{"id":31006450,"url":"https://github.com/emfcamp/uffd","last_synced_at":"2026-04-02T16:07:46.847Z","repository":{"id":310263097,"uuid":"1036121456","full_name":"emfcamp/uffd","owner":"emfcamp","description":"Official upstream: https://git.cccv.de/uffd/uffd","archived":false,"fork":false,"pushed_at":"2025-08-18T19:10:26.000Z","size":10385,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-13T02:22:36.398Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/emfcamp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-11T15:32:40.000Z","updated_at":"2025-08-22T21:55:33.000Z","dependencies_parsed_at":"2025-09-13T02:33:22.460Z","dependency_job_id":null,"html_url":"https://github.com/emfcamp/uffd","commit_stats":null,"previous_names":["lukegb/uffd","emfcamp/uffd"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/emfcamp/uffd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emfcamp%2Fuffd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emfcamp%2Fuffd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emfcamp%2Fuffd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emfcamp%2Fuffd/manifests","owner_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/owners/emfcamp","download_url":"https://codeload.github.com/emfcamp/uffd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emfcamp%2Fuffd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29441257,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T07:24:13.446Z","status":"ssl_error","status_checked_at":"2026-02-14T07:23:58.969Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-13T02:13:08.463Z","updated_at":"2026-02-14T09:09:37.314Z","avatar_url":"https://github.com/emfcamp.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Uffd\n\nUffd (UserFerwaltungsFrontend) is a web-based user management and single sign-on software.\n\nDevelopment chat: [#uffd-development](https://rocket.cccv.de/channel/uffd-development)\n\n## Dependencies\n\nPlease note that we refer to Debian packages here and **not** pip packages.\n\n- python3\n- python3-flask\n- python3-flask-sqlalchemy\n- python3-flask-migrate\n- python3-qrcode\n- python3-fido2 (version 0.5.0 or 0.9.1, optional)\n- python3-prometheus-client (optional, needed for metrics)\n- python3-jwt\n- python3-cryptography\n- python3-flask-babel\n- python3-argon2\n- python3-itsdangerous (also a dependency of python3-flask)\n- python3-mysqldb or python3-pymysql for 
MariaDB support\n- python3-ua-parser (optional, better user agent parsing)\n\nSome of the dependencies (especially fido2) changed their API in recent versions, so make sure to install the versions from Debian Bookworm, Bullseye or Buster.\nFor development, you can also use virtualenv with the supplied `requirements.txt`.\n\n## Development\n\nBefore running uffd, you need to create the database with `flask db upgrade`. The database is placed in\n`instance/uffd.sqlit3`.\n\nThen use `flask run` to start the application:\n\n```\nFLASK_APP=uffd flask db upgrade\nFLASK_APP=uffd FLASK_ENV=development flask run\n```\n\nDuring development, you may want to create some example data:\n\n```\nexport FLASK_APP=uffd\nflask group create 'uffd_access' --description 'Access to Single-Sign-On and Selfservice'\nflask group create 'uffd_admin' --description 'Admin access to uffd'\nflask role create 'base' --default --add-group 'uffd_access'\nflask role create 'admin' --add-group 'uffd_admin'\nflask user create 'testuser' --password 'userpassword' --mail 'test@example.com' --displayname 'Test User'\nflask user create 'testadmin' --password 'adminpassword' --mail 'admin@example.com' --displayname 'Test Admin' --add-role 'admin'\n```\n\nAfterwards you can login as a normal user with \"testuser\" and \"userpassword\", or as an admin with \"testadmin\" and \"adminpassword\".\n\n## Deployment\n\nDo not use `pip install uffd` for production deployments!\nThe dependencies of the pip package roughly represent the versions shipped by Debian stable.\nWe do not keep them updated and we do not test the pip package!\nThe pip package only exists for local testing/development and to help build the Debian package.\n\nWe provide packages for Debian stable, oldstable and oldoldstable (currently Bookworm, Bullseye and Buster).\nSince all dependencies are available in the official package mirrors, you will get security updates for everything but uffd itself from Debian.\n\nTo install uffd on Debian 
Bullseye, add our package mirror to `/etc/sources.list`:\n\n```\ndeb https://packages.cccv.de/uffd bullseye main\n```\n\nThen download [cccv-archive-key.gpg](https://packages.cccv.de/docs/cccv-archive-key.gpg) and add it to the trusted repository keys in `/etc/apt/trusted.gpg.d/`.\nAfterwards run `apt update \u0026\u0026 apt install uffd` to install the package.\n\nThe Debian package uses uwsgi to run uffd and ships an `uffd-admin` script to execute flask commands in the correct context.\nIf you upgrade, make sure to run `flask db upgrade` after every update! The Debian package takes care of this by itself using uwsgi pre start hooks.\nFor an example uwsgi config, see our [uwsgi.ini](uwsgi.ini). You might find our [nginx include file](nginx.include.conf) helpful to set up a web server in front of uwsgi.\n\nUffd supports SQLite and MariaDB. To use MariaDB, create the database with the options `CHARACTER SET utf8mb4 COLLATE utf8mb4_nopad_bin` and make sure to add the `?charset=utf8mb4` parameter to `SQLALCHEMY_DATABASE_URI`.\n\n## Python Coding Style Conventions\n\nPEP 8 without double new lines, tabs instead of spaces and a max line length of 160 characters.\nWe ship a [pylint](https://pylint.org/) config to verify changes with.\n\n## Configuration\n\nUffd reads its default config from `uffd/default_config.cfg`.\nYou can overwrite config variables by creating a config file in the `instance` folder.\nThe file must be named `config.cfg` (Python syntax), `config.json` or `config.yml`/`config.yaml`.\nYou can also set a custom file path with the environment variable `CONFIG_PATH`.\n\n## OAuth2 Single-Sign-On Provider\n\nOther services can use uffd as an OAuth2.0-based authentication provider.\nThe required credentials (client_id, client_secret and redirect_uris) for these services are defined in the config.\nThe services need to be set up to use the following URLs with the Authorization Code Flow:\n\n* `/oauth2/authorize`: authorization endpoint\n* `/oauth2/token`: token 
request endpoint\n* `/oauth2/userinfo`: endpoint that provides information about the current user\n\nIf the service supports server metadata discovery ([RFC 8414](https://www.rfc-editor.org/rfc/rfc8414)), configuring the base URL of your uffd installation or `/.well-known/openid-configuration` as the discovery endpoint should be sufficient.\n\nThe only OAuth2 scope supported is `profile`. The userinfo endpoint returns JSON data with the following structure:\n\n```\n{\n  \"id\": 10000,\n  \"name\": \"Test User\",\n  \"nickname\": \"testuser\",\n  \"email\": \"testuser@example.com\",\n  \"groups\": [\n    \"uffd_access\",\n    \"users\"\n  ]\n}\n```\n\n`id` is the numeric (Unix) user id, `name` the display name and `nickname` the login name of the user.\n\n## OpenID Connect Single-Sign-On Provider\n\nIn addition to plain OAuth2, uffd also has basic OpenID Connect support.\nEndpoint URLs are the same as for plain OAuth2.\nOpenID Connect support is enabled by requesting the `openid` scope.\nID token signing keys are served at `/oauth2/keys`.\n\nSee the [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) specification for more details.\n\nSupported flows and response types:\n\n* Only Authorization Code Flow with `code` response type\n\nSupported scopes:\n\n* `openid`: Enables OpenID Connect support and returns mandatory `sub` claim\n* `profile`: Returns `name` and `preferred_username` claims\n* `email`: Returns `email` and `email_verified` claims\n* `groups`: Returns non-standard `groups` claim\n\nSupported claims:\n\n* `sub` (string): Decimal encoded numeric (Unix) user id\n* `name` (string): Display name\n* `preferred_username` (string): Login name\n* `email` (string): Service-specific or primary email address\n* `email_verified` (boolean): Verification status of `email` value (always `true`)\n* `groups` (array of strings): Names of groups the user is a member of (non-standard)\n\nuffd supports the optional `claims` authorization request 
parameter for requesting claims individually.\n\nNote that there is an IANA-registered `groups` claim with a syntax borrowed from [SCIM](https://www.rfc-editor.org/rfc/rfc7643.html).\nThe syntax used by uffd is different and incompatible, although arguably more common for a claim named \"groups\" in this context.\n\nuffd aims for compliance with OpenID provider conformance profiles Basic and Config.\nIt is, however, not a certified OpenID provider and it has the following limitations:\n\n* Only the `none` value for the `prompt` authorization request parameter is recognized. Other values (`login`, `consent` and `select_account`) are ignored.\n* The `max_age` authorization request parameter is not supported and ignored by uffd.\n* The `auth_time` claim is not supported and neither returned if the `max_age` authorization request parameter is present nor if it is requested via the `claims` parameter.\n* Requesting the `sub` claim with a specific value for the ID Token (or passing the `id_token_hint` authorization request parameter) is only supported if the `prompt` authorization request parameter is set to `none`. The authorization request is rejected otherwise.\n\n## Metrics\n\nUffd can export metrics in a Prometheus-compatible way. It needs python3-prometheus-client for this feature to work.\nMetrics can be accessed via `/metrics` and `/api/v1/metrics_prometheus`.\nThose endpoints are protected via API credentials. Add prometheus in the uffd UI as a service and create an\nAPI client with the `metrics` permission. 
Then you can access the metrics like this:\n\n```\n$ curl localhost:5000/api/v1/metrics_prometheus --user api-user:api-password\n# HELP python_info Python platform information\n# TYPE python_info gauge\npython_info{implementation=\"CPython\",major=\"3\",minor=\"9\",patchlevel=\"2\",version=\"3.9.2\"} 1.0\n# HELP uffd_version_info Various version infos\n# TYPE uffd_version_info gauge\nuffd_version_info{version=\"local\"} 1.0\n[..]\n```\n\n## Translation\n\nThe web frontend is initially written in English and translated into the following languages:\n\n![status](https://git.cccv.de/uffd/uffd/badges/master/coverage.svg?job=trans_de\u0026key_text=DE)\n\nThe selection uses the browser's language header by default but can be overridden via a UI element.\nYou can specify the available languages in the config.\n\nUse `update_translations.sh` to update the translation files.\n\n## License\n\nGNU Affero General Public License v3.0, see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femfcamp%2Fuffd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Femfcamp%2Fuffd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femfcamp%2Fuffd/lists"}