# Omejdn _(Bavarian for "Log in")_

[![build-server](https://github.com/Fraunhofer-AISEC/omejdn-server/actions/workflows/build-server.yml/badge.svg)](https://github.com/Fraunhofer-AISEC/omejdn-server/actions/workflows/build-server.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Fraunhofer-AISEC/omejdn-server?sort=semver)

![Omejdn](public/img/logo.jpg)

Repository: https://github.com/Fraunhofer-AISEC/omejdn-server (Ruby, Apache-2.0 license)

Omejdn is a minimal but extensible OAuth 2.0/OpenID Connect server used for ...

1. IoT devices which use their private keys to request OAuth2 access tokens in order to access protected resources
2. Websites or apps which retrieve user attributes

It is used as the _Dynamic Attribute Provisioning Service (DAPS)_ prototype of
the [Industrial Data Space](https://industrial-data-space.github.io/trusted-connector-documentation/).

Some of Omejdn's core features include:

* Database-free, easy-to-read configuration files
* Integration of existing LDAP directory services
* Fully configurable through the Admin API Plugin
* A User Selfservice API Plugin
* Standards compliance (see below)


**IMPORTANT**: Omejdn is meant to be a research sandbox in which we can
(re)implement standard protocols and potentially extend and modify functionality
under the hood to support research projects.
Use at your own risk!
At a minimum, take a look at the documentation for production setups.

---

## Quickstart

The main configuration file is `config/omejdn.yml`.
It will be generated when you first run Omejdn.
The default values result in a plain OAuth 2.0 server with no OpenID support
and no way to add users via an API, served at `http://localhost:4567`.

Depending on your use case, you might want to at least configure the following options:

* `issuer: https://example.org` defines Omejdn's Issuer Identifier. It is used for finding Omejdn's endpoints.
* `front_url: https://example.org/auth` should point to where Omejdn is mounted. Defaults to `issuer` above.
  If the two values differ or have a path segment, make sure to relay the well-known endpoints for the issuer according to the documentation.
* `openid: true` enables OpenID functionality.
* `accept_audience` should include the issuer identifier and `$front_url/token`.
  Client assertions (RFC 7523) name the authorization server in their `aud` claim, so this list must contain the values your clients will actually use.
  Delete this config option to generate a default one for your setup.

To start Omejdn, simply execute

```
$ bundle config set --local with omejdn
$ bundle config set --local without plugins development # Drop this line to install the plugin and development dependencies (needed for more complex setups and development)
$ bundle install
$ ruby omejdn.rb
```

You may now add clients and users as described below, and request access tokens for them.
The token endpoint is `/token` and the authorization endpoint is `/authorize`,
as advertised at `/.well-known/oauth-authorization-server`.

For testing purposes, a script for creating JWT Bearer Tokens for client authentication is located at `scripts/create_test_token.rb`.

## Configuration

This section provides only a very brief overview of the possible configuration options.
When in doubt, take a look at the documentation in `/docs`.
By default, all configuration options are specified in files under `/config` and `/keys`.
Omejdn's plugin system, however, allows them to be located almost anywhere (including databases, remote locations, ...).

### Signing keys

The server public/private key pair used to sign tokens is located at `keys/omejdn/omejdn.key` in PEM format.
This file will be auto-generated if it does not exist.
If you would like to use your own key, simply replace this file.
You may place other keys and certificates in this folder to have them advertised via the JWKS endpoint (e.g. for key rollover).

### Clients

Clients are configured in `config/clients.yml` using the client registration parameters.
A minimal public client needs to have

- a unique `client_id`
- a `token_endpoint_auth_method` with a value of `none`
- at least one value listed under `redirect_uris`
- at least one value listed under `scope`

### Users

Users are configured in `config/users.yml`.
Each user has at least a `username`, a `password`, and an (initially empty) array of `attributes`,
which are (in their simplest form) key-value pairs describing information about the user. For instance:

```yaml
- key: given_name
  value: Alice
```

For more complex setups take a look at the documentation.

### Scopes and Attributes

A client can request any subset of the scopes listed under `scope` in its client configuration.
If you define a set of attributes for a scope in `config/scope_mapping.yml`,
the `userinfo` endpoint response will also include these attributes for OpenID requests.

(Note: You can also add those attributes to the Access and ID Tokens.
Have a look at the `attributes` claim mapper plugin.)

Scopes of the form `k:v` are granted if the resource owner (the user in authorization code flows) has an attribute with key `k` and value `v`.
Other scopes are granted if the resource owner has at least one attribute which the scope under consideration maps to.
See the documentation for details.

In `config/scope_description.yml` you can configure a short description string
which is displayed to the user in an OpenID Connect flow upon requesting authorization.

There are some special predefined scopes you may want to use:

  - `openid`, `profile`, `email`: These scopes are defined by OpenID.
  - `omejdn:*`: These scopes are reserved for use with Omejdn and its APIs.
  Values include:
    - `omejdn:read` and `omejdn:write` for access to the User Selfservice API Plugin.
    - `omejdn:admin` for access to the Omejdn Admin API Plugin.

### Plugins

Omejdn's functionality can be customized through the use of plugins.
For more information please take a look at the documentation.

## Using the Omejdn Docker Image

Omejdn comes with its own Docker images, which you can either grab from ghcr.io,
or build yourself like so:

```
$ docker build . -t my-omejdn-server
$ docker run -d --name=omejdn -p 4567:4567 \
              -v $PWD/config:/opt/config \
              -v $PWD/keys:/opt/keys my-omejdn-server
```

Most of Omejdn's core features (excluding plugins) can be configured via environment variables, by upper-casing the config option and prepending `OMEJDN_`.
For instance, setting `OMEJDN_ISSUER` will overwrite the `issuer` configuration option.

To add an admin user, set `OMEJDN_ADMIN` to `username:password`.

## Supported Standards

This server mostly implements the following standards (potentially via plugins):

- Web Authorization Protocol (oauth)
  * [RFC 6749](https://datatracker.ietf.org/doc/rfc6749/) - The OAuth 2.0 Authorization Framework
  * [RFC 6750](https://datatracker.ietf.org/doc/rfc6750/) - The OAuth 2.0 Authorization Framework: Bearer Token Usage
  * [RFC 7519](https://datatracker.ietf.org/doc/rfc7519/) - JSON Web Token (JWT)
  * [RFC 7521](https://datatracker.ietf.org/doc/rfc7521/) - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  * [RFC 7523](https://datatracker.ietf.org/doc/rfc7523/) - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
  * [RFC 7636](https://datatracker.ietf.org/doc/rfc7636/) - Proof Key for Code Exchange by OAuth Public Clients
  * [RFC 8414](https://datatracker.ietf.org/doc/rfc8414/) - OAuth 2.0 Authorization Server Metadata
  * [RFC 8707](https://datatracker.ietf.org/doc/rfc8707/) - Resource Indicators for OAuth 2.0
  * [RFC 9068](https://datatracker.ietf.org/doc/rfc9068/) - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
  * [RFC 9101](https://datatracker.ietf.org/doc/rfc9101/) - The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
  * [RFC 9126](https://datatracker.ietf.org/doc/rfc9126/) - OAuth 2.0 Pushed Authorization Requests
  * [RFC 9207](https://datatracker.ietf.org/doc/rfc9207/) - OAuth 2.0 Authorization Server Issuer Identification
- OpenID Connect Protocol Suite
  * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
  * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
  * [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
- Other Standards
  * [RFC 7033](https://datatracker.ietf.org/doc/rfc7033/) - WebFinger
- Internet Drafts
  * [draft-spencer-oauth-claims-01](https://www.ietf.org/archive/id/draft-spencer-oauth-claims-01.txt)
  * [draft-ietf-oauth-security-topics-19](https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/)
  * [draft-ietf-oauth-v2-1-05](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/)


**NOTE**: Omejdn only implements *two* grant types:

  - `client_credentials`, with clients authenticating through JWT bearer assertions as specified in RFC 7523.
  - `authorization_code`, for OpenID Connect.

In particular, it does *not* implement the [JWT bearer authorization grant](https://tools.ietf.org/html/rfc7523#section-2.1)
or the [Implicit Grant](https://tools.ietf.org/html/rfc6749#section-4.2).

The *only* OpenID Connect authorization flow supported is the authorization code
flow (with or without [PKCE](https://tools.ietf.org/html/rfc7636)).
As recommended by the
[OAuth 2.0 Security Best Current Practice document](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14),
these are the only grant types we will likely support for OAuth 2.0 and OpenID Connect.

## Directory Structure

Omejdn uses the following directory structure:

```
\_ omejdn.rb                 (Omejdn Source code)
\_ lib/                      (Additional Source code)
\_ plugins/                  (Plugin Source code)
\_ config/
    \_ omejdn.yml            (The main configuration file)
    \_ clients.yml           (Client configuration file)
    \_ webfinger.yml         (Webfinger configuration)
    \_ oauth_providers.yml   (To configure external OpenID Providers)
    \_ scope_description.yml (Human-readable strings for Scopes)
    \_ scope_mapping.yml     (Mapping Scopes to Attributes)
\_ keys/
    \_ omejdn/               (Keys and Certificates to be JWKS-advertised)
        \_ omejdn.key        (The OAuth2 server private key)
    \_ clients/              (The public key certificates for clients)
\_ views/                    (Web-Pages)
\_ public/                   (Additional frontend resources (CSS+Images))
\_ docs/                     (Documentation)
\_ tests/
    \_ test_*.rb             (Unit and E2E tests for Omejdn)
    \_ test_resources/       (Test vectors)
\_ scripts/                  (Convenience Scripts)
```
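The Quickstart's `accept_audience` setting and the `client_credentials` grant with RFC 7523 client authentication described above come together in the exchange below. This is an added example written for this page, not code from Omejdn or its `scripts/create_test_token.rb`: it builds the client assertion a device would present at `/token`, assembles the form parameters of the request, and then performs the checks an authorization server has to make before trusting that assertion (pinned algorithm, signature under the key registered for the claimed `client_id`, accepted audience, expiry). The issuer `https://example.org`, the `client_id` `sensor-01`, the `client_keys` lookup table and the `ACCEPT_AUDIENCE` list are assumptions for illustration; a real deployment would load the client's certificate from `keys/clients/` and the audience list from `config/omejdn.yml`.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed values for illustration (assumptions, not Omejdn defaults):
# the issuer suggested in the Quickstart and the token endpoint derived from it.
ISSUER          = 'https://example.org'
TOKEN_ENDPOINT  = "#{ISSUER}/token"
# What `accept_audience` would hold for that setup: the issuer and `$front_url/token`.
ACCEPT_AUDIENCE = [ISSUER, TOKEN_ENDPOINT].freeze

# base64url without padding (RFC 7515 section 2), using only the core library.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Client side: the assertion a device presents at /token (RFC 7523 section 3).
# iss and sub are the client_id, aud names the authorization server, and the
# lifetime is short so a captured assertion is useless after a minute.
def build_client_assertion(client_id:, key:, aud: TOKEN_ENDPOINT, now: Time.now.to_i, ttl: 60, alg: 'RS256')
  header  = { alg: alg, typ: 'JWT' }
  payload = { iss: client_id, sub: client_id, aud: aud,
              iat: now, exp: now + ttl, jti: SecureRandom.hex(16) }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# The form body of the matching client_credentials request (RFC 7523 section 2.2).
def token_request_params(assertion:, scope:)
  {
    'grant_type'            => 'client_credentials',
    'scope'                 => scope,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion'      => assertion
  }
end

# Server side: the checks an authorization server makes before trusting the
# assertion. `client_keys` maps client_id to the registered public key (the
# role played by the certificates under keys/clients/). Returns [ok, client_id_or_reason].
def verify_client_assertion(jwt, client_keys:, accept_audience: ACCEPT_AUDIENCE, now: Time.now.to_i)
  parts = jwt.split('.')
  return [false, 'malformed'] unless parts.length == 3
  header  = JSON.parse(b64url_decode(parts[0]))
  payload = JSON.parse(b64url_decode(parts[1]))
  # Pin the algorithm: the token must not get to choose 'none' or an HMAC variant.
  return [false, 'unsupported alg'] unless header['alg'] == 'RS256'
  client_id = payload['iss']
  return [false, 'unknown client'] unless client_id.is_a?(String) && payload['sub'] == client_id && client_keys.key?(client_id)
  # Verify the signature with the key registered for that client before relying on any other claim.
  signature = b64url_decode(parts[2])
  valid = client_keys[client_id].verify(OpenSSL::Digest.new('SHA256'), signature, "#{parts[0]}.#{parts[1]}")
  return [false, 'bad signature'] unless valid
  # aud may be a string or an array; at least one value must be one this server accepts.
  return [false, 'audience mismatch'] if (Array(payload['aud']) & accept_audience).empty?
  return [false, 'expired'] unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  [true, client_id]
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  [false, 'malformed']
end
```

The audience check is the reason the Quickstart tells you to keep `accept_audience` in step with `issuer` and `front_url`: a device that was given the public URL of the server will put exactly that URL into `aud`, and if the list does not contain it every otherwise valid assertion is refused.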
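The Clients, Users and Scopes and Attributes sections above describe three configuration files and two granting rules (`k:v` scopes need a matching attribute, other scopes need at least one attribute they map to, and a client can only request scopes it was registered with). The following added example, written for this page and not taken from Omejdn, puts sample documents in those shapes through an implementation of exactly those rules and derives the attributes a `userinfo` response would release. The user, client and mapping contents, the assumption that `scope_mapping.yml` maps a scope name to a list of attribute keys, and the placeholder password strings are constructed for illustration; the `openid` scope is deliberately left out because the text gives no attribute rule for it.

```ruby
require 'yaml'

# Constructed users.yml-style entries (sample data, not a shipped file).
USERS_YML = <<~YAML
  - username: alice
    password: "<hashed-password>"
    attributes:
      - key: given_name
        value: Alice
      - key: email
        value: alice@example.org
      - key: role
        value: auditor
  - username: bob
    password: "<hashed-password>"
    attributes:
      - key: given_name
        value: Bob
YAML

# Constructed scope_mapping.yml-style document: scope -> attribute keys it releases (assumed shape).
SCOPE_MAPPING_YML = <<~YAML
  profile:
    - given_name
    - family_name
  email:
    - email
YAML

# A minimal public client in the shape of clients.yml, with the four fields the README requires.
CLIENT_YML = <<~YAML
  client_id: dashboard
  token_endpoint_auth_method: none
  redirect_uris:
    - https://dashboard.example.org/callback
  scope:
    - profile
    - email
    - role:auditor
YAML

# Attributes of one resource owner as [key, value] pairs; unknown users have none.
def attributes_of(users, username)
  user = users.find { |u| u['username'] == username }
  user ? Array(user['attributes']).map { |a| [a['key'], a['value']] } : []
end

# The two granting rules from the README applied to a single requested scope.
def scope_granted?(scope, attributes, mapping)
  if scope.include?(':')
    key, value = scope.split(':', 2)                      # `k:v`: needs attribute k == v
    attributes.any? { |k, v| k == key && v == value }
  else
    keys = Array(mapping[scope])                          # mapped scope: needs any mapped attribute
    attributes.any? { |k, _| keys.include?(k) }
  end
end

# Scopes outside the client's registration are dropped before the attribute rules run,
# so a client cannot widen its own reach just by asking for more.
def grant_scopes(requested, client, attributes, mapping)
  allowed = requested & Array(client['scope'])
  allowed.select { |s| scope_granted?(s, attributes, mapping) }
end

# userinfo-style claims: only attributes released by granted scopes leave the server.
def userinfo_claims(granted, attributes, mapping)
  keys = granted.flat_map { |s| Array(mapping[s]) }
  attributes.select { |k, _| keys.include?(k) }.to_h
end

def demo
  users   = YAML.safe_load(USERS_YML)
  mapping = YAML.safe_load(SCOPE_MAPPING_YML)
  client  = YAML.safe_load(CLIENT_YML)
  requested = %w[profile email role:auditor omejdn:admin]
  %w[alice bob].map do |name|
    attrs   = attributes_of(users, name)
    granted = grant_scopes(requested, client, attrs, mapping)
    [name, granted, userinfo_claims(granted, attrs, mapping)]
  end
end
```

Running `demo` shows the asymmetry the rules produce: Alice receives `profile`, `email` and `role:auditor`, while Bob, who has no `email` attribute and no `role` attribute, ends up with `profile` only, and `omejdn:admin` is refused for both because the client never registered it. If you give the client `omejdn:admin` in its `scope` list, the `k:v` rule then decides it per user, which is why the reserved `omejdn:*` scopes should be registered only for clients that are meant to reach the admin and selfservice APIs.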