pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests 3 Projects Releases Wiki Activity
015af141d0
BasicOIDC/README.md
Pierre HUBERT 91ef6c25d5
All checks were successful
continuous-integration/drone/push Build is passing
Details
Can define additional claims on per-client basis
2024-03-31 18:37:08 +02:00

4.6 KiB
Raw Blame History

Basic OIDC

Build Status

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

WARNING : This tool has not been audited, use it at your own risks!

BasicOIDC operates without any database, just with three files :

  • clients.yaml: a list of authorized relying parties.
  • providers.yaml: a list of upstream providers for authentication federation (this file is optional)
  • users.json: a list of users, managed through a web UI.

Configuration

You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax :

  # Client ID
- id: gitea
  # Client name
  name: Gitea
  # Client description
  description: Git with a cup of tea
  # Client secret. Specify this value to use authorization code flow, remove it for implicit authentication flow
  secret: TOP_SECRET
  # The URL where user shall be redirected after authentication
  redirect_uri: https://mygit.mywebsite.com/
  # Optional, If you want new accounts to be granted access to this client by default
  default: true
  # Optional, If you want the client to be granted to every user, regardless their account configuration
  granted_to_all_users: true
  # Optional, If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
  enforce_2fa_auth: true
  # Optional, claims to be added to the ID token payload.
  # The following placeholders can be set, they will the replaced when the token is created:
  # * {username}: user name of the user
  # * {mail}: email address of the user
  # * {first_name}: first name of the user
  # * {last_name}: last name of the user
  # * {uid}: user id of the user
  claims_id_token:
    groups: ["group_{user}"]
    service: "auth"
  # Optional, claims to be added to the user info endpoint response
  # The placeholders of `claims_id_token` can also be used here 
  claims_user_info:
    groups: ["group_{user}"]
    service: "auth"

On the first run, BasicOIDC will create a new administrator with credentials admin / admin. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create a least an empty clients.yaml file inside the storage directory.

Features

  • authorization_code flow
  • implicit flow
  • Client authentication using secrets
  • Bruteforce protection
  • 2 factors authentication
    • TOTP (authenticator app)
    • Using a security key (Webauthn)
  • Fully responsive webui
  • robots.txt prevents indexing
  • Support authentication from upstream provider

Add an upstream provider

You can add as much upstream provider as you want, using the following syntax in providers.yaml:

- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration

Warning! Self-registration has not been implemented, therfore the accounts must have been previously created through the administration.

Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

cargo build --release

Testing with OAauth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering 192.168.2.103 is your local IP address):

export IP=192.168.2.103

# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://$IP.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://$IP --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false

Corresponding client configuration:

- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/

Note: We do need to use real domain name instead of IP address due to the webauthn-rs crate limitations. We therefore use the nip.io domain helper.

OAuth proxy can then be access on this URL: http://192.168.2.103:4180/

Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)