Basic OIDC
Basic & lightweight OpenID provider, written in Rust using the Actix framework.
WARNING: This tool has not been audited, use it at your own risk!
BasicOIDC operates without any database, just with three files:
- clients.yaml: a list of authorized relying parties.
- providers.yaml: a list of upstream providers for authentication federation (this file is optional).
- users.json: a list of users, managed through a web UI.
Configuration
You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax:
# Client ID
- id: gitea
  # Client name
  name: Gitea
  # Client description
  description: Git with a cup of tea
  # Client secret. Set it to use the authorization code flow; omit it to use the implicit flow
  secret: TOP_SECRET
  # The URL the user is redirected to after authentication
  redirect_uri: https://mygit.mywebsite.com/
  # Optional: grant new accounts access to this client by default
  default: true
  # Optional: grant this client to every user, regardless of their account configuration
  granted_to_all_users: true
  # Optional: require a recent second-factor authentication before a user may access this client
  enforce_2fa_auth: true
  # Optional: claims to be added to the ID token payload.
  # The following placeholders can be used; they will be replaced when the token is created:
  # * {username}: user name of the user
  # * {mail}: email address of the user
  # * {first_name}: first name of the user
  # * {last_name}: last name of the user
  # * {uid}: user id of the user
  claims_id_token:
    groups: ["group_{user}"]
    service: "auth"
  # Optional: claims to be added to the user info endpoint response.
  # The placeholders of `claims_id_token` can also be used here
  claims_user_info:
    groups: ["group_{user}"]
    service: "auth"
On the first run, BasicOIDC creates a new administrator with the credentials admin / admin. On first login you will have to change these default credentials.
In order to run BasicOIDC for development, you will need to create at least an empty clients.yaml file inside the storage directory.
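The two things worth checking before a client entry goes live are the redirect_uri (the one value an attacker most wants to influence in an OIDC flow) and the claim templates. The following Rust program is an added example and is not BasicOIDC's own code: it models a clients.yaml entry with the fields documented above, applies a few policy checks of its own (https required except on loopback, no fragment, a minimum secret length, and a warning when no secret is set because the implicit flow returns tokens in the redirect URL), and expands the documented placeholders in a single pass. Unknown `{...}` tokens are left verbatim and reported; note that `group_{user}` in the example above uses `{user}`, which is not in the documented placeholder list, so this example would flag it. The struct names, thresholds and the treatment of unknown placeholders are assumptions of this example, not BasicOIDC's behaviour.

```rust
use std::collections::BTreeMap;

/// One clients.yaml entry, restricted to the fields this example checks.
/// Claim values are modelled as lists of strings (an assumption; a scalar
/// such as `service: "auth"` is a one-element list here).
#[derive(Debug, Clone, Default)]
pub struct Client {
    pub id: String,
    pub secret: Option<String>, // None => implicit flow
    pub redirect_uri: String,
    pub claims_id_token: BTreeMap<String, Vec<String>>,
}

/// The user fields the documented placeholders refer to.
#[derive(Debug, Clone, Default)]
pub struct User {
    pub uid: String,
    pub username: String,
    pub mail: String,
    pub first_name: String,
    pub last_name: String,
}

/// Policy checks to run before accepting a client entry (thresholds are this example's own).
pub fn validate_client(c: &Client) -> Vec<String> {
    let mut problems = Vec::new();
    if c.id.is_empty() {
        problems.push("id must not be empty".to_string());
    }
    if let Some(rest) = c.redirect_uri.strip_prefix("http://") {
        // Plain http is only acceptable for loopback development setups.
        let authority = rest.split('/').next().unwrap_or("");
        let host = if authority.starts_with('[') {
            authority.split(']').next().unwrap_or("").to_string() + "]"
        } else {
            authority.split(':').next().unwrap_or("").to_string()
        };
        if !matches!(host.as_str(), "localhost" | "127.0.0.1" | "[::1]") {
            problems.push(format!("redirect_uri {} uses plain http on a non-loopback host", c.redirect_uri));
        }
    } else if !c.redirect_uri.starts_with("https://") {
        problems.push(format!("redirect_uri {} must be an absolute http(s) URL", c.redirect_uri));
    }
    if c.redirect_uri.contains('#') {
        problems.push("redirect_uri must not carry a fragment".to_string());
    }
    match &c.secret {
        None => problems.push("no secret set: the implicit flow returns tokens in the redirect URL".to_string()),
        Some(s) if s.len() < 32 => problems.push("secret is shorter than 32 characters".to_string()),
        _ => {}
    }
    for (claim, values) in &c.claims_id_token {
        for tok in values.iter().flat_map(|v| unknown_placeholders(v)) {
            problems.push(format!("claim {} uses undocumented placeholder {}", claim, tok));
        }
    }
    problems
}

/// Maps a documented placeholder to the user field it stands for.
fn lookup<'a>(tok: &str, u: &'a User) -> Option<&'a str> {
    match tok {
        "{username}" => Some(u.username.as_str()),
        "{mail}" => Some(u.mail.as_str()),
        "{first_name}" => Some(u.first_name.as_str()),
        "{last_name}" => Some(u.last_name.as_str()),
        "{uid}" => Some(u.uid.as_str()),
        _ => None,
    }
}

/// Single-pass expansion: substituted values are never re-scanned, and unknown
/// `{...}` tokens are kept verbatim and returned so the config can be rejected.
pub fn expand(template: &str, u: &User) -> (String, Vec<String>) {
    let (mut out, mut unknown, mut rest) = (String::new(), Vec::new(), template);
    while let Some(start) = rest.find('{') {
        out.push_str(&rest[..start]);
        let after = &rest[start..];
        match after.find('}') {
            Some(end) => {
                let tok = &after[..=end];
                match lookup(tok, u) {
                    Some(value) => out.push_str(value),
                    None => { unknown.push(tok.to_string()); out.push_str(tok); }
                }
                rest = &after[end + 1..];
            }
            None => { out.push_str(after); rest = ""; break; }
        }
    }
    out.push_str(rest);
    (out, unknown)
}

pub fn unknown_placeholders(template: &str) -> Vec<String> {
    expand(template, &User::default()).1
}

/// Renders the client's ID-token claims for one user.
pub fn render_claims(c: &Client, u: &User) -> BTreeMap<String, Vec<String>> {
    c.claims_id_token.iter()
        .map(|(k, vals)| (k.clone(), vals.iter().map(|v| expand(v, u).0).collect()))
        .collect()
}

fn main() {
    // Constructed sample mirroring the README's gitea entry.
    let mut claims = BTreeMap::new();
    claims.insert("groups".to_string(), vec!["group_{username}".to_string()]);
    let gitea = Client { id: "gitea".into(), secret: Some("TOP_SECRET".into()),
        redirect_uri: "https://mygit.mywebsite.com/".into(), claims_id_token: claims };
    let alice = User { uid: "42".into(), username: "alice".into(), mail: "alice@example.org".into(),
        first_name: "Alice".into(), last_name: "Doe".into() };
    println!("problems: {:?}", validate_client(&gitea));
    println!("claims: {:?}", render_claims(&gitea, &alice));
}
```

Run it with `cargo run` in a scratch crate; the gitea entry passes every check except the example's minimum secret length, and the rendered `groups` claim becomes `["group_alice"]`.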
Features
- authorization_code flow
- implicit flow
- Client authentication using secrets
- Brute-force protection
- Two-factor authentication
  - TOTP (authenticator app)
  - Using a security key (WebAuthn)
- Fully responsive web UI
- robots.txt prevents indexing
- Support for authentication from an upstream provider
Add an upstream provider
You can add as many upstream providers as you want, using the following syntax in providers.yaml:
- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration
Warning! Self-registration has not been implemented, therefore the accounts must have been previously created through the administration interface; an upstream login only succeeds for an account that already exists locally.
Compiling
You will need the Rust toolchain to compile this project. To build it for production, just run:
cargo build --release
Testing with OAuth2 Proxy
If you want to test the solution with OAuth2 Proxy, adapt the following commands (assuming 192.168.2.103 is your local IP address):
export IP=192.168.2.103
# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"
# In another shell, run OAuth2 Proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest \
  --provider=oidc --email-domain=* \
  --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 \
  --oidc-issuer-url=http://$IP.nip.io:8000 \
  --http-address 0.0.0.0:4180 --upstream http://$IP \
  --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false
Corresponding client configuration:
- id: oauthproxy
  name: OAuth2 Proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/
Note: a real domain name must be used instead of a bare IP address because of webauthn-rs crate limitations (a WebAuthn relying party ID has to be a domain name, not an IP address). We therefore use the nip.io domain helper, which resolves any name of the form 192.168.2.103.nip.io to that address.
OAuth2 Proxy can then be accessed at this URL: http://192.168.2.103:4180/
Contributing
If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)