Basic OpenID Provider
Pierre HUBERT ce76861739
Update Rust crate url to v2.5.1
2024-06-11 00:18:18 +00:00

Basic OIDC


Basic & lightweight OpenID provider, written in Rust using the Actix framework.

WARNING: This tool has not been audited, use it at your own risk!

BasicOIDC operates without any database, just with three files:

  • clients.yaml: a list of authorized relying parties.
  • providers.yaml: a list of upstream providers for authentication federation (this file is optional)
  • users.json: a list of users, managed through a web UI.


You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax:

  # Client ID
- id: gitea
  # Client name
  name: Gitea
  # Client description
  description: Git with a cup of tea
  # Client secret. Specify this value to use the authorization code flow; remove it for the implicit authentication flow
  secret: TOP_SECRET
  # The URL where the user shall be redirected after authentication
  # Optional, if you want new accounts to be granted access to this client by default
  default: true
  # Optional, if you want the client to be granted to every user, regardless of their account configuration
  granted_to_all_users: true
  # Optional, if you want users to have performed a recent second-factor authentication before accessing this client, set this setting to true
  enforce_2fa_auth: true
  # Optional, claims to be added to the ID token payload.
  # The following placeholders can be used; they will be replaced when the token is created:
  # * {username}: user name of the user
  # * {mail}: email address of the user
  # * {first_name}: first name of the user
  # * {last_name}: last name of the user
  # * {uid}: user id of the user
  claims_id_token:
    groups: ["group_{user}"]
    service: "auth"
  # Optional, claims to be added to the user info endpoint response
  # The placeholders of `claims_id_token` can also be used here
    groups: ["group_{user}"]
    service: "auth"
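The access-control options above (granted_to_all_users, the account's own list of authorized clients, and enforce_2fa_auth, which asks for a recent second-factor check) combine into a single decision at login time. The following Rust is an added illustration of that decision, not BasicOIDC's own code; the struct fields, the RECENT_2FA_WINDOW value and the Denial reasons are assumptions.

```rust
use std::time::{Duration, SystemTime};

/// Subset of a clients.yaml entry (illustrative, not the project's own type).
#[derive(Debug, Clone)]
pub struct Client {
    pub id: String,
    pub granted_to_all_users: bool,
    pub enforce_2fa_auth: bool,
}

/// Subset of a users.json record (illustrative).
#[derive(Debug, Clone)]
pub struct User {
    /// Client IDs explicitly granted on this account.
    pub authorized_clients: Vec<String>,
    /// When the user last completed a second-factor check, if ever.
    pub last_2fa_auth: Option<SystemTime>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denial {
    NotGranted,
    SecondFactorRequired,
}

/// How recent a 2FA check must be to count as "recent" (assumed value).
pub const RECENT_2FA_WINDOW: Duration = Duration::from_secs(10 * 60);

/// Decide whether `user` may be sent to `client` right now.
pub fn check_access(client: &Client, user: &User, now: SystemTime) -> Result<(), Denial> {
    // A client is reachable if it is granted to everybody or listed on the account.
    let granted = client.granted_to_all_users
        || user.authorized_clients.iter().any(|c| c == &client.id);
    if !granted {
        return Err(Denial::NotGranted);
    }
    // enforce_2fa_auth requires a *recent* second factor: a missing timestamp,
    // a stale one, or one in the future (clock skew) all trigger a new 2FA prompt.
    if client.enforce_2fa_auth {
        let fresh = user
            .last_2fa_auth
            .and_then(|t| now.duration_since(t).ok())
            .map_or(false, |age| age <= RECENT_2FA_WINDOW);
        if !fresh {
            return Err(Denial::SecondFactorRequired);
        }
    }
    Ok(())
}
```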

On the first run, BasicOIDC will create a new administrator with credentials admin / admin. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create at least an empty clients.yaml file inside the storage directory.


  • authorization_code flow
  • implicit flow
  • Client authentication using secrets
  • Brute-force protection
  • Two-factor authentication
    • TOTP (authenticator app)
    • Security key (WebAuthn)
  • Fully responsive web UI
  • robots.txt prevents indexing
  • Authentication through an upstream provider

Add an upstream provider

You can add as many upstream providers as you want, using the following syntax in providers.yaml:

- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL

Warning! Self-registration has not been implemented, therefore the accounts must have been previously created through the administration.


You will need the Rust toolchain to compile this project. To build it for production, just run:

cargo build --release

Testing with OAuth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering that $IP is your local IP address):

export IP=

# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://$"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://$ --http-address  --upstream http://$IP --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false

Corresponding client configuration:

- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth

Note: We need to use a real domain name instead of an IP address because of webauthn-rs crate limitations. We therefore use the domain helper.

OAuth proxy can then be accessed at this URL:


If you wish to contribute to this software, feel free to send an email to to get an account on my system, managed by BasicOIDC :)