{"id":36418567,"url":"https://github.com/actoaps/fafnir-sso","last_synced_at":"2026-01-11T17:01:29.209Z","repository":{"id":37780601,"uuid":"234097897","full_name":"actoaps/fafnir-sso","owner":"actoaps","description":"An SSO provider, which provides a Single Sign On functionality based on industry standards and best practices.","archived":false,"fork":false,"pushed_at":"2025-07-16T12:11:06.000Z","size":1257,"stargazers_count":7,"open_issues_count":16,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-17T13:10:57.692Z","etag":null,"topics":["authentication","oauth2","oidc","sso"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/actoaps.png","metadata":{"files":{"readme":"README-v2.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-15T14:26:54.000Z","updated_at":"2025-07-16T12:07:02.000Z","dependencies_parsed_at":"2024-04-08T15:52:48.965Z","dependency_job_id":"76ffada9-0da7-433c-9ce1-a31a2f085955","html_url":"https://github.com/actoaps/fafnir-sso","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/actoaps/fafnir-sso","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actoaps%2Ffafnir-sso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actoaps%2Ffafnir-sso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actoaps%2Ffafnir-sso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actoaps%2F
fafnir-sso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/actoaps","download_url":"https://codeload.github.com/actoaps/fafnir-sso/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actoaps%2Ffafnir-sso/sbom","scorecard":{"id":164007,"data":{"date":"2025-08-11","repo":{"name":"github.com/actoaps/fafnir-sso","commit":"7bfcf3690e6450fd54544441d4b48d2a24bcbba6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.1,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":10,"reason":"16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 1/21 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yaml:1","Warn: no topLevel permission defined: .github/workflows/release.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: gradle/wrapper/gradle-wrapper.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases 
found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yaml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:20: update your workflow using 
https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/actoaps/fafnir-sso/release.yaml/master?enable=pin","Warn: containerImage not pinned by 
hash: iam/Dockerfile:1: pin your Docker image by updating eclipse-temurin:17-jre to eclipse-temurin:17-jre@sha256:8662ba1cb90a891b1784687e9ed880ab0bbbcb741d56079c33516c135e606d7d","Warn: containerImage not pinned by hash: sso/Dockerfile:1: pin your Docker image by updating amazoncorretto:17 to amazoncorretto:17@sha256:e2adb8e2da6716cf3d8a4090396daa61005d070fe9ea9d9f54de7cfffc942ec0","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T14:20:17.936Z","repository_id":37780601,"created_at":"2025-08-16T14:20:17.936Z","updated_at":"2025-08-16T14:20:17.936Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28314259,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T14:58:17.114Z","status":"ssl_error","status_checked_at":"2026-01-11T14:55:53.580Z","response_time":60,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","oauth2","oidc","sso"],"created_at":"2026-01-11T17:01:26.178Z","updated_at":"2026-01-11T17:01:29.173Z","avatar_url":"https://github.com/actoaps.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"Fafnir-SSO\n===\nFafnir-SSO is an SSO provider that offers Single Sign On functionality based on industry standards and best\npractices. Using 3rd party providers, Fafnir generates JWTs which can be used uniformly by web applications in a\ndistributed cloud-based setup.\n\nAuthentication Providers\n===\nFafnir-SSO supports the following Authentication providers:\n\n* Facebook\n* Google\n* Unilogin\n* Economic customers\n* LinkedIn\n* Hazelcast (Username/Password)\n* Apple\n* MitID\n* Microsoft Identity\n\nAuthentication Tokens\n===\nFafnir-SSO issues JWT RSA-512 tokens, which can be validated using the exposed public key. 
The fields populated are:\n\n* sub: The subject's name, as provided by the Authentication provider.\n* iss: The issuer, which will be fafnir-\u003cprovidername\u003e, where \u003cprovidername\u003e will be the name of the provider used.\n* iat: The time the JWT was issued at.\n* name: The full name, as provided by the authentication provider.\n\nUsage\n===\n\nVersion 2.x\n---\nIn version 2 onward, configuration happens through individual environment variables.\nThese are (environment variables marked with :heavy_check_mark: are **required** if you want a specific login provider to be available):\n* E-conomic\n    * ECONOMIC_AST - The E-conomic Application Secret Token :heavy_check_mark:\n    * ECONOMIC_AGT - The E-conomic Application Grant Token :heavy_check_mark:\n* Facebook\n    * FACEBOOK_AID - The Facebook Application Id :heavy_check_mark:\n    * FACEBOOK_SECRET - The Facebook Secret :heavy_check_mark:\n* Google\n    * GOOGLE_AID - The Google Application Id :heavy_check_mark:\n    * GOOGLE_SECRET - The Google Secret :heavy_check_mark:\n* Microsoft Identity  \n  As Fafnir is using OpenID Connect to authenticate, you need to check the \"ID tokens\" box under \"Implicit grant and hybrid flows\" in the Authentication menu. 
If this box is not checked, you will receive an error upon authentication.\n    * MSID_AID - The Azure App Application ID :heavy_check_mark:\n    * MSID_SECRET - The Azure App Client Secret :heavy_check_mark:\n    * MSID_TENANT - The Azure App's chosen [tenancy](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints) :heavy_check_mark:\n* LinkedIn\n    * LINKED_IN_AID - The LinkedIn Application Id :heavy_check_mark:\n    * LINKED_IN_SECRET - The LinkedIn Secret :heavy_check_mark:\n* UniLogin\n    * UL_AID - The UniLogin Application Id\n    * UL_SECRET - The UniLogin Secret :heavy_check_mark:\n    * UL_WS_USER - Your UniLogin WebService username :heavy_check_mark:\n    * UL_WS_PASS - Your UniLogin WebService password :heavy_check_mark:\n    * UL_SSO - Whether to use UniLogin in Single Sign On mode, default is false.\n* Hazelcast\n    * HAZELCAST_USERNAME_IS_EMAIL - Determines if usernames are stored in lowercase only, so that lookups can be performed case-insensitively, default is false.\n    * HAZELCAST_PASSWORD_IS_ENCRYPTED - Determines if passwords are encrypted using RSA encryption, or hashed with bcrypt, default is false.\n    * HAZELCAST_MAP_NAME - The name of the Hazelcast Map to use for storing user data. Default is `fafnir-users`\n    * HAZELCAST_TCP_IP_ADDRESS - Makes Fafnir connect to Hazelcast at the specified address using TCP/IP instead of Multicast.\n* MitID\n    * MITID_AID - The MitID ClientID :heavy_check_mark:\n    * MITID_SECRET - The MitID Client-Secret :heavy_check_mark:\n    * MITID_AUTHORITY_URL - The URL to the MitID broker authority (for example `https://brokertest.signaturgruppen.dk/op`) :heavy_check_mark:\n\n  If Fafnir's test mode is enabled, the MitID provider will use the `mitid_demo` scope instead of `mitid`.  
\n  Fafnir uses the `ssn` scope in order to add the user's name to the resulting JWT.\n* Fafnir\n    * FAFNIR_URL - The URL used to access this instance of Fafnir, default is http://localhost:8080\n    * FAFNIR_SUCCESS - The URL to redirect to after successful authentication, default is http://localhost:8080/success\n    * FAFNIR_FAILURE - The URL to redirect to after authentication failure, default is http://localhost:8080/fail\n* Testing\n    * TEST_ENABLED - Enables the `/test` endpoint which will always return a valid JWT for a test user.\n\nPersistent Key Storage\n---\nIn some cases you may want to store the generated keypair (or use one you generated manually). In this case you should\nmount a Docker volume on `/var/lib/fafnir` and add the `KEYSTORE_PASS` and `KEY_PASS` ENV variables.\n\nIf a keystore does not already exist, one will be automatically created at startup.\n\nThe keystore is a standard JKS keystore, the key alias is \"FAFNIR\".\n\nVersion 1.x (Deprecated)\n---\nYou must provide a configuration as an ACTO_CONF environment variable. The JSON should look like this:\n\n    {\n        \"facebookAppId\": \"0\",\n        \"facebookSecret\": \"secret\",\n        \"googleAppId\": \"0\",\n        \"googleSecret\": \"secret\",\n        \"uniLoginAppId\": \"0\",\n        \"uniLoginSecret\": \"secret\",\n        \"uniLoginWSUsername\": \"username\",\n        \"uniLoginWSPassword\": \"password\",\n        \"successUrl\": \"http://localhost:8080/success\",\n        \"failureUrl\": \"http://localhost:8080/fail\",\n        \"myUrl\": \"http://localhost:8080\",\n        \"enableParameter\": false,\n        \"testMode\": false,\n        \"hazelcastUsernameIsEmail\": false\n    }\n\nThe different fields mean:\n\n* facebookAppId: Your Facebook appid, you can find this in the Facebook developer console.\n* facebookSecret: Your Facebook secret, you can find this in the Facebook developer console.\n* googleAppId: Your Google appid, you can find this in the Google 
developer console.\n* googleSecret: Your Google secret, you can find this in the Google developer console.\n* uniLoginAppId: Your unilogin appid.\n* uniLoginSecret: Your unilogin secret.\n* uniLoginWSUsername: Your unilogin webservice username.\n* uniLoginWSPassword: Your unilogin webservice password.\n* uniLoginSingleSignOn: (Default: false) Choose if unilogin should be SingleLogin (false) or SingleSignOn (true)\n* successUrl: The URL to redirect to when successful - the JWT will be appended to this URL.\n* failureUrl: The URL to redirect to when unsuccessful.\n* myUrl: The URL for the whole app.\n* enableParameter: (Default: false) How the JWT token will be appended to the URL, using URL?jwtToken=JWT for true or URL#JWT for false\n* testMode: If set to true, on startup the service/docker image will write a test token to the log. It also enables the /test endpoint, from which you can retrieve a test token programmatically.\n* hazelcastUsernameIsEmail: If set to true, the username will be treated as case insensitive when logging in. It assumes that all usernames (emails) are stored as lowercase.\n\nHow It Works\n---\nOn startup the server will generate a new secure RSA private key. This private key is kept in memory, so it will be\ndestroyed when the service shuts down (unless you've explicitly enabled persistent key storage as described above),\ninvalidating all existing JWTs. It will also expose the public key on the `/public-key` endpoint. This key is in\nX509 certificate format (aka. Base64 encoded raw data). You can use this to validate your JWT.\n\nYour JWT is returned to the success URL as a fragment, as browsers do not ordinarily send this part to the server,\nso the JWT will not bleed through to server access logs. This means that the browser is responsible for storing the JWT\nsecurely until it is needed for API requests.\n\n## Developer Setup\nBefore running this setup, you need to build the system. 
To build it, you need to run:\n\n```Bash\n$ ./gradlew build\n```\n---\nTo run \"iam\", you need to run the iam main.\n\nAfter running the main, you can access http://localhost:8082/iam/org/page/1\n\n---\n\nRunning the app with Docker:\n\n```Bash\n$ docker-compose up --build -d\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factoaps%2Ffafnir-sso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factoaps%2Ffafnir-sso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factoaps%2Ffafnir-sso/lists"}