{"id":42293965,"url":"https://github.com/korpling/forwarding-oauth2-server","last_synced_at":"2026-01-27T09:53:58.407Z","repository":{"id":45556118,"uuid":"385251673","full_name":"korpling/forwarding-oauth2-server","owner":"korpling","description":null,"archived":false,"fork":false,"pushed_at":"2024-04-02T10:12:24.000Z","size":291,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-01-14T11:48:06.004Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/korpling.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-12T13:09:12.000Z","updated_at":"2024-04-02T10:12:27.000Z","dependencies_parsed_at":"2025-04-12T03:26:51.232Z","dependency_job_id":null,"html_url":"https://github.com/korpling/forwarding-oauth2-server","commit_stats":null,"previous_names":["korpling/shibboleth-oauth2-forwarding"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/korpling/forwarding-oauth2-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/korpling%2Fforwarding-oauth2-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/korpling%2Fforwarding-oauth2-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/korpling%2Fforwarding-oauth2-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/korpling%2Fforwarding-
oauth2-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/korpling","download_url":"https://codeload.github.com/korpling/forwarding-oauth2-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/korpling%2Fforwarding-oauth2-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28811483,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T07:41:26.337Z","status":"ssl_error","status_checked_at":"2026-01-27T07:41:08.776Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-27T09:53:58.350Z","updated_at":"2026-01-27T09:53:58.400Z","avatar_url":"https://github.com/korpling.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OAuth2 server that runs behind a protected resource\n\nThis is a server that creates an [OAuth2](https://oauth.net/2/) Server (identity provider).\nIt assumes it runs behind a protected resource (e.g. by securing it with `AuthType shibboleth` in an Apache 2 server or by using any other [Apache 2 authorization method](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html)). 
\nShibboleth/SAML metadata fields that are passed through as HTTP header variables (like `X-Remote-User`) can be mapped to [JWT token](https://jwt.io/) attributes.\n\n\n## Background\n\nThis project is used as identity provider for the [ANNIS frontend](https://github.com/korpling/ANNIS) when an institutional Shibboleth identity provider (like the DFN AAI) should be used.\n\n## Installation and configuration\n\n### Configure Apache2 with Shibboleth\n\nFollow one of the Shibboleth guides, such as the one in the [Shibboleth Wiki](https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335062/Apache), to configure your Apache with a location secured by Shibboleth.\nThis secured location must be forwarded to the actual web service we are going to install.\n\n```\n\u003cLocation /login\u003e\n        # Proxy all requests to /login to our service at port 8020\n        ProxyPass http://localhost:8020\n        ProxyPassReverse http://localhost:8020\n\u003c/Location\u003e\n\u003cLocation /login/authorize\u003e\n      AuthType shibboleth\n      ShibRequestSetting requireSession true\n      \u003cRequireAll\u003e\n              Require shib-session\n              # Add more conditions on the user here\n      \u003c/RequireAll\u003e\n      # This is important since we want to use the forwarded headers\n      ShibUseHeaders On\n\n\u003c/Location\u003e\n```\n\n### Installation of the service binary\n\n1. To install this binary as a service you will need a working Rust compiler environment, which can be installed with \u003chttps://rustup.rs/\u003e\n2. Compile the binary with `cargo install forwarding-oauth2-server`.\n3. Copy the resulting binary file to your system-wide binary folder\n```bash\ncp ~/.cargo/bin/forwarding-oauth2-server /usr/local/bin/\n```\n4. For [systemd](https://wiki.debian.org/systemd/Services) based Linux servers like Ubuntu 18.04, create a service unit definition file with a `.service` suffix in the `/etc/systemd/system` directory. 
This file could look like the following example. Also make sure to choose a user (here `youruser`) this service should run as.\n\n```\n[Unit]\nDescription=Authorization token wrapper for ANNIS\n\n[Service]\nType=simple\nExecStart=/usr/local/bin/forwarding-oauth2-server -c /usr/local/etc/forwarding-oauth2-server.toml\nUser=youruser\nGroup=youruser\nWorkingDirectory=/usr/local/\n\n[Install]\nWantedBy=multi-user.target\n```\n\nExecute\n```bash\nsystemctl daemon-reload\n```\nto make the new file known to the system.\n\nFor non-systemd-based servers use the operating system manual to define a corresponding service.\n\n### Configuration file\n\nIn the previous service definition, the `/usr/local/etc/forwarding-oauth2-server.toml` file was used as configuration file.\nYou can copy one of the example files in the `examples/` folder and adjust them to your needs.\nWe use TOML files, whose syntax is documented at \u003chttps://toml.io/\u003e\n\n```toml\n[bind]\n# Define the port to use for the service\nport = 8020\n\n[mapping]\n# List all headers that should be forwarded from Apache2 to the \ninclude_headers = [\"x-admin\"]\n# Path to the template file that is used to generate the JWT tokens\ntoken_template = \"\u003cpath-to-template-file\u003e\"\n# The default value for the \"sub\" field\ndefault_sub = \"academic\"\n\n[client]\n# Define the OAuth2 client ID\nid = \"Shibboleth\"\n# A valid redirect URI\nredirect_uri = \"https://youapplicationserver/appcontext/\"\n\n[client.token_verification]\n# Define a secret to be shared between identity provider and service consuming the JWT token\ntype = \"HS256\"\nsecret = \"random-words-are-not-secure-please-change-me\"\n# Alternatively, you can use a private/public key approach\n# type = \"RS256\"\n# private_key = \"yourprivatekey\"\n# public_key = \"yourpublikey\"\n```\n\n### Token template\n\nJWT tokens are created using a template file, which is given as the `token_template` field in the `mapping` section of the configuration file. 
\nWe use the template language [Handlebars](https://handlebarsjs.com/) for including dynamic content like the user name (given as `sub` variable).\nAlso, all forwarded headers which are defined in the `include_headers` field of the configuration file can be used inside the JWT token definition.\n\n```\n{\n    \"sub\": \"{{sub}}\",\n    \"exp\": {{exp}},\n    {{#if x-admin}}\n    \"https://corpus-tools.org/annis/roles\": [\"admin\"],\n    {{/if}}\n    \"https://corpus-tools.org/annis/groups\": [\"academic\"]\n}\n```\n\n### Start and test the service\n\nOnce you have installed the service, created the configuration files and secured the `/login` path, you should be able to start the newly defined service.\nIf the service unit file was named `shib-wrapper.service` you can start and enable the service at each boot with \n\n```bash\nsystemctl enable shib-wrapper.service\nsystemctl start shib-wrapper.service\n```\n\n### Configure the application to use this OAuth2 identity provider\n\nIf your application uses Spring Security (e.g. ANNIS), you can configure the endpoints of this OAuth2 service like this in your application properties:\n\n```properties\nspring.security.oauth2.client.registration.shib.client-id=Shibboleth\nspring.security.oauth2.client.registration.shib.authorization-grant-type=authorization_code\nspring.security.oauth2.client.registration.shib.redirect-uri=https://youapplicationserver/appcontext/login/oauth2/code/shib\n\nspring.security.oauth2.client.provider.shib.authorization-uri=https://yourserver/login/authorize\nspring.security.oauth2.client.provider.shib.token-uri=https://yourserver/login/authorize/token\nspring.security.oauth2.client.provider.shib.user-info-uri=https://yourserver/login/userinfo\nspring.security.oauth2.client.provider.shib.user-name-attribute=sub\n\n```\n\n## 3rd party dependencies\n\nThis software depends on several 3rd party libraries. 
These are documented in the \"third-party-licenses.html\" file in this folder.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkorpling%2Fforwarding-oauth2-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkorpling%2Fforwarding-oauth2-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkorpling%2Fforwarding-oauth2-server/lists"}