OpenBadge: Open-Source Credentialing System for CCSO featured image

OpenBadge: Open-Source Credentialing System for CCSO

A self-hosted, open-source alternative to Canvas badging that enables the Penn State CCSO to issue, manage, and verify digital badges without vendor lock-in or recurring fees.

Contributors: Aiden Johnson

Overview

When Canvas abruptly revoked all previously issued badges and gated the feature behind a paid subscription, the Penn State Competitive Cyber Security Organization (CCSO) lost its entire credentialing system overnight. Hundreds of member achievements—earned through workshops, competitions, and leadership roles—became inaccessible. The organization needed a self-hosted, open-source replacement that gave them complete control over their data and recognition workflows without recurring fees.

OpenBadge was built to fill that gap. It is a lightweight, customizable platform for creating, issuing, and verifying digital badges. Unlike vendor-locked solutions, OpenBadge stores all badge definitions, issuance records, and verification logic within a self-managed database, ensuring that the CCSO retains full ownership and can continue its recognition program indefinitely, regardless of external platform changes.

Since its deployment, OpenBadge has become the central hub for member credentialing at CCSO. It integrates seamlessly with the organization’s existing infrastructure—including MRM360, the workshop check-in system, for automated event-based issuance—and provides a polished admin interface for officers to manage the entire lifecycle of a badge.

Key Features

  • Self-Hosted Badge Lifecycle Management: Complete control over badge creation, metadata, design assets, and issuance rules. All data resides in a dedicated PostgreSQL database, eliminating vendor lock-in and recurring SaaS expenses.
  • Automated MRM360-Triggered Issuance: Badges are automatically granted when members check into enough workshops tracked by MRM360, the organization’s workshop management system. Webhooks from MRM360 instantly call the OpenBadge API to generate and assign credentials based on attendance thresholds.
  • Forgery-Resistant Public Verification: Every badge includes a unique, shareable URL that displays the credential’s details. A digitally signed JWT embedded in a QR code enables offline verification, so badge integrity can be confirmed without relying on a live server.
  • Role-Based Admin Dashboard: A Vue.js-based interface lets officers with appropriate permissions create badge templates, bulk-issue credentials, review issuance history, and generate reports—all without touching the command line.
  • Data Portability & Interoperability: Badge definitions follow the Open Badges standard (IMS Global), allowing credentials to be exported as JSON-LD. Full database and media exports are available to prevent the data loss experienced during the Canvas transition.

Technologies & Implementation

OpenBadge’s stack was chosen to align with the CCSO’s existing infrastructure and to minimize operational overhead:

  • Backend: Node.js with Express.js provides a fast, event-driven API. Its lightweight footprint allows it to coexist on the same bare-metal homelab server running other CCSO services.
  • Frontend: Vue.js delivers a responsive, single-page admin dashboard that handles real-time badge previews, bulk operations, and badge management workflows.
  • Database: PostgreSQL was chosen over document stores because the relational schema naturally models badge types, issuances, and member records, enabling complex reporting without sacrificing performance.
  • Verification Logic: Badge issuance generates a cryptographically signed JSON Web Token (JWT) containing the recipient, criteria hash, and a checksum of the badge image. The token is embedded in a QR code, allowing anyone with the public key to verify authenticity offline.
  • Deployment: Docker Compose orchestrates the API, frontend, database, and a file storage volume. This enables one-command deployment and makes the platform trivial to update or migrate.
graph TD
  A["MRM360 (Workshop Check-in)"] -->|"Check-in Events"| B["Express API"]
  C["Admin Dashboard (Vue.js)"] --> B
  B --> D["PostgreSQL"]
  B --> E["File Storage (Badge Images)"]
  F["Badge Recipient"] -->|"Verification URL"| G["Verification Endpoint"]
  G --> B
  B --> H["JWT Signing Service"]
  H -->|"Public Key"| I["Offline Verification"]

Challenges & Solutions

Challenge: Migrating from a Proprietary Badge System with No Export Canvas provided no standard way to export existing badge designs or issuance records. All historical data was effectively lost the moment the feature was disabled. The team had to reconstruct critical credentials—such as officer appointments and competition awards—from screenshots, emails, and member testimonies.

Solution: We adopted the Open Badges v2.0 specification (a JSON-LD based format) for all new badges. This ensured future-proof interoperability and provided a machine-readable structure. A manual reconciliation process was used to reissue high-priority historical badges, and the platform now enforces a strict backup policy to prevent any similar data loss.

Challenge: Ensuring Verifiable Credentials Without a Permanent Online Authority Unlike Canvas, which validates badges through its own always-available infrastructure, OpenBadge needed to remain verifiable even if the self-hosted instance was temporarily unreachable or eventually taken offline. A purely server-side validation model would create a future single point of failure.

Solution: Each badge carries a self-contained JWT with all relevant metadata and a digital signature. The public verification endpoint only serves as a convenience; the core validity can be checked offline by any verifier in possession of the public key. This design was inspired by decentralized identity principles and ensures that CCSO credentials remain trustworthy long after issuance, even if the hosting environment changes.

Results & Impact

OpenBadge replaced the deprecated Canvas system and has become the official credentialing platform for the Penn State CCSO. Since its launch:

  • 50+ badge types have been created, spanning workshops, competitions, officer roles, and special achievements.
  • 200+ credentials have been issued without a single recurring cost to the organization.
  • Batch issuance time dropped from hours (using manual Canvas workarounds) to under two minutes for a cohort of 30 members.
  • Members now actively share their verified badges on LinkedIn and resumes, increasing the visibility and perceived value of CCSO participation.

Planned enhancements include a public badge directory and direct integration with the CCSO’s CTF platform (Wiretap) to auto-award badges upon challenge completion.

{TODO: Add screenshot of the badge admin dashboard showing badge editor and issuance log}