# Basic OIDC

[Build status](https://drone.communiquons.org/pierre/BasicOIDC)

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

**WARNING:** This tool has not been audited, use it at your own risk!

BasicOIDC operates without any database, just with three files:

* `clients.yaml`: a list of authorized relying parties.
* `providers.yaml`: a list of upstream providers for authentication federation (this file is optional).
* `users.json`: a list of users, managed through a web UI.

 | |
## Configuration

You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax:

```yaml
  # Client ID
- id: gitea
  # Client name
  name: Gitea
  # Client description
  description: Git with a cup of tea
  # Client secret. Specify this value to use the authorization code flow, remove it for the implicit flow
  secret: TOP_SECRET
  # The URL where the user shall be redirected after authentication
  redirect_uri: https://mygit.mywebsite.com/
  # Optional, set to true if you want new accounts to be granted access to this client by default
  default: true
  # Optional, set to true if you want the client to be granted to every user, regardless of their account configuration
  granted_to_all_users: true
  # Optional, set to true if you want users to have performed a recent second factor authentication before accessing this client
  enforce_2fa_auth: true
  # Optional, claims to be added to the ID token payload.
  # The following placeholders can be used, they will be replaced when the token is created:
  # * {username}: user name of the user
  # * {mail}: email address of the user
  # * {first_name}: first name of the user
  # * {last_name}: last name of the user
  # * {uid}: user id of the user
  claims_id_token:
    groups: ["group_{username}"]
    service: "auth"
  # Optional, claims to be added to the user info endpoint response
  # The placeholders of `claims_id_token` can also be used here
  claims_user_info:
    groups: ["group_{username}"]
    service: "auth"
```
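The client settings above decide which flow a relying party gets, which users may reach it and what the configured ID token claims become. As an added example that is not BasicOIDC's own code, the following std-only Rust models those rules as the README comments describe them; it assumes the redirect URI is matched exactly (the README does not say how matching is done) and that the provider tracks per-user grants and recent second-factor use.

```rust
// Added example, not BasicOIDC's own code: it models the access and claim semantics
// the clients.yaml comments describe, using only std. Exact redirect matching is assumed.
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum Flow { AuthorizationCode, Implicit }

/// The subset of a clients.yaml entry that drives the decisions below.
pub struct Client {
    pub id: String,
    pub secret: Option<String>,
    pub redirect_uri: String,
    pub granted_to_all_users: bool,
    pub enforce_2fa_auth: bool,
    pub claims_id_token: Vec<(String, String)>,
}

/// Per-user state the provider is assumed to keep (constructed for this example).
pub struct User {
    pub username: String, pub mail: String, pub first_name: String,
    pub last_name: String, pub uid: String,
    pub granted_clients: Vec<String>, pub recent_2fa: bool,
}

/// A client with a secret uses the authorization code flow; without one it is implicit.
pub fn flow_for(client: &Client) -> Flow {
    if client.secret.is_some() { Flow::AuthorizationCode } else { Flow::Implicit }
}

/// Only the exact configured redirect_uri may receive the code or token (no prefix
/// matching), so a different path or query on the same host is refused.
pub fn redirect_allowed(client: &Client, requested: &str) -> bool {
    client.redirect_uri == requested
}

/// Access is granted client-wide or per user, and a fresh second factor may be required.
pub fn access_allowed(client: &Client, user: &User) -> Result<(), &'static str> {
    let granted = client.granted_to_all_users || user.granted_clients.iter().any(|c| c == &client.id);
    if !granted { return Err("client not granted to user"); }
    if client.enforce_2fa_auth && !user.recent_2fa { return Err("recent second factor required"); }
    Ok(())
}

/// Expand the documented placeholders in configured claim values at token creation.
pub fn expand_claims(client: &Client, user: &User) -> HashMap<String, String> {
    let subst = [("{username}", &user.username), ("{mail}", &user.mail), ("{first_name}", &user.first_name),
        ("{last_name}", &user.last_name), ("{uid}", &user.uid)];
    client.claims_id_token.iter()
        .map(|(k, v)| (k.clone(), subst.iter().fold(v.clone(), |acc, (p, r)| acc.replace(*p, r.as_str()))))
        .collect()
}
```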

On the first run, BasicOIDC will create a new administrator with the credentials `admin` / `admin`. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create at least an empty `clients.yaml` file inside the storage directory.

## Features

* [x] `authorization_code` flow
* [x] `implicit` flow
* [x] Client authentication using secrets
* [x] Brute-force protection
* [x] Two-factor authentication
  * [x] TOTP (authenticator app)
  * [x] Using a security key (WebAuthn)
* [ ] Fully responsive web UI
* [x] `robots.txt` prevents indexing
* [x] Support authentication from upstream providers

## Add an upstream provider

You can add as many upstream providers as you want, using the following syntax in `providers.yaml`:

```yaml
- id: gitlab
  name: GitLab
  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
  client_id: CLIENT_ID_GIVEN_BY_PROVIDER
  client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
  configuration_url: https://gitlab.com/.well-known/openid-configuration
```

> Warning! Self-registration has not been implemented, therefore the accounts must have been previously created through the administration web UI.

## Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

```bash
cargo build --release
```

## Testing with OAuth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):

```bash
export IP=192.168.2.103

# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest \
  --provider=oidc \
  --email-domain='*' \
  --client-id=oauthproxy \
  --client-secret=secretoauth \
  --cookie-secret=SECRETCOOKIE1234 \
  --oidc-issuer-url=http://$IP.nip.io:8000 \
  --http-address 0.0.0.0:4180 \
  --upstream http://$IP \
  --redirect-url http://$IP:4180/oauth2/callback \
  --cookie-secure=false
```

Corresponding client configuration:

```yaml
- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/
```

> Note: we need to use a real domain name instead of an IP address because of the `webauthn-rs` crate limitations. We therefore use the `nip.io` domain helper.

OAuth proxy can then be accessed at this URL: http://192.168.2.103:4180/

## Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)