Let BasicOIDC delegate authentication to upstream providers (Google, GitHub, GitLab, Keycloak...) Reviewed-on: #107
3.6 KiB
Basic OIDC
Basic & lightweight OpenID provider, written in Rust using the Actix framework.
WARNING : This tool has not been audited, use it at your own risks!
BasicOIDC operates without any database, just with three files :
clients.yaml
: a list of authorized relying parties.providers.yaml
: a list of upstream providers for authentication federation (this file is optional)users.json
: a list of users, managed through a web UI.
Configuration
You can configure a list of clients (Relying Parties) in a clients.yaml
file with the following syntax :
- id: gitea
name: Gitea
description: Git with a cup of tea
secret: TOP_SECRET
redirect_uri: https://mygit.mywebsite.com/
# If you want new accounts to be granted access to this client by default
default: true
# If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true
On the first run, BasicOIDC will create a new administrator with credentials admin
/ admin
. On first login you will have to change these default credentials.
In order to run BasicOIDC for development, you will need to create a least an empty clients.yaml
file inside the storage directory.
Features
authorization_code
flow- Client authentication using secrets
- Bruteforce protection
- 2 factor authentication
- TOTP (authenticator app)
- Using a security key (Webauthn)
- Fully responsive webui
robots.txt
prevents indexing- Support authentication from upstream provider
Add an upstream provider
You can add as much upstream provider as you want, using the following syntax in providers.yaml
:
- id: gitlab
name: GitLab
logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
client_id: CLIENT_ID_GIVEN_BY_PROVIDER
client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
configuration_url: https://gitlab.com/.well-known/openid-configuration
Warning! Self-registration has not been implemented, therfore the accounts must have been previously created through the administration.
Compiling
You will need the Rust toolchain to compile this project. To build it for production, just run:
cargo build --release
Testing with OAauth proxy
If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering 192.168.2.103
is your local IP address):
# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"
# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
Corresponding client configuration:
- id: oauthproxy
name: Oauth proxy
description: oauth proxy
secret: secretoauth
redirect_uri: http://192.168.2.103:4180/
Note: We do need to use real domain name instead of IP address due to the
webauthn-rs
crate limitations. We therefore use thenip.io
domain helper.
OAuth proxy can then be access on this URL: http://192.168.2.103:4180/
Contributing
If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)