Image: ghcr.io/parlesec/protocolsoup-federationPurpose: Run OAuth 2.0, OpenID Connect, SAML 2.0, OID4VCI, and OID4VP endpoints in one service runtime.Topology role: Core protocol service; can run standalone or behind protocolsoup-gateway.
8080/tcp: protocol endpoints, API index, and health checks.
No external database is required for a basic run.
Optional companion services:
protocolsoup-gateway for unified routing.protocolsoup-wallet for OID4VP wallet callback automation.
Variable
Required
Default
Description
SHOWCASE_LISTEN_ADDRNo
:8080Listen address
SHOWCASE_BASE_URLNo
http://localhost:8080Public issuer/base URL used in generated metadata and tokens
SHOWCASE_CORS_ORIGINSNo
http://localhost:3000,http://localhost:5173Allowed CORS origins
SHOWCASE_ENVNo
developmentRuntime environment label
SHOWCASE_MOCK_IDPNo
trueEnable built-in mock identity provider
SHOWCASE_DATA_DIRNo
(none)Enables durable VC wallet-credential and verifier-session persistence
MOCKIDP_ALICE_PASSWORDNo
(auto-generated)Demo user password override
MOCKIDP_BOB_PASSWORDNo
(auto-generated)Demo user password override
MOCKIDP_ADMIN_PASSWORDNo
(auto-generated)Demo user password override
MOCKIDP_DEMO_CLIENT_SECRETNo
(auto-generated)OAuth/OIDC demo-app client secret override
MOCKIDP_MACHINE_CLIENT_SECRETNo
(auto-generated)OAuth machine-client secret override
Stateless by default.
If SHOWCASE_DATA_DIR is set, mount a persistent volume (for example /app/data) to keep VC-related state across restarts.
GET /health returns runtime health.GET /api returns protocol and endpoint index metadata.Container healthchecks typically probe /health.
GET|POST /oauth2/authorizePOST /oauth2/tokenPOST /oauth2/introspectPOST /oauth2/revokeGET /oauth2/demo/usersGET /oauth2/demo/clients
GET /oidc/.well-known/openid-configurationGET /oidc/.well-known/jwks.jsonGET /oidc/authorizePOST /oidc/tokenGET|POST /oidc/userinfo
GET /saml/metadataGET|POST /saml/ssoGET|POST /saml/acsGET|POST /saml/sloGET /saml/demo/users
Verifiable Credentials (Mounted Modules)
GET /.well-known/openid-credential-issuer/oid4vciPOST /oid4vci/*POST /oid4vp/request/createGET|POST /oid4vp/request/{requestID}GET /oid4vp/verifier-attestation/.well-known/openid-configurationGET /oid4vp/verifier-attestation/.well-known/oauth-authorization-serverGET /oid4vp/verifier-attestation/jwksPOST /oid4vp/responseGET /oid4vp/result/{requestID}
docker run -p 8080:8080 \
-e SHOWCASE_BASE_URL=http://localhost:8080 \
-e SHOWCASE_DATA_DIR=/app/data \
-v federation-data:/app/data \
ghcr.io/parlesec/protocolsoup-federation:latest services :
federation-service :
image : ghcr.io/parlesec/protocolsoup-federation:latest
ports :
- " 8080:8080" environment :
- SHOWCASE_BASE_URL=http://localhost:8080
- SHOWCASE_DATA_DIR=/app/data
volumes :
- federation-data:/app/data
Set SHOWCASE_BASE_URL to your external HTTPS origin.
Restrict SHOWCASE_CORS_ORIGINS to trusted production origins.
Override autogenerated mock credentials in shared environments.
Keep services on private networks when fronted by a gateway or reverse proxy.
Persist VC state (SHOWCASE_DATA_DIR) on protected storage if replay/audit continuity matters.
OIDC discovery issuer mismatch: ensure SHOWCASE_BASE_URL matches the URL clients call.Login succeeds but client exchange fails: verify demo client secret via /oauth2/demo/clients.OID4VP result not found after restart: configure persistent SHOWCASE_DATA_DIR.Browser CORS errors: check SHOWCASE_CORS_ORIGINS includes the frontend origin.
latest is published from default-branch builds.sha-* tags are emitted per build for immutable traceability.release tags publish semver variants (vX.Y.Z, vX.Y, vX).