# Basic OIDC

Basic & lightweight OpenID provider, written in Rust using the Actix framework.

**WARNING**: This tool has not been audited, use it at your own risk!

BasicOIDC operates without any database, just with two files:

- `clients.yaml`: a list of authorized relying parties.
- `users.json`: a list of users, managed through a web UI.
You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax:

```yaml
- id: gitea
  name: Gitea
  description: Git with a cup of tea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
  # If you want the client to be granted to every user, regardless of their account configuration
  granted_to_all_users: true
```
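As an added example (not part of the project's code), a small Python reader for this `clients.yaml` layout together with the access logic the two flags describe. The file content below is constructed from the README's own entries, and exact matching of `redirect_uri` is an assumption made here, not a documented behaviour of BasicOIDC.

```python
from dataclasses import dataclass

# Constructed clients.yaml content in the README's layout (not the project's own file).
CLIENTS_YAML = """\
- id: gitea
  secret: TOP_SECRET
  redirect_uri: https://mygit.mywebsite.com/
  # New accounts are granted access to this client by default
  default: true
- id: oauthproxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/
  # Granted to every user regardless of account configuration
  granted_to_all_users: true
"""

@dataclass
class Client:
    id: str
    secret: str
    redirect_uri: str
    default: bool = False
    granted_to_all_users: bool = False

def parse_clients(text):
    """Minimal reader for the flat list-of-mappings layout of clients.yaml (not general YAML)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        if line.startswith("- "):              # '- key: value' opens a new client entry
            records.append(current := {})
            line = line[2:]
        key, _, value = (s.strip() for s in line.partition(":"))  # first colon only; URLs keep theirs
        current[key] = (value == "true") if value in ("true", "false") else value
    return [Client(r["id"], r["secret"], r["redirect_uri"],
                   r.get("default", False), r.get("granted_to_all_users", False))
            for r in records]

def initial_grants(clients):
    """Client ids a newly created account receives (the 'default: true' flag)."""
    return {c.id for c in clients if c.default}

def may_authorize(client, user_grants, redirect_uri):
    """Exact redirect_uri match (this example's policy, an assumption), then open-to-all or granted."""
    if redirect_uri != client.redirect_uri:
        return False
    return client.granted_to_all_users or client.id in user_grants
```

Note that `default` only seeds the grants of a newly created account; an existing account with no grant for `gitea` is still refused, while `granted_to_all_users` bypasses the account's grants entirely.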
On the first run, BasicOIDC will create a new administrator with the credentials `admin` / `admin`. On first login you will have to change these default credentials.

In order to run BasicOIDC for development, you will need to create at least an empty `clients.yaml` file inside the storage directory.
Features:

- `authorization_code` flow
- Client authentication using secrets
- Bruteforce protection
- 2-factor authentication
  - TOTP (authenticator app)
  - Using a security key (WebAuthn)
- Fully responsive web UI
- `robots.txt` prevents indexing
## Compiling

You will need the Rust toolchain to compile this project. To build it for production, just run:

```bash
cargo build --release
```
## Testing with OAuth proxy

If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):

```bash
# In a shell, start BasicOIDC
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"

# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
```
Corresponding client configuration:

```yaml
- id: oauthproxy
  name: Oauth proxy
  description: oauth proxy
  secret: secretoauth
  redirect_uri: http://192.168.2.103:4180/
```
Note: we need to use a real domain name instead of an IP address due to `webauthn-rs` crate limitations. We therefore use the `nip.io` domain helper.
## Contributing

If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)