{"id":28178558,"url":"https://github.com/ivanjosipovic/pam_oidc_auth","last_synced_at":"2026-02-13T15:27:17.624Z","repository":{"id":290888968,"uuid":"975742965","full_name":"IvanJosipovic/pam_oidc_auth","owner":"IvanJosipovic","description":"OpenID Connect (OIDC) Pluggable Authentication Module for Linux","archived":false,"fork":false,"pushed_at":"2025-05-08T02:09:30.000Z","size":58,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"alpha","last_synced_at":"2025-05-08T20:56:11.233Z","etag":null,"topics":["jwt","oauth2","oidc","pam","pam-authentication","pam-module"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IvanJosipovic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"IvanJosipovic"}},"created_at":"2025-04-30T20:30:27.000Z","updated_at":"2025-05-07T22:28:09.000Z","dependencies_parsed_at":"2025-05-01T06:33:12.175Z","dependency_job_id":null,"html_url":"https://github.com/IvanJosipovic/pam_oidc_auth","commit_stats":null,"previous_names":["ivanjosipovic/pam_oidc_auth"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fpam_oidc_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fpam_oidc_auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fpam_oidc_auth/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fpam_oidc_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IvanJosipovic","download_url":"https://codeload.github.com/IvanJosipovic/pam_oidc_auth/tar.gz/refs/heads/alpha","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254448567,"owners_count":22072765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","oauth2","oidc","pam","pam-authentication","pam-module"],"created_at":"2025-05-16T01:12:41.624Z","updated_at":"2026-02-13T15:27:17.587Z","avatar_url":"https://github.com/IvanJosipovic.png","language":"C#","funding_links":["https://github.com/sponsors/IvanJosipovic"],"categories":[],"sub_categories":[],"readme":"# OpenID Connect (OIDC) Pluggable Authentication Module for Linux\n\n## What is this?\n\nThis project is a Pluggable Authentication Module (PAM) for Linux that implements OpenID Connect (OIDC)-based authentication.\n\n## Features\n- Automatic discovery via the `/.well‑known/openid‑configuration` endpoint\n- JWT Validation\n  - Signature and key verification\n  - Issuer, audience, expiry, and not‑before (`nbf`) checks\n- Configurable username claim (defaults to `sub`)\n- Pre‑built binaries for x64 and arm64\n## Installation\n1. Download the appropriate binary from [Releases](https://github.com/IvanJosipovic/pam_oidc_auth/releases) and copy it to\n    - x64  `/lib/x86_64-linux-gnu/security/pam_oidc_auth.so`\n    - arm64 `/lib/aarch64-linux-gnu/security/pam_oidc_auth.so`\n1. 
Set permissions: `chmod 555 /lib/x86_64-linux-gnu/security/pam_oidc_auth.so`\n1. Create a file named `/etc/pam.d/oidc_auth`\n1. Enter the following lines and update the parameters:\n    ```\n    auth required pam_oidc_auth.so discovery_url=https://{issuer}/.well-known/openid-configuration audience={audience}\n    account required pam_oidc_auth.so\n    ```\n    - Parameters:\n      - Name: `discovery_url`\n        - Description: URL to the OpenID Connect discovery document, e.g. `https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration`\n        - Required: true\n      - Name: `audience`\n        - Description: The audience claim in the JWT token. This is usually the client ID of the application.\n        - Required: true\n      - Name: `username_claim`\n        - Description: The claim in the JWT token that will be used as the username. If not specified, it defaults to `sub`.\n        - Required: false\n\n## Testing\n1. Download [pamtester](https://pamtester.sourceforge.net)\n\n2. Run `pamtester -v oidc_auth name@company.com authenticate`\n\n3. When prompted, enter a JWT token provided by your issuer\n\nThe output should look like this:\n```\npamtester -v oidc_auth name@company.com authenticate\npamtester: invoking pam_start(oidc_auth, name@company.com, ...)\npamtester: performing operation - authenticate\nPassword:\npamtester: successfully authenticated\n```\n\n## Postgres\n1. Complete the Installation steps above\n1. Update `/var/lib/postgresql/data/pg_hba.conf`\n    - `host all all all pam pamservice=oidc_auth`\n1. 
Create the user, replacing `someuser@company.com` with the value of the username claim, which defaults to the `sub` claim.\n    ```\n    CREATE ROLE \"someuser@company.com\" LOGIN PASSWORD NULL;\n    GRANT CONNECT ON DATABASE postgres TO \"someuser@company.com\";\n    ```\n[Example](/tests/pam_oidc_auth_tests/Dockerfile.postgres#L63-L69)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivanjosipovic%2Fpam_oidc_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivanjosipovic%2Fpam_oidc_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivanjosipovic%2Fpam_oidc_auth/lists"}