BasicOIDC/README.md
Pierre Hubert 4f7c56a4b8
All checks were successful
continuous-integration/drone/push Build is passing
Loads clients list only once (#106)
Currently, the list of client is loaded separately for each Actix HTTP handler threads.

In prevision of future improvements, it is worthwhile to load this list only once.

Reviewed-on: #106
2023-04-17 16:49:19 +00:00

2.9 KiB

Basic OIDC

Build Status

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

WARNING : This tool has not been audited, use it at your own risks!

BasicOIDC operates without any database, just with two files :

  • clients.yaml: a list of authorized relying parties.
  • users.json: a list of users, managed through a web UI.

You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax :

- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
  # If you want the client to be granted to every users, regardless their account configuration
  granted_to_all_users: true

On the first run, BasicOIDC will create a new administrator with credentials admin / admin. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create a least an empty clients.yaml file inside the storage directory.

Features :

  • authorization_code flow
  • Client authentication using secrets
  • Bruteforce protection
  • 2 factor authentication
    • TOTP (authenticator app)
    • Using a security key (Webauthn)
  • Fully responsive webui
  • robots.txt prevents indexing

Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

cargo build --release

Testing with OAauth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering 192.168.2.103 is your local IP address):

# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false

Corresponding client configuration:

- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/

Note: We do need to use real domain name instead of IP address due to the webauthn-rs crate limitations. We therefore use the nip.io domain helper.

OAuth proxy can then be access on this URL: http://192.168.2.103:4180/

Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)