OpenID Connect Single Sign-On Identity Provider

Overview

Rauthy

CAUTION:
There has not been any third-party security audit of this project.
Use this software at your own risk!

INFO:
This project is currently pre v1.0, which means, even though it is not expected, breaking changes might come with new versions.

What it is

Rauthy is an OpenID Connect (OIDC) Provider and Single Sign-On solution written in Rust.

Secure by default
It tries to be as secure as possible by default while still providing all the options needed to stay compatible with older systems. For instance, when you create a new OIDC client, it sets ed25519 as the default token-signing algorithm and requires the PKCE flow with the S256 code challenge method. This will not work with old clients that do not support it, but you can of course deactivate either default to your liking.
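To make the PKCE S256 default concrete, here is an added example (not code from the Rauthy project) that walks through both halves of the exchange: the client derives a code challenge from a random verifier, and the provider later checks the verifier presented at the token endpoint against the challenge it stored with the authorization code. Only the `S256` method is accepted, mirroring the secure-by-default stance above; the `plain` method is rejected. The function names and the in-memory "stored authorization" dictionary are assumptions for this illustration. The known-answer pair in `rfc7636_vector()` is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def _b64url(raw: bytes) -> str:
    """base64url without padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier (32 random bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def provider_accepts(stored: dict, presented_verifier: str) -> bool:
    """Provider side, at the token endpoint.

    `stored` is the challenge and method remembered with the authorization
    code (hypothetical structure). Anything but S256 is refused, and the
    comparison is constant-time so a timing side channel cannot leak the
    expected challenge byte by byte.
    """
    if stored.get("code_challenge_method") != "S256":
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    expected = stored.get("code_challenge", "")
    return hmac.compare_digest(s256_challenge(presented_verifier), expected)


def simulate_flow(tamper: bool = False) -> bool:
    """Run one authorization round trip in memory.

    With tamper=True the token request carries a verifier that does not
    belong to the authorization request, which must be rejected.
    """
    # 1. client prepares the authorization request
    verifier = make_code_verifier()
    auth_request = {
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # 2. provider stores challenge + method alongside the issued code
    stored = dict(auth_request)
    # 3. client redeems the code, sending the original verifier
    presented = make_code_verifier() if tamper else verifier
    return provider_accepts(stored, presented)


def rfc7636_vector() -> tuple[str, str]:
    """Known-answer check from RFC 7636 Appendix B (constructed as a sanity check)."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    return verifier, s256_challenge(verifier)


if __name__ == "__main__":
    print("legitimate exchange accepted:", simulate_flow())
    print("tampered exchange accepted:", simulate_flow(tamper=True))
    print("plain method accepted:", provider_accepts(
        {"code_challenge": "abc", "code_challenge_method": "plain"},
        "a" * 43))
```

The check that matters for defenders is the method pin: a provider that still honours `plain` lets an attacker who intercepts the authorization code replay it, because the challenge is then the verifier itself.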

MFA and Passwordless Login
Rauthy provides FIDO 2 / WebAuthn login flows. Once you have logged in on a new client with your username + password, you receive an encrypted cookie that allows you to log in without a password from that moment on. You only need a FIDO-compliant Passkey registered for your account.
The reason it requests your password on a new host at least once is simple. Even though most browsers fully support user verification, in some scenarios a configured PIN or biometric fingerprint reader is simply ignored by the browser, which would reduce the strong MFA login to a single factor again. As long as full support does not exist on every device out there, Rauthy will not allow a "Passkey only login flow" for security reasons.
Examples of combinations that do not work correctly are Firefox on Mac OS, Firefox pre v114 on Linux, and almost every browser on Android.

Fast and efficient
The main goal was to provide an SSO solution like Keycloak and others with a much lower footprint and more efficient use of resources. For instance, Rauthy can easily run a full-blown SSO provider on just a Raspberry Pi. It makes extensive use of caching to be as fast as possible in cases where your database is further away or just a bit slower, for example because it runs on an SBC from an SD card. Most things are even cached for several hours (config options will come in the future), and special care has been taken with cache eviction and invalidation.
A Rauthy deployment with the embedded SQLite, filled caches and a small set of clients and users configured typically uses only between 15 and 20 MB of memory! This is pretty awesome compared to other existing solutions out there. While a login password is being hashed, memory consumption will of course go up considerably, depending on your configured Argon2ID parameters, which you have fully under control. If you use it with an external Postgres, the memory consumption of Rauthy itself will be even a bit lower, since it does not need to care about SQLite.
To achieve this speed and efficiency, some additional design tradeoffs were made. For instance, some things are configured statically via config file and not dynamically via the UI; most of them are configured once and then never touched again.

Highly Available
Even though it makes extensive use of caching, you can run it in HA mode. It uses its own embedded distributed HA cache called redhac, which takes care of cache eviction on remote hosts. You can choose between SQLite for single-instance deployments and Postgres if you need HA. MySQL support might come in the future.

Client Branding
You have a simple way to create some kind of branding or stylized look for the Login page for each client.
The whole color theme can be changed and each client can have its own custom logo.
Additionally, if you modify the branding for the default rauthy client, it will not only change the look for the Login page, but also for the Account and Admin page.

Already in production
Rauthy is already being used in production, and it works with all typical OIDC clients (so far). It was just not an open source project for quite some time.
Keycloak was a rough inspiration in certain places and if something is working with Keycloak, it does with rauthy too (again, so far).

What it is not (yet?)

Since Rauthy is currently pre v1.0, it might be missing some nice to have features. Some of them will never be implemented (see below), while others might come or are even planned already.

Currently missing features:

UI translation
The Admin UI will never be translated, but a basic translation for the Login and Account page may come.

Rauthy Name Override
The idea of this feature is that one could override the Rauthy name in different places like e-mail notifications or the Admin UI. This would avoid confusing external users who expect some other deployment name.

Rauthy Authenticator MFA App
Even though things like OTP codes will never be implemented, it is not set in stone yet that there will never be Rauthy's own Authenticator App, which then basically acts as a Webauthn Software Authenticator. There are already existing solutions out there to serve this purpose.

Customizable E-Mail templates
It is not yet decided whether this feature will come.

OIDC Client
Rauthy will most probably have the option to be an OIDC Client itself as well. With this feature, you would be able to do things like "Login with Github" to Rauthy and then use Rauthy for the extended management and features.

MySQL Support
At the time of writing it is not clear yet whether MySQL / MariaDB databases will be added.
The foundation is there; some specific queries just need to be rewritten or added in a few places to match the new SQL dialect.

What it will never be

Rauthy does not try to just replicate already existing, great software.
For instance, if you need way more flexibility regarding federated users, fully customizable login flows or things like SAML or LDAP, then you might want to take a look at solutions like Keycloak.

Rauthy wants to do just a few things, but do them well, fast, efficiently and securely.
This means it will never implement (unless contributed by someone):

  • Insecure OIDC flows like the Implicit Flow
  • SAML 2.0 / LDAP
  • Other (older, more insecure or just annoying) 2FA mechanisms than the existing ones
  • Fully customizable themes in addition to the existing branding

Getting Started

Either just take a look at the Rauthy Book, or start directly by taking a look at the application yourself with docker on your localhost:

docker run --rm -p 8080:8080 sdobedev/rauthy

NOTE:
Please keep in mind that at the time of writing, the docker image is hosted in the free tier and will be rate limited if there are too many pulls.

Next Steps for the project

  • add more documentation
  • cleanup code
  • benchmarks and performance tuning
  • ...

Comments
  • target database check at startup

    This checks (and possibly panics) at startup, if the target database type / url matches the currently used rauthy image with the correct feature flags.

    Since the drivers for SQLite and Postgres are compiled into both binaries to make DB_MIGRATE_FROM work in any combination, without this check it would be possible to use a SQLite database with the postgres features enabled, which would cause errors at runtime when the first db-specific query is fired up (at the latest).

    This check does panic at startup immediately and informs the user about the misconfiguration and logs a hint about the correct container image.

    opened by sebadob 0
  • sqlx migration + debugging

    This is a big WIP.
    sqlx broke a few things about the Any driver with the 0.7 release and it does not work anymore like it did before.

    This PR is about testing out a possible split of the code into basically 2 versions behind feature flags to get rid of the Any driver and possibly be able to use native drivers further down the road as well, like rusqlite or tokio-postgres, if things don't work out.

    I opened up a few issues about it, but sticking with the Any driver and waiting for fixes seems too uncertain to me, because it might even happen again in the future, since this driver is just not that wide spread as all other drivers.

    opened by sebadob 0
  • browser native language detection

    Add a Language enum and make it possible to detect the browser's native language in 2 ways:

    1. priority: LOCALE cookie which overrides the Accept-Language header
    2. priority: try to extract and match the Accept-Language header
    opened by sebadob 0
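The two-step detection described in that PR, as an added example that is not part of the original project or the PR: a `LOCALE` cookie wins when it names a supported language, otherwise the `Accept-Language` header is parsed with its q-weights and the first supported match is taken, falling back to a default. The set of supported languages, the lowercase header dictionary and the helper names are assumptions for this illustration; an unsupported cookie value is ignored rather than trusted, so a client cannot force an arbitrary string into the language selection.

```python
from http.cookies import SimpleCookie

SUPPORTED = ("en", "de")   # assumption: the languages the UI ships with
DEFAULT = "en"


def parse_accept_language(header: str) -> list[tuple[str, float]]:
    """Parse an Accept-Language value into (tag, q) sorted by q, then order.

    Malformed q values count as q=0 and are dropped, as are empty entries.
    """
    entries = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        tag = pieces[0].lower()
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if tag and q > 0:
            entries.append((tag, q, position))
    # highest q first; ties keep the client's own ordering
    entries.sort(key=lambda e: (-e[1], e[2]))
    return [(tag, q) for tag, q, _ in entries]


def match_language(tags: list[tuple[str, float]], supported=SUPPORTED):
    """First supported tag; a regional tag like de-AT matches its primary 'de'."""
    for tag, _ in tags:
        if tag in supported:
            return tag
        primary = tag.split("-", 1)[0]
        if primary in supported:
            return primary
    return None


def detect_language(headers: dict, supported=SUPPORTED, default=DEFAULT) -> str:
    """headers: constructed dict with lowercase header names (assumption).

    1. LOCALE cookie overrides everything, if it names a supported language.
    2. Otherwise the Accept-Language header is matched.
    3. Otherwise the default applies.
    """
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    if "LOCALE" in jar:
        wanted = jar["LOCALE"].value.strip().lower()
        if wanted in supported:
            return wanted
    return match_language(parse_accept_language(
        headers.get("accept-language", "")), supported) or default


if __name__ == "__main__":
    # constructed sample requests
    samples = [
        {"cookie": "LOCALE=de", "accept-language": "en-US,en;q=0.9"},
        {"accept-language": "fr-CH, fr;q=0.9, de;q=0.8, en;q=0.7"},
        {"cookie": "LOCALE=zz", "accept-language": "en-US,en;q=0.9"},
        {},
    ]
    for req in samples:
        print(req, "->", detect_language(req))
```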
Releases(v0.13.3)
  • v0.13.3(Jul 13, 2023)

    • UI: small visual bugfixes and improvements in different places 459bdbd 57a5600
    • UI: All navigation routes can be reached via their own link now. This means a refresh of the page does not return to the default anymore 4999995 7f0ac0b cadaa40
    • UI: added an index to the users table to prevent a rendering bug after changes e35ffbe

    Image

    sdobedev/rauthy@sha256:94b68248afe425600d19461f050091b02db677a5d9ae66ad2db23e19fd86d753

  • v0.13.2(Jul 10, 2023)

    Default Image

    sdobedev/rauthy@sha256:f9780e426ba97a5331bd7152108a3f5f86158f624ed28d2f69f6e060a4541075
    

    Debug Image

    sdobedev/rauthy@sha256:db9c035dda6ad7780b2ea1cff36e029b6bef9901a54930551b5a98c2b3c0d206
    
  • v0.13.1(Jul 6, 2023)

    Bugfix

    • UI Bugfix: Client flow updates were not applied via UI 6fe8fbc

    Container Images

    default

    sdobedev/rauthy@sha256:726352306a583dd1af849004be1773d1fb04a04afc856b9df72a8d55ed8ba482

    debug

    sdobedev/rauthy@sha256:847314df74cabb7f0ce34a401502077d7ca88f969d8e1e4cfac1dfa219dc9667

  • v0.13.0(Jul 5, 2023)

    Changes

    • Improved container security: Rauthy is based on a Scratch container image by default now. This improves security quite a lot, since you cannot even get a shell into the container anymore, and it reduced the image size by another ~4MB.
      This makes it harder, however, if you need to debug something, for instance when you use a SQLite deployment. For this reason, you can append -debug to a tag and you will get an Alpine based version just like before. 1a7e79d
    • More stable HA deployment: In some specific K8s HA deployments, the default HTTP2 keep-alives from redhac were not good enough and we got broken pipes in some environments, which caused the leader to change often. This has been fixed in redhac-0.6.0 too, which at the same time makes Rauthy HA really stable now.
    • The client branding section in the UI has better responsiveness for smaller screens dfaa23a
    • For a HA deployment, cache modifications now use proper HA cache functions. These fall back to the single-instance functions in non-HA mode since redhac-0.6.0 7dae043
    • All static UI files are now precompressed with gzip and brotli to use even fewer resources 10ad51a
    • CSP script-src unsafe-inline was removed in favor of custom nonces 7de918d
    • UI migrated to Svelte 4 21f73ab

    New Docker images:

    Default (now based on Scratch)

    sdobedev/rauthy:0.13.0@sha256:a374b592b4e489d13eaf7d1b9154e0346303c82f615341cf8e6cfc57a286b38a

    Debug Image

    sdobedev/rauthy:0.13.0@sha256:29882a03b90b9339a02bbd4ee2a8a96f23beb2d27b1cae14c603e32d4e249fa2

  • v0.12.0(Jul 1, 2023)

Owner
Sebastian Dobe
Rustacean and Cloud Architect