# Basic OIDC

[![Build Status](https://drone.communiquons.org/api/badges/pierre/BasicOIDC/status.svg)](https://drone.communiquons.org/pierre/BasicOIDC)

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

**WARNING:** This tool has not been audited, use it at your own risk!

BasicOIDC operates without any database, just with three files:

* `clients.yaml`: a list of authorized relying parties.
* `providers.yaml`: a list of upstream providers for authentication federation (this file is optional).
* `users.json`: a list of users, managed through a web UI.

## Configuration

You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax:
```yaml
# Client ID
- id: gitea
  # Client name
  name: Gitea
  # Client description
  description: Git with a cup of tea
  # Client secret. Specify this value to use the authorization code flow, remove it for the implicit authentication flow
  secret: TOP_SECRET
  # The URL where the user shall be redirected after authentication
  redirect_uri: https://mygit.mywebsite.com/
  # Optional, if you want new accounts to be granted access to this client by default
  default: true
  # Optional, if you want the client to be granted to every user, regardless of their account configuration
  granted_to_all_users: true
  # Optional, if you want users to have performed recent second factor authentication before accessing this client, set this setting to true
  enforce_2fa_auth: true
  # Optional, claims to be added to the ID token payload.
  # The following placeholders can be set, they will be replaced when the token is created:
  # * {username}: user name of the user
  # * {mail}: email address of the user
  # * {first_name}: first name of the user
  # * {last_name}: last name of the user
  # * {uid}: user id of the user
  claims_id_token:
    groups: ["group_{user}"]
    service: "auth"
  # Optional, claims to be added to the user info endpoint response
  # The placeholders of `claims_id_token` can also be used here
  claims_user_info:
    groups: ["group_{user}"]
    service: "auth"
```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create at least an empty `clients.yaml` file inside the storage directory.
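Added example, not code from BasicOIDC: it renders the claim placeholders listed above for one user and lints a client entry for the settings that weaken it (no `secret`, so the implicit flow is used; a non-HTTPS `redirect_uri`; `granted_to_all_users` without `enforce_2fa_auth`). The client entry is the README's `gitea` example in parsed form with `{username}` from the placeholder list, and the user record is constructed, so the script runs without a YAML library.

```python
import re
from typing import Any

# Placeholders documented for claims_id_token / claims_user_info.
PLACEHOLDERS = {"username", "mail", "first_name", "last_name", "uid"}
_PLACEHOLDER_RE = re.compile(r"\{([a-z_]+)\}")


def render_claims(claims: Any, user: dict) -> Any:
    """Replace {username}, {mail}, ... in strings, recursing into lists and dicts.
    An unknown placeholder raises, so a typo is caught when the config is checked."""
    if isinstance(claims, str):
        def sub(match):
            key = match.group(1)
            if key not in PLACEHOLDERS:
                raise ValueError("unknown placeholder {" + key + "}")
            return str(user[key])
        return _PLACEHOLDER_RE.sub(sub, claims)
    if isinstance(claims, list):
        return [render_claims(item, user) for item in claims]
    if isinstance(claims, dict):
        return {k: render_claims(v, user) for k, v in claims.items()}
    return claims


def lint_client(client: dict) -> list:
    """Warnings a reviewer would raise about one clients.yaml entry."""
    warnings = []
    if "secret" not in client:
        warnings.append("no secret: implicit flow, tokens are returned in the URL fragment")
    if not str(client.get("redirect_uri", "")).startswith("https://"):
        warnings.append("redirect_uri is not https")
    if client.get("granted_to_all_users") and not client.get("enforce_2fa_auth"):
        warnings.append("granted to all users without enforce_2fa_auth")
    return warnings


# Constructed sample: the README's gitea entry in parsed form, plus a made-up user.
GITEA = {
    "id": "gitea", "name": "Gitea", "secret": "TOP_SECRET",
    "redirect_uri": "https://mygit.mywebsite.com/", "granted_to_all_users": True,
    "claims_id_token": {"groups": ["group_{username}"], "service": "auth"},
}
USER = {"username": "alice", "mail": "alice@example.org", "first_name": "Alice",
        "last_name": "Doe", "uid": 42}

if __name__ == "__main__":
    print(render_claims(GITEA["claims_id_token"], USER))
    print(lint_client(GITEA))
```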
## Features

* [x] `authorization_code` flow
* [x] `implicit` flow
* [x] Client authentication using secrets
* [x] Bruteforce protection
* [x] Two-factor authentication
  * [x] TOTP (authenticator app)
  * [x] Using a security key (Webauthn)
* [ ] Fully responsive webui
* [x] `robots.txt` prevents indexing
* [x] Support authentication from upstream provider

## Add an upstream provider

You can add as many upstream providers as you want, using the following syntax in `providers.yaml`:
```yaml
- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration
```

> Warning! Self-registration has not been implemented, therefore the accounts must have been previously created through the administration.
## Compiling
You will need the Rust toolchain to compile this project. To build it for production, just run:
```bash
cargo build --release
```
## Testing with OAuth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):
```bash
export IP=192.168.2.103

# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest \
  --provider=oidc --email-domain=* \
  --client-id=oauthproxy --client-secret=secretoauth \
  --cookie-secret=SECRETCOOKIE1234 \
  --oidc-issuer-url=http://$IP.nip.io:8000 \
  --http-address 0.0.0.0:4180 --upstream http://$IP \
  --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false
```
Corresponding client configuration:
```yaml
- id: oauthproxy
name: Oauth proxy
description: oauth proxy
secret: secretoauth
redirect_uri: http://192.168.2.103:4180/
```
> Note: We do need to use a real domain name instead of an IP address due to the `webauthn-rs` crate limitations. We therefore use the `nip.io` domain helper.

OAuth proxy can then be accessed at this URL: http://192.168.2.103:4180/

## Contributing
If you wish to contribute to this software, feel free to send an email to contact@communiquons .org to get an account on my system, managed by BasicOIDC :)