- lib/identizer/cli.rb
+- lib/identizer/configuration.rb
+- lib/identizer/directory_entry.rb
+- lib/identizer/docs.rb
+- lib/identizer/grant_store.rb
+- lib/identizer/handlers/auth0.rb
+- lib/identizer/handlers/auth0_management.rb
+- lib/identizer/handlers/base.rb
+- lib/identizer/handlers/cognito.rb
+- lib/identizer/handlers/directory.rb
+- lib/identizer/handlers/docs.rb
+- lib/identizer/handlers/login.rb
+- lib/identizer/handlers/oidc.rb
+- lib/identizer/handlers/overview.rb
+- lib/identizer/handlers/saml.rb
+- lib/identizer/handlers/settings.rb
+- lib/identizer/identity.rb
+- lib/identizer/identity_store.rb
+- lib/identizer/identity_store/sqlite_store.rb
+- lib/identizer/ldap.rb
+- lib/identizer/ldap/filter.rb
+- lib/identizer/ldap/handler.rb
+- lib/identizer/ldap/server.rb
+- lib/identizer/providers.rb
+- lib/identizer/renderer.rb
+- lib/identizer/responses.rb
+- lib/identizer/saml.rb
+- lib/identizer/saml/encryptor.rb
+- lib/identizer/saml/keypair.rb
+- lib/identizer/saml/response_builder.rb
+- lib/identizer/saml/signer.rb
+- lib/identizer/server.rb
+- lib/identizer/tls.rb
+- lib/identizer/token_minter.rb
+- lib/identizer/version.rb
+- lib/identizer/web/views/directory/index.html.erb
+- lib/identizer/web/views/docs/broker-app.html.erb
+- lib/identizer/web/views/docs/cognito.html.erb
+- lib/identizer/web/views/docs/getting-started.html.erb
+- lib/identizer/web/views/docs/index.html.erb
+- lib/identizer/web/views/docs/ldap.html.erb
+- lib/identizer/web/views/docs/oidc.html.erb
+- lib/identizer/web/views/docs/saml.html.erb
+- lib/identizer/web/views/docs/tls.html.erb
+- lib/identizer/web/views/docs/troubleshooting.html.erb
+- lib/identizer/web/views/layout.html.erb
+- lib/identizer/web/views/login.html.erb
+- lib/identizer/web/views/overview/index.html.erb
+- lib/identizer/web/views/settings/index.html.erb
+homepage: https://github.com/alex-andreiev/identizer
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/alex-andreiev/identizer
+  changelog_uri: https://github.com/alex-andreiev/identizer/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.2
+specification_version: 4
+summary: A local identity provider for developing and testing auth/SSO integrations.
+test_files: []