{"id":13393647,"url":"https://github.com/buzzfeed/sso","last_synced_at":"2025-05-14T12:09:06.192Z","repository":{"id":37951898,"uuid":"145011089","full_name":"buzzfeed/sso","owner":"buzzfeed","description":"sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services","archived":false,"fork":false,"pushed_at":"2024-05-30T11:24:45.000Z","size":3175,"stargazers_count":3090,"open_issues_count":87,"forks_count":184,"subscribers_count":53,"default_branch":"main","last_synced_at":"2024-10-29T15:34:46.712Z","etag":null,"topics":["aes","authentication","go","oauth","security","sso"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buzzfeed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-16T16:06:36.000Z","updated_at":"2024-10-18T13:43:32.000Z","dependencies_parsed_at":"2024-11-19T04:17:16.062Z","dependency_job_id":"1fd4c04d-9b02-4b6e-b6c3-445d50429acf","html_url":"https://github.com/buzzfeed/sso","commit_stats":{"total_commits":197,"total_committers":30,"mean_commits":6.566666666666666,"dds":0.7157360406091371,"last_synced_commit":"8f2d3aca98d40e4469b81a7c32bb4d6bc1360087"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buzzfeed%2Fsso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buzzfeed%2Fsso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buzzfeed%2F
sso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buzzfeed%2Fsso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buzzfeed","download_url":"https://codeload.github.com/buzzfeed/sso/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247968370,"owners_count":21025823,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","authentication","go","oauth","security","sso"],"created_at":"2024-07-30T17:00:58.009Z","updated_at":"2025-04-09T03:10:48.548Z","avatar_url":"https://github.com/buzzfeed.png","language":"Go","readme":"# sso\n\n\u003e See our launch [blog post](https://tech.buzzfeed.com/unleashing-the-a6a1a5da39d6) for more information!\n\n[![CircleCI](https://circleci.com/gh/buzzfeed/sso.svg?style=svg)](https://circleci.com/gh/buzzfeed/sso)\n[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](http://opensource.org/licenses/MIT)\n[![Docker Automated build](https://img.shields.io/docker/automated/buzzfeed/sso.svg)](https://hub.docker.com/r/buzzfeed/sso/)\n[![codecov.io](https://codecov.io/github/buzzfeed/sso/coverage.svg?branch=main)](https://codecov.io/github/buzzfeed/sso?branch=main)\n\n\n\u003cimg src=\"https://user-images.githubusercontent.com/10510566/44476420-a64e5980-a605-11e8-8ad9-2820109deb75.png\" width=\"128px\"\u003e\n\n\u003e Please take the [SSO Community Survey][sso_survey] to let us know how we're doing, and to help us plan our roadmap!\n\n----\n\n**sso** — lovingly known as *the S.S. 
Octopus* or *octoboi* — is the\nauthentication and authorization system BuzzFeed developed to provide a secure,\nsingle sign-on experience for access to the many internal web apps used by our\nemployees.\n\nIt depends on Google as its authoritative OAuth2 provider, and authenticates\nusers against a specific email domain. Further authorization based on Google\nGroup membership can be required on a per-upstream basis.\n\nThe main idea behind **sso** is a \"double OAuth2\" flow, where `sso-auth` is the\nOAuth2 provider for `sso-proxy` and Google is the OAuth2 provider for `sso-auth`.\n\n[sso](https://github.com/buzzfeed/sso) is built on top of Bitly’s open source [oauth2_proxy](https://github.com/bitly/oauth2_proxy).\n\nIn a nutshell:\n\n- If a user visits an `sso-proxy`-protected service (`foo.sso.example.com`) and does not have a session cookie, they are redirected to `sso-auth` (`sso-auth.example.com`).\n   - If the user **does not** have a session cookie for `sso-auth`,\n     they are prompted to log in via the usual Google OAuth2 flow, and then\n     redirected back to `sso-proxy` where they will now be logged in (to\n     `foo.sso.example.com`)\n   - If the user *does* have a session cookie for `sso-auth` (e.g. they\n     have already logged into `bar.sso.example.com`), they are\n     transparently redirected back to `sso-proxy` where they will be logged in,\n     without needing to go through the Google OAuth2 flow\n- `sso-proxy` transparently re-validates \u0026 refreshes the user's session with `sso-auth`\n\n## Installation\n\n- [Prebuilt binary releases](https://github.com/buzzfeed/sso/releases)\n- [Docker][docker_hub]\n- `go get github.com/buzzfeed/sso/cmd/...`\n\n## Quickstart\n\nFollow our [Quickstart guide](docs/quickstart.md) to spin up a local deployment\nof **sso** to get a feel for how it works!\n\n## Code of Conduct\n\nHelp us keep **sso** open and inclusive. 
Please read and follow our [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## Contributing\n\nContributions to **sso** are welcome! Please follow our [contribution guideline](CONTRIBUTING.md).\n\n### Issues\n\nPlease file any issues you find in our [issue tracker](https://github.com/buzzfeed/sso/issues).\n\n### Security Vulns\n\nIf you come across any security vulnerabilities with the **sso** repo or software, please email security@buzzfeed.com. In your email, please request access to our [bug bounty program](https://hackerone.com/buzzfeed) so we can compensate you for any valid issues reported.\n\n## Maintainers\n\n**sso** is actively maintained by the BuzzFeed Infrastructure teams.\n\n## Notable forks\n\n - [pomerium](https://github.com/pomerium/pomerium) an identity-access proxy, inspired by BeyondCorp.\n\n[docker_hub]: https://hub.docker.com/r/buzzfeed/sso/\n[sso_survey]: https://docs.google.com/forms/d/e/1FAIpQLSeRjf66ZSpMkSASMbYebx6QvECYRj9nUevOhUF2huw53sE6_g/viewform\n","funding_links":[],"categories":["Go","Open Source Software","Go (134)","go","security","`Authentication`","Authentication"],"sub_categories":["`SSO (Single-Sign-On)`","SSO"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuzzfeed%2Fsso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuzzfeed%2Fsso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuzzfeed%2Fsso/lists"}