Basic OpenID Provider
Go to file
Pierre Hubert 4f7c56a4b8
All checks were successful
continuous-integration/drone/push Build is passing
Loads clients list only once (#106)
Currently, the list of client is loaded separately for each Actix HTTP handler threads.

In prevision of future improvements, it is worthwhile to load this list only once.

Reviewed-on: #106
2023-04-17 16:49:19 +00:00
assets Add IP location service 2022-11-12 17:02:34 +01:00
src Loads clients list only once (#106) 2023-04-17 16:49:19 +00:00
templates Add default clients (#105) 2023-04-15 10:19:15 +00:00
.drone.yml Forbid cargo clippy warnings 2022-09-02 15:56:31 +02:00
.gitignore Automatically create admin on first start 2022-03-29 19:32:31 +02:00
build_docker_image.sh Add dockerfile 2022-04-15 22:09:26 +02:00
Cargo.lock Add default clients (#105) 2023-04-15 10:19:15 +00:00
Cargo.toml Add default clients (#105) 2023-04-15 10:19:15 +00:00
Dockerfile Add dockerfile 2022-04-15 22:09:26 +02:00
LICENSE Add README & LICENSE 2022-04-18 17:00:28 +02:00
README.md Loads clients list only once (#106) 2023-04-17 16:49:19 +00:00
renovate.json Add renovate.json 2022-04-01 00:10:26 +00:00

Basic OIDC

Build Status

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

WARNING : This tool has not been audited, use it at your own risks!

BasicOIDC operates without any database, just with two files :

  • clients.yaml: a list of authorized relying parties.
  • users.json: a list of users, managed through a web UI.

You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax :

- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
  # If you want the client to be granted to every users, regardless their account configuration
  granted_to_all_users: true

On the first run, BasicOIDC will create a new administrator with credentials admin / admin. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create a least an empty clients.yaml file inside the storage directory.

Features :

  • authorization_code flow
  • Client authentication using secrets
  • Bruteforce protection
  • 2 factor authentication
    • TOTP (authenticator app)
    • Using a security key (Webauthn)
  • Fully responsive webui
  • robots.txt prevents indexing

Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

cargo build --release

Testing with OAauth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering 192.168.2.103 is your local IP address):

# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false

Corresponding client configuration:

- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/

Note: We do need to use real domain name instead of IP address due to the webauthn-rs crate limitations. We therefore use the nip.io domain helper.

OAuth proxy can then be access on this URL: http://192.168.2.103:4180/

Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)