Pierre Hubert
9b18b787a9
All checks were successful
continuous-integration/drone/push Build is passing
Let BasicOIDC delegate authentication to upstream providers (Google, GitHub, GitLab, Keycloak...) Reviewed-on: #107
88 lines
3.6 KiB
Markdown
# Basic OIDC
[![Build Status](https://drone.communiquons.org/api/badges/pierre/BasicOIDC/status.svg)](https://drone.communiquons.org/pierre/BasicOIDC)
Basic & lightweight OpenID provider, written in Rust using the Actix framework.
**WARNING:** This tool has not been audited, use it at your own risk!
BasicOIDC operates without any database, just with three files:
* `clients.yaml`: a list of authorized relying parties.
* `providers.yaml`: a list of upstream providers for authentication federation (this file is optional)
* `users.json`: a list of users, managed through a web UI.
## Configuration
You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax:

```yaml
- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
  # If you want the client to be granted to every user, regardless of their account configuration
  granted_to_all_users: true
```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
In order to run BasicOIDC for development, you will need to create at least an empty `clients.yaml` file inside the storage directory.
## Features
* [x] `authorization_code` flow
* [x] Client authentication using secrets
* [x] Bruteforce protection
* [x] 2 factor authentication
  * [x] TOTP (authenticator app)
  * [x] Using a security key (Webauthn)
* [ ] Fully responsive webui
* [x] `robots.txt` prevents indexing
* [x] Support authentication from upstream provider
## Add an upstream provider
You can add as many upstream providers as you want, using the following syntax in `providers.yaml`:

```yaml
- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration
```
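Both `clients.yaml` and `providers.yaml` are flat lists of key/value maps, and a few of their settings deserve a second look before the provider goes live: a client secret left at the README placeholder, a `redirect_uri` that is not `https`, `granted_to_all_users` or `default` set to `true`, and a provider whose `client_id`/`client_secret` still hold the `..._GIVEN_BY_PROVIDER` placeholders or whose discovery URL is not served over TLS. The following script is an added example, not part of BasicOIDC, that parses that YAML subset with a small hand-written parser (so it needs no PyYAML) and reports those findings. The sample files, the placeholder pattern and the 16-character minimum for a secret are constructed for the example; BasicOIDC itself does not define them.

```python
"""Pre-deployment lint for BasicOIDC-style clients.yaml / providers.yaml.

Added example (not BasicOIDC code). It handles only the flat YAML subset the
README shows: one `- key: value` line starts an item, further `key: value`
lines belong to it, `#` starts a comment. Quoted values containing `#` are not
supported.
"""
import re

# Constructed sample files modelled on the README's syntax.
CLIENTS_YAML = """\
- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  default: true
  granted_to_all_users: true
- id: wiki
  name: Wiki
  secret: 8f3c0b2e6a1d4c7f9b0e2a5d7c1f3e6b
  redirect_uri: http://wiki.internal/callback  # plain http
"""

PROVIDERS_YAML = """\
- id: gitlab
  name: GitLab
  logo: gitlab
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration
"""

# Constructed pattern: values that look like documentation placeholders.
PLACEHOLDER_RE = re.compile(
    r"^(TOP_SECRET|SECRET|CHANGE_?ME|.*_GIVEN_BY_PROVIDER|.*_SECRET)$", re.I)
MIN_SECRET_LEN = 16  # assumption for this example, not a BasicOIDC rule


def parse_flat_list(text):
    """Parse the YAML subset into a list of dicts (one per `- ` item)."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        stripped = line.strip()
        if stripped.startswith("- "):
            items.append({})          # a new client / provider entry
            stripped = stripped[2:]
        if not items:
            raise ValueError("key/value before first list item: %r" % raw)
        key, sep, value = stripped.partition(":")  # first colon only,
        if not sep:                                # so URLs keep their "://"
            raise ValueError("unparseable line: %r" % raw)
        items[-1][key.strip()] = value.strip()
    return items


def lint_clients(clients):
    """Return (client id, message) pairs for risky relying-party settings."""
    findings = []
    for c in clients:
        cid = c.get("id", "<no id>")
        secret = c.get("secret", "")
        if not secret or PLACEHOLDER_RE.match(secret) or len(secret) < MIN_SECRET_LEN:
            findings.append((cid, "weak or placeholder client secret"))
        uri = c.get("redirect_uri", "")
        if not uri.startswith("https://"):
            findings.append((cid, "redirect_uri is not https: %s" % uri))
        if c.get("granted_to_all_users") == "true":
            findings.append((cid, "granted_to_all_users bypasses per-account grants"))
        if c.get("default") == "true":
            findings.append((cid, "default: true grants every new account access"))
    return findings


def lint_providers(providers):
    """Return (provider id, message) pairs for upstream-provider entries."""
    findings = []
    for p in providers:
        pid = p.get("id", "<no id>")
        for key in ("client_id", "client_secret"):
            if PLACEHOLDER_RE.match(p.get(key, "")):
                findings.append((pid, "%s still holds the README placeholder" % key))
        url = p.get("configuration_url", "")
        if not url.startswith("https://"):
            findings.append((pid, "configuration_url must be https (the discovery document is trusted)"))
        if not url.endswith("/.well-known/openid-configuration"):
            findings.append((pid, "configuration_url does not look like an OIDC discovery URL"))
    return findings


if __name__ == "__main__":
    for who, msg in lint_clients(parse_flat_list(CLIENTS_YAML)):
        print("clients.yaml   [%s] %s" % (who, msg))
    for who, msg in lint_providers(parse_flat_list(PROVIDERS_YAML)):
        print("providers.yaml [%s] %s" % (who, msg))
```

Run it against real files by replacing the two constructed strings with `open(...).read()`; on the samples it reports four client findings (three for `gitea`, the plain-`http` redirect for `wiki`) and two provider findings for the untouched placeholders.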
> Warning! Self-registration has not been implemented, therefore the accounts must have been previously created through the administration.
## Compiling
You will need the Rust toolchain to compile this project. To build it for production, just run:
```bash
cargo build --release
```
## Testing with OAuth proxy
If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):
```bash
# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
```
Corresponding client configuration:
```yaml
- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/
```
> Note: We need to use a real domain name instead of an IP address due to the `webauthn-rs` crate limitations. We therefore use the `nip.io` domain helper.
OAuth proxy can then be accessed at this URL: http://192.168.2.103:4180/
## Contributing
If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)