{"id":13689466,"url":"https://github.com/libregraph/lico","last_synced_at":"2025-05-01T23:34:43.725Z","repository":{"id":37725757,"uuid":"377123604","full_name":"libregraph/lico","owner":"libregraph","description":"LibreGraph Connect implements an OpenID provider (OP) with integrated web login and consent forms.","archived":false,"fork":false,"pushed_at":"2024-11-11T11:09:46.000Z","size":15939,"stargazers_count":25,"open_issues_count":26,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-11T12:20:46.035Z","etag":null,"topics":["hacktoberfest","ldap-authentication","openid-connect","openid-provider"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/libregraph.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-15T10:28:50.000Z","updated_at":"2024-11-11T11:09:50.000Z","dependencies_parsed_at":"2023-02-18T17:46:09.164Z","dependency_job_id":"af7ac48b-64d0-4312-af1e-b4434e82fa06","html_url":"https://github.com/libregraph/lico","commit_stats":null,"previous_names":[],"tags_count":102,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libregraph%2Flico","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libregraph%2Flico/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libregraph%2Flico/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libregraph%2Flico/manifests","own
er_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/libregraph","download_url":"https://codeload.github.com/libregraph/lico/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224282286,"owners_count":17285800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","ldap-authentication","openid-connect","openid-provider"],"created_at":"2024-08-02T15:01:48.981Z","updated_at":"2024-11-12T13:31:50.094Z","avatar_url":"https://github.com/libregraph.png","language":"Go","funding_links":[],"categories":["hacktoberfest"],"sub_categories":[],"readme":"# LibreGraph Connect\n\nLibreGraph Connect implements an [OpenID provider](http://openid.net/specs/openid-connect-core-1_0.html)\n(OP) with integrated web login and consent forms.\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/libregraph/lico)](https://goreportcard.com/report/github.com/libregraph/lico)\n\nLibreGraph Connect has its origin in Kopano Konnect and is meant as its vendor\nagnostic successor.\n\n## Technologies\n\n- Go\n- React\n\n## Standards supported by Lico\n\nLico provides services based on open standards. 
To give you an idea of what\nLico can do and how you could use it, this section lists the\n[OpenID Connect](https://openid.net/connect/) standards which are implemented.\n\n- https://openid.net/specs/openid-connect-core-1_0.html\n- https://openid.net/specs/openid-connect-discovery-1_0.html\n- https://openid.net/specs/openid-connect-frontchannel-1_0.html\n- https://openid.net/specs/openid-connect-session-1_0.html\n- https://openid.net/specs/openid-connect-registration-1_0.html\n\nFurthermore, the following extensions/base specifications extend, define and\ncombine the implementation details.\n\n- https://tools.ietf.org/html/rfc6749\n- https://tools.ietf.org/html/rfc7517\n- https://tools.ietf.org/html/rfc7519\n- https://tools.ietf.org/html/rfc7636\n- https://tools.ietf.org/html/rfc7693\n- https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html\n- https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html\n- https://www.iana.org/assignments/jose/jose.xhtml\n- https://nacl.cr.yp.to/secretbox.html\n\n## Build dependencies\n\nMake sure you have Go 1.18 or later installed. This project uses Go Modules.\n\nLico also includes a modern web app which requires a couple of additional\nbuild dependencies which are also assumed to be in your $PATH.\n\n  - yarn - [Yarn](https://yarnpkg.com)\n  - convert, identify - [ImageMagick](https://www.imagemagick.org)\n  - scour - [Scour](https://github.com/scour-project/scour)\n\nTo build Lico, a `Makefile` is provided, which requires [make](https://www.gnu.org/software/make/manual/make.html).\n\nWhen building, third-party dependencies are fetched from the Internet\nif they are not already present.\n\n## Building from source\n\n```\ngit clone \u003cTHIS-PROJECT\u003e lico\ncd lico\nmake\n```\n\n### Optional build dependencies\n\nSome optional build dependencies are required for linting and continuous\nintegration. 
Those tools are mostly used by make to perform various tasks and\nare expected to be found in your $PATH.\n\n  - golangci-lint - [golangci-lint](https://github.com/golangci/golangci-lint)\n  - go2xunit - [go2xunit](https://github.com/tebeka/go2xunit)\n  - gocov - [gocov](https://github.com/axw/gocov)\n  - gocov-xml - [gocov-xml](https://github.com/AlekSi/gocov-xml)\n  - gocovmerge - [gocovmerge](https://github.com/wadey/gocovmerge)\n\n### Build with Docker\n\n```\ndocker build -t licod-builder -f Dockerfile.build .\ndocker run -it --rm -u $(id -u):$(id -g) -v $(pwd):/build licod-builder\n```\n\n## Running Lico\n\nLico can provide user login based on available backends.\n\nAll backends require certain general parameters to be present. Create an RSA\nkey-pair file with `openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:4096`\nand provide the key file with the `--signing-private-key` parameter. Lico can\nload PEM encoded PKCS#1 and PKCS#8 key files and JSON Web Keys from `.json` files.\nIf you skip this, Lico will create a random non-persistent RSA key on startup.\n\nTo encrypt certain values, Lico needs a secure encryption key. Create a\nsuitable key of 32 bytes with `openssl rand -out encryption.key 32` and provide\nthe full path to that file via the `--encryption-secret` parameter. If you skip\nthis, Lico will generate a random key on startup.\n\nTo run a functional OpenID Connect provider, an issuer identifier is required.\nThe `iss` is a fully qualified https:// URI pointing to the web server which\nserves the requests to Lico (example: https://example.com). Provide the\nIssuer Identifier with the `--iss` parameter when starting Lico.\n\nFurthermore, to allow clients to utilize the Lico services, clients need to\nbe known/registered. For now Lico uses a static configuration file which\nallows clients and their allowed URLs to be registered. See the example at\n`identifier-registration.yaml.in`. 
Copy and modify that file to include all\nthe clients which should be able to use OpenID Connect and/or OAuth2 and start\nLico with the `--identifier-registration-conf` parameter pointing to that\nfile. Without any explicitly registered clients, Lico will only accept clients\nwhich redirect to a URI which starts with the value provided with the `--iss`\nparameter.\n\n### Lico cryptography and validation\n\nA tool that can be used to create keys for Lico and also to validate tokens to\nensure correct operation is [Step CLI](https://github.com/smallstep/cli). This\nhelps since OpenSSL is not able to create or validate all of the different key\nformats, ciphers and curves which are supported by Lico.\n\nHere are some examples relevant for Lico.\n\n```\nstep crypto keypair 1-rsa.pub 1-rsa.pem \\\n  --kty RSA --size 4096 --no-password --insecure\n```\n\n```\nstep crypto keypair 1-ecdsa-p-256.pub 1-ecdsa-p-256.pem \\\n  --kty EC --curve P-256 --no-password --insecure\n```\n\n```\nstep crypto jwk create 1-eddsa-ed25519.pub.json 1-eddsa-ed25519.key.json \\\n  --kty OKP --crv Ed25519 --no-password --insecure\n```\n\n```\necho $TOKEN_VALUE | step crypto jwt verify --iss $ISS \\\n  --aud playground-trusted.js --jwks $ISS/konnect/v1/jwks.json\n```\n\n### URL endpoints\n\nTake a look at `Caddyfile.example` for the URL endpoints provided by Lico and\nhow to expose them through a TLS proxy.\n\nThe base URL of the frontend proxy is what will become the value of the `--iss`\nparameter when starting up Lico. OIDC requires the Issuer Identifier to be\nsecure (https:// required).\n\n### LibreGraph backend\n\nGeneric backend support is available through the LibreGraph API. 
Any service can\nprovide the required endpoints and Lico connects to them.\n\n```\nexport LIBREGRAPH_URI=http://your-backend.local:5050\nbin/licod serve --listen=127.0.0.1:8777 \\\n  --iss=https://mylico.local \\\n  libregraph\n```\n\n### LDAP backend\n\nThis assumes that Lico can directly connect to an LDAP server via TCP.\n\n```\nexport LDAP_URI=ldap://myldap.local:389\nexport LDAP_BINDDN=\"cn=admin,dc=example,dc=local\"\nexport LDAP_BINDPW=\"its-a-secret\"\nexport LDAP_BASEDN=\"dc=example,dc=local\"\nexport LDAP_SCOPE=sub\nexport LDAP_LOGIN_ATTRIBUTE=uid\nexport LDAP_EMAIL_ATTRIBUTE=mail\nexport LDAP_NAME_ATTRIBUTE=cn\nexport LDAP_UUID_ATTRIBUTE=uidNumber\nexport LDAP_UUID_ATTRIBUTE_TYPE=text\nexport LDAP_FILTER=\"(objectClass=organizationalPerson)\"\n\nbin/licod serve --listen=127.0.0.1:8777 \\\n  --iss=https://mylico.local \\\n  ldap\n```\n\n### Build Lico Docker image\n\nThis project includes a `Dockerfile` which can be used to build a Docker\ncontainer from the locally built version. Similarly, the `Dockerfile.release`\nbuilds the Docker image locally from the latest release download.\n\n```\ndocker build -t licod .\n```\n\n```\ndocker build -f Dockerfile.release -t licod .\n```\n\n## Run unit tests\n\n```\nmake test\n```\n\n## Development\n\nAs Lico includes a web application (identifier), a `Caddyfile.dev` file is\nprovided which exposes the identifier's web application directly via a\nwebpack dev server.\n\n### Debugging\n\nLico is built stripped and without debug symbols by default. To build for\ndebugging, compile with additional environment variables which override/reset\nbuild optimization like this:\n\n```\nLDFLAGS=\"\" GCFLAGS=\"all=-N -l\" ASMFLAGS=\"\" make cmd/licod\n```\n\nThe resulting binary is not stripped and is suitable for debugging with [Delve](https://github.com/go-delve/delve).\n\nTo connect Delve to a running Lico binary you can use the `make dlv` command.\nControl its behavior via `DLV_*` environment variables. 
See the `Makefile` source\nfor details.\n\n```\nDLV_ARGS= make dlv\n```\n\n#### Remote debugging\n\nTo use remote debugging, pass additional args like this.\n\n```\nDLV_ARGS=--listen=:2345 make dlv\n```\n\n## Usage survey\n\nBy default, any running licod regularly transmits survey data to a Kopano\nuser survey service at https://stats.kopano.io . To disable participation, set\nthe environment variable `KOPANO_SURVEYCLIENT_AUTOSURVEY` to `no`.\n\nThe survey data includes system and platform information and the following\nspecific settings:\n\n - Identity manager name (as selected when starting licod)\n\nSee [here](https://stash.kopano.io/projects/KGOL/repos/ksurveyclient-go) for further\ndocumentation and customization possibilities.\n\n## License\n\nSee `LICENSE.txt` for licensing information of this project.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flibregraph%2Flico","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flibregraph%2Flico","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flibregraph%2Flico/lists"}