{"id":16729093,"url":"https://github.com/keithduncan/oidc-provider","last_synced_at":"2025-10-24T04:54:02.712Z","repository":{"id":144668858,"uuid":"461638803","full_name":"keithduncan/oidc-provider","owner":"keithduncan","description":"OpenID Connect Identity Provider Rails engine with support for per-tenant keysets","archived":false,"fork":false,"pushed_at":"2022-02-21T00:41:11.000Z","size":180,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-24T10:04:03.290Z","etag":null,"topics":["oidc-provider","rails-engine"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keithduncan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-20T22:56:32.000Z","updated_at":"2024-07-05T13:51:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"479e33fe-3a25-4833-8769-44319975cb36","html_url":"https://github.com/keithduncan/oidc-provider","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithduncan%2Foidc-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithduncan%2Foidc-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithduncan%2Foidc-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithduncan%2Foidc-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keithduncan","download_url":"https://codeload.github.com/keithduncan/oidc-provider/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248208563,"owners_count":21065202,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oidc-provider","rails-engine"],"created_at":"2024-10-12T23:26:52.586Z","updated_at":"2025-10-24T04:53:57.679Z","avatar_url":"https://github.com/keithduncan.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenID Connect Provider\n\nProof-of-concept OpenID Connect provider Rails engine with support for\nper-tenant keysets.\n\nTenants can be arbitrarily deep in your object model. For example, your keyset\ncould be service-wide, per-organisation, or per-organisation resource. Whatever\nmakes sense to be a root of trust in your object model.\n\n\u003cimg width=\"1129\" alt=\"Diagram of a data model showing different OIDC keyset placements, service-wide e.g. GitHub Actions, per-org, and per-org resource e.g. AWS EKS Clusters\" src=\"https://user-images.githubusercontent.com/22101/154870621-178cc98c-e83a-44b9-9877-2d124e5efefa.png\"\u003e\n\nWhile you can use a single service-wide root of trust for your provider and\ndisambiguate principals using a subject claim (a la GitHub Actions), this engine\nsupports multiple roots providing more isolation between principals.\n\nMount the engine in your application’s routes at a path parameterised by the\ntenant in your model with an associated keyset e.g. `/organization/:org_slug/oidc`.\nThe engine renders resources for `.well-known/openid-configuration` and `keyset`\nallowing mounted instances to function as an OpenID Connect Identity Provider (IdP)\nfor a relying party (RP) such as AWS IAM.\n\n## Usage\n\n1. Install the gem.\n2. Install and run the engine’s migrations `rake oidc:install:migrations db:migrate`.\n3. Add a `belongs_to` relationship from your tenant to an `Oidc::Keyset`.\n4. Backfill or create just-in-time keysets for your tenants.\n5. Create a database (`Oidc::Key::Db`) or AWS KMS (`Oidc::Key::Kms`) signing key\nfor each keyset, see [Keys](#keys).\n\n6. Mount the Rails engine in your routes as a resource on your model’s root of\ntrust, e.g.:\n\n```ruby\nRails.application.routes.draw do\n  resources :organizations, only: [:show] do\n    mount Oidc::Engine, at: \"oidc\", as: \"oidc\"\n  end\nend\n```\n\n7. Provide an `Oidc.keyset_lookup` function in `config/initializers/oidc.rb`\nthat uses the route params to look up and return the tenant’s keyset.\n\n## Keys\n\nThere are two key models: [`Oidc::Key::Db`](app/models/oidc/key/db.rb), and\n[`Oidc::Key::Kms`](app/models/oidc/key/kms.rb).\n\n`Oidc::Key::Db` stores the RSA private key material in the database and can be\nused for local development and prototyping. The `private_key` field should be\nset to an unencrypted PEM encoded RSA private key. You can optionally store the\npublic key in the `public_key` field, otherwise the public key components will\nbe extracted from the private key when needed.\n\n`Oidc::Key::Kms` uses an AWS KMS Asymmetric RSA key for signing operations. The\n`private_key` field is an AWS KMS Key ARN. The KMS Key must be an RSA key. The\n`public_key` field is the KMS key’s public key in PEM format. Signing operations\ndepend on network connectivity to the AWS KMS region hosting the key.\n\n## Examples\n\n- [`examples/service-wide`](examples/service-wide) a single service-wide keyset\n- [`examples/tenant`](examples/tenant) a per-organisation keyset, single tenant\n- [`examples/per-tenant`](examples/per-tenant) a per-organisation cluster keyset, multi-tenant\n\n## Installation\nAdd this line to your application's Gemfile:\n\n```ruby\ngem 'oidc'\n```\n\nAnd then execute:\n```bash\n$ bundle\n```\n\nOr install it yourself as:\n```bash\n$ gem install oidc\n```\n\n## Contributing\nFork the repository and open a pull request.\n\n## License\nThe gem is available as open source under the terms of the [AGPL-3.0 License](https://opensource.org/licenses/AGPL-3.0).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeithduncan%2Foidc-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeithduncan%2Foidc-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeithduncan%2Foidc-provider/lists"}