Canonical docs site route:
https://docs.protocolsoup.com/start-here/platform-at-a-glance/This legacy file remains for in-repo context; public navigation should use the docs site route.
The Security Protocol Showcase is built as a modular, extensible platform for demonstrating authentication and authorization protocols. The architecture emphasizes separation of concerns, testability, and the ability to add new protocols without modifying core infrastructure.
┌─────────────────────────────────────────────────────────────────┐
│ Frontend (React) │
├─────────────────────────────────────────────────────────────────┤
│ Dashboard │ Protocol Demo │ Looking Glass │ Callback │
├─────────────────────────────────────────────────────────────────┤
│ Components: TokenInspector, FlowDiagram, Timeline, RequestView │
└───────────────────────────┬─────────────────────────────────────┘
│ HTTP/WebSocket
▼
┌─────────────────────────────────────────────────────────────────┐
│ Backend (Go) │
├─────────────────────────────────────────────────────────────────┤
│ Core Server │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ Config │ │ Middleware │ │ Router (chi) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────────┘ │
├─────────────────────────────────────────────────────────────────┤
│ Plugin Registry │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ OAuth 2.0 Plugin │ OIDC Plugin │ Future Plugins... │ │
│ └─────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────────┤
│ Shared Services │
│ ┌───────────┐ ┌───────────────┐ ┌─────────────────────────┐ │
│ │ Crypto │ │ Looking Glass │ │ Mock IdP │ │
│ │ (JWT/JWK) │ │ Engine │ │ (Users, Clients, Codes) │ │
│ └───────────┘ └───────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
The plugin architecture allows protocols to be added independently while sharing common infrastructure:
type ProtocolPlugin interface {
// Metadata
Info() PluginInfo
// Lifecycle
Initialize(ctx context.Context, config PluginConfig) error
Shutdown(ctx context.Context) error
// HTTP routing
RegisterRoutes(router chi.Router)
// Looking Glass integration
GetInspectors() []Inspector
GetFlowDefinitions() []FlowDefinition
// Demo capabilities
GetDemoScenarios() []DemoScenario
}Benefits:
- Each protocol is self-contained
- Easy to add/remove protocols
- Shared infrastructure (crypto, IdP)
- Consistent API patterns
Real-time protocol inspection via WebSocket:
┌─────────────────────────────────────────────────────────────────┐
│ Looking Glass Engine │
├─────────────────────────────────────────────────────────────────┤
│ Session Manager │ Event Broadcaster │ Token Decoder │
├─────────────────────────────────────────────────────────────────┤
│ WebSocket Hub │
│ - Client connections per session │
│ - Event fan-out │
│ - Session lifecycle │
└─────────────────────────────────────────────────────────────────┘
Event Types:
flow.step- Protocol flow progressiontoken.issued- New token createdrequest.sent- HTTP request capturedresponse.received- HTTP response capturedsecurity.warning- Security annotationcrypto.operation- Cryptographic operation
JWT/JWK utilities with support for multiple algorithms:
type KeySet struct {
rsaKey *rsa.PrivateKey // RS256
ecKey *ecdsa.PrivateKey // ES256
// Key IDs for rotation
}
type JWTService struct {
keySet *KeySet
issuer string
}Capabilities:
- Key generation (RSA 2048, EC P-256)
- JWT creation/validation
- JWKS endpoint support
- Key rotation
Self-contained IdP for demonstrations:
type MockIdP struct {
users map[string]*User
clients map[string]*Client
authCodes map[string]*AuthorizationCode
sessions map[string]*Session
refreshTokens map[string]*RefreshToken
}Features:
- Pre-configured demo users
- Multiple client types (confidential, public, M2M)
- PKCE validation
- Refresh token rotation
src/
├── components/
│ ├── common/
│ │ └── Layout.tsx # Main layout with navigation
│ └── lookingglass/
│ ├── TokenInspector.tsx # JWT decoding and annotation
│ ├── FlowDiagram.tsx # Animated protocol flows
│ ├── RequestViewer.tsx # HTTP request/response display
│ └── Timeline.tsx # Event timeline
├── pages/
│ ├── Dashboard.tsx # Landing page with protocol list
│ ├── ProtocolDemo.tsx # Interactive protocol demos
│ ├── LookingGlass.tsx # Real-time inspection view
│ └── Callback.tsx # OAuth callback handler
└── hooks/
├── useWebSocket.ts # WebSocket connection management
└── useProtocol.ts # Protocol state management
Using React hooks and Zustand for lightweight state:
// Protocol state
const useProtocolState = () => {
const [currentFlow, setCurrentFlow] = useState(null)
const [tokens, setTokens] = useState({})
// ...
}
// WebSocket connection
const useWebSocket = (url) => {
const [connected, setConnected] = useState(false)
const [lastMessage, setLastMessage] = useState(null)
// Auto-reconnect logic
}1. User clicks "Start Demo"
└─> Frontend creates PKCE challenge
└─> Stores verifier in sessionStorage
2. Redirect to /oauth2/authorize
└─> Backend validates request
└─> Shows login page with demo users
3. User submits credentials
└─> Backend validates credentials
└─> Creates authorization code
└─> Stores PKCE challenge
└─> Redirects to callback
4. Frontend /callback receives code
└─> Exchanges code + verifier for tokens
└─> Backend validates PKCE
└─> Returns access_token, refresh_token, id_token
5. Frontend displays decoded tokens
└─> TokenInspector shows claims
└─> Security annotations displayed
1. Start demo session
└─> POST /api/protocols/{id}/demo/{flow}
└─> Creates session in Looking Glass engine
└─> Returns session ID and WebSocket URL
2. Connect WebSocket
└─> WS /ws/lookingglass/{session}
└─> Receives historical events
└─> Subscribes to new events
3. Protocol execution
└─> Each step emits events
└─> Events broadcast to all connected clients
└─> UI updates in real-time
- HTTPS: Always use TLS in production
- Key Management: Use proper key storage (HSM, KMS)
- Token Storage: Use secure, httpOnly cookies for refresh tokens
- CORS: Restrict to known origins
- Rate Limiting: Implement per-client rate limits
The showcase uses appropriate security for demonstration purposes:
- Keys generated at startup (rotatable)
- Sessions expire after 24 hours
- Authorization codes expire after 10 minutes
- PKCE required for public clients
- State parameter for CSRF protection
- Create plugin directory:
internal/protocols/newprotocol/ - Implement
ProtocolPlugininterface - Register in
cmd/server/main.go - Add frontend components in
src/components/protocols/newprotocol/
See ADDING_PROTOCOLS.md for detailed guide.
Each plugin can define demo scenarios:
func (p *Plugin) GetDemoScenarios() []plugin.DemoScenario {
return []plugin.DemoScenario{
{
ID: "new_scenario",
Name: "New Demo",
Description: "Description",
Steps: []plugin.DemoStep{...},
},
}
}- Go's efficiency handles concurrent connections well
- WebSocket hub uses goroutines for fan-out
- In-memory storage (sufficient for demo purposes)
- React 18 with concurrent features
- Lazy loading for protocol-specific components
- Framer Motion for smooth animations
- TailwindCSS for minimal CSS bundle