BasicOIDC/README.md
Pierre Hubert 9b18b787a9
All checks were successful
continuous-integration/drone/push Build is passing
Add authentication from upstream providers (#107)
Let BasicOIDC delegate authentication to upstream providers (Google, GitHub, GitLab, Keycloak...)

Reviewed-on: #107
2023-04-27 10:10:28 +00:00

3.6 KiB

Basic OIDC

Build Status

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

WARNING : This tool has not been audited, use it at your own risks!

BasicOIDC operates without any database, just with three files :

  • clients.yaml: a list of authorized relying parties.
  • providers.yaml: a list of upstream providers for authentication federation (this file is optional)
  • users.json: a list of users, managed through a web UI.

Configuration

You can configure a list of clients (Relying Parties) in a clients.yaml file with the following syntax :

- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
  # If you want the client to be granted to every users, regardless their account configuration
  granted_to_all_users: true

On the first run, BasicOIDC will create a new administrator with credentials admin / admin. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create a least an empty clients.yaml file inside the storage directory.

Features

  • authorization_code flow
  • Client authentication using secrets
  • Bruteforce protection
  • 2 factor authentication
    • TOTP (authenticator app)
    • Using a security key (Webauthn)
  • Fully responsive webui
  • robots.txt prevents indexing
  • Support authentication from upstream provider

Add an upstream provider

You can add as much upstream provider as you want, using the following syntax in providers.yaml:

- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration

Warning! Self-registration has not been implemented, therfore the accounts must have been previously created through the administration.

Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

cargo build --release

Testing with OAauth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering 192.168.2.103 is your local IP address):

# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false

Corresponding client configuration:

- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/

Note: We do need to use real domain name instead of IP address due to the webauthn-rs crate limitations. We therefore use the nip.io domain helper.

OAuth proxy can then be access on this URL: http://192.168.2.103:4180/

Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)