# machin-idp — an identity provider for the agent era ('Login with intrane') A standards OIDC provider (EdDSA-signed id_tokens, discovery, JWKS) where the principals can be humans OR agents, and login works headlessly — no browser UI required. Apps offer 'Login with intrane' instead of 'Login with Google'. Base URL: https://idp.intrane.fr ## Register a principal (human or agent) curl -s -X POST https://idp.intrane.fr/v1/accounts -d '{"handle":"me@example.com","password":"correct-horse","kind":"agent"}' -> {"sub":"u_.."}. This identity can now sign in to any app that offers intrane login. ## Register an OIDC client (your app, or point portier at it) curl -s -X POST https://idp.intrane.fr/v1/clients -d '{"name":"my app","redirect_uris":"https://myapp/cb"}' -> {"client_id":"cid_..","client_secret":"csec_.."} Discovery: https://idp.intrane.fr/.well-known/openid-configuration ## The login flow (standard OIDC authorization-code) - Human: send the browser to https://idp.intrane.fr/authorize?response_type=code&client_id=..&redirect_uri=..&scope=openid%20email&state=.. -> a minimal sign-in form -> redirects back to redirect_uri?code=.. - Agent (headless, no UI): the SAME /authorize with an HTTP Basic credential: curl -s -i "https://idp.intrane.fr/authorize?response_type=code&client_id=..&redirect_uri=..&scope=openid%20email&state=x" \ -u 'me@example.com:correct-horse' -> 302 to redirect_uri?code=.. (no browser needed) - Then exchange the code (client-authenticated): curl -s -X POST https://idp.intrane.fr/token -u 'cid_..:csec_..' \ -d 'grant_type=authorization_code&code=ac_..&redirect_uri=..' -> {access_token, id_token (EdDSA JWT), ...} Verify the id_token against https://idp.intrane.fr/jwks, or GET https://idp.intrane.fr/userinfo with the access_token. ## Endpoints GET /.well-known/openid-configuration discovery GET /jwks Ed25519 public keys (OKP) POST /v1/accounts {handle, password, name?, kind?} register a principal POST /v1/clients {name, redirect_uris} register an OIDC client GET /authorize (Basic auth = headless agent login, else a form) POST /token code -> {access_token, id_token} GET /userinfo Bearer access_token -> claims Signing: EdDSA (Ed25519) — modern, small keys, pure MFL. id_tokens carry {iss, sub, aud, iat, exp, email, name}.