{"id":29251695,"url":"https://github.com/macrat/lauth","last_synced_at":"2025-07-04T01:08:12.685Z","repository":{"id":40277208,"uuid":"332231280","full_name":"macrat/lauth","owner":"macrat","description":"Simple OpenID Provider for LDAP like a Microsoft ActiveDirectory.","archived":false,"fork":false,"pushed_at":"2023-05-05T02:30:25.000Z","size":884,"stargazers_count":4,"open_issues_count":7,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-06-21T19:03:40.977Z","etag":null,"topics":["ldap","oauth2","openid-provider"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/macrat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-23T14:36:15.000Z","updated_at":"2023-02-17T08:35:22.000Z","dependencies_parsed_at":"2024-06-19T11:27:46.398Z","dependency_job_id":"6380ff16-aea0-47f7-a874-29e79aa2909e","html_url":"https://github.com/macrat/lauth","commit_stats":{"total_commits":224,"total_committers":2,"mean_commits":112.0,"dds":0.004464285714285698,"last_synced_commit":"5758a76684a2c439a075f61f83e69d5bc6f80548"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/macrat/lauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macrat%2Flauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macrat%2Flauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macrat%2Flauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/macrat%2Flauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/macrat","download_url":"https://codeload.github.com/macrat/lauth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macrat%2Flauth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263427316,"owners_count":23464845,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ldap","oauth2","openid-provider"],"created_at":"2025-07-04T01:08:11.384Z","updated_at":"2025-07-04T01:08:12.661Z","avatar_url":"https://github.com/macrat.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Lauth\n=====\n\n![Test and Build status](https://github.com/macrat/lauth/workflows/Test%20and%20Build/badge.svg)\n[![codecov coverage](https://codecov.io/gh/macrat/lauth/branch/main/graph/badge.svg)](https://codecov.io/gh/macrat/lauth)\n[![Container in Docker Hub](https://img.shields.io/badge/container-Docker%20Hub-blue.svg?logo=docker\u0026logoColor=white)](https://hub.docker.com/r/macrat/lauth)\n[![Container in GitHub Container Registry](https://img.shields.io/badge/container-ghcr.io-blue.svg?logo=docker\u0026logoColor=white)](https://github.com/users/macrat/packages/container/package/lauth)\n[![MIT License](https://img.shields.io/github/license/macrat/lauth)](https://github.com/macrat/lauth/blob/master/LICENSE)\n\nA simple OpenID Provider for LDAP directories such as Microsoft Active Directory (AD).\n\n![Lauth can translate LDAP and OAuth2/OpenID Connect](./images/lauth.jpg)\n\n\n## Compatibility\n\n- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)\n- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)\n- [OpenID Connect RP-Initiated Logout 1.0 - draft 01](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)\n- [OAuth2 (RFC6749)](https://tools.ietf.org/html/rfc6749)\n- LDAP v3 (via [go-ldap](https://github.com/go-ldap/ldap))\n\n\n## Installation\n\n### Use on Docker\n\n``` shell\n$ docker run macrat/lauth:latest --version\nlauth version 1.0.0\n```\n\n### Build from source\n\n``` shell\n$ go get github.com/macrat/lauth\n\n$ lauth --version\nlauth version 1.0.0\n```\n\n\n## Usage\n\nFirst, generate a config file. This registers a client: its client ID, a randomly generated client secret, and the redirect URI it is allowed to use.\n\n``` shell\n$ lauth gen-client your-client-name -u https://your-client.example.com/callback \u003e\u003e config.toml\n```\n\nThen, start the server.\n\n``` shell\n$ lauth \\\n  --ldap ldap://ldap.example.com \\\n  --ldap-user \"CN=username,OU=somewhere,DC=example,DC=local\" \\\n  --ldap-password ${LDAP_USER_PASSWORD} \\\n  --config config.toml\n```\n\nFinally, point your client at these endpoints.\n\n- authorization endpoint:\n  http://localhost:8000/login\n- token endpoint:\n  http://localhost:8000/login/token\n- userinfo endpoint:\n  http://localhost:8000/login/userinfo\n- jwks endpoint:\n  http://localhost:8000/login/jwks\n- discovery endpoint:\n  http://localhost:8000/.well-known/openid-configuration\n\nSee also the [options list](#Options) and the [example config file](./config.example.toml).\n\n### For production\n\nIn production, also set these options.\n\n- `--issuer`: External URL of the server, as clients reach it. It is used as the issuer (`iss`) of the tokens, so clients reject tokens if it does not match the URL they are configured with.\n- `--sign-key`: RSA private key for signing tokens. If omitted, a random key is generated at every start, so tokens issued before a restart can no longer be verified.\n- `--tls-cert` and `--tls-key` (or `--tls-auto`): TLS certificate and key files (or obtain them automatically from Let's Encrypt).\n- `--metrics-username` and `--metrics-password`: Basic auth credentials protecting the metrics page. Without them the metrics page is reachable by anyone, and its contents may give an attacker useful hints.\n\n### Use in docker-compose\n\nPlease see the [example](./examples/docker-compose/).\n\n\n## Customize\n\n### Page design\n\nThis is the default page design:\n\n![default design of login page and error page](./images/default_design.jpg)\n\nIf you want to customize the design, use `--login-page`, `--logout-page`, and `--error-page`.\nTemplates use the format of the Go [html/template](https://golang.org/pkg/html/template/) library.\n\nSee also the default page templates:\n\n- [login page](./page/html/login.tmpl)\n- [logged out page](./page/html/logout.tmpl)\n- [error page](./page/html/error.tmpl)\n\n### ID attribute\n\nBy default, Lauth uses `sAMAccountName` as the username.\nThat is the logon ID in Microsoft Active Directory.\n\nUse the `--ldap-id-attribute` option if you want to use another attribute as the username.\n\n``` shell\n$ lauth --ldap-id-attribute mail  # login with e-mail\n```\n\nOr, you can use a config file.\n\n``` shell\n$ cat \u003c\u003cEOS \u003e config.toml\n[ldap]\nid_attribute = \"mail\"\nEOS\n\n$ lauth --config config.toml\n```\n\n### Scope and Claims\n\nYou can change the scopes and claims for the `id_token` and userinfo in the config file.\n\nThis is the default config; it maps the claims to Microsoft Active Directory attributes.\n\n``` toml\n[scope]\n\nprofile = [\n  { claim = \"name\",        attribute = \"displayName\" },\n  { claim = \"given_name\",  attribute = \"givenName\"   },\n  { claim = \"family_name\", attribute = \"sn\"          },\n]\n\nemail = [\n  { claim = \"email\", attribute = \"mail\" },\n]\n\nphone = [\n  { claim = \"phone_number\", attribute = \"telephoneNumber\" },\n]\n\ngroups = [\n  { claim = \"groups\", attribute = \"memberOf\", type = \"[]string\" },\n]\n```\n\n\n## Options\n\n### server command\n\n``` shell\n$ lauth [OPTIONS]\n```\n\n|command line           |config file           |environment variable        |default value              |description|\n|-----------------------|----------------------|----------------------------|---------------------------|-----------|\n|`--issuer`             |`issuer`              |`LAUTH_ISSUER`              |`http://localhost:8000`    |Issuer URL.|\n|`--listen`             |`listen`              |`LAUTH_LISTEN`              |same port as the Issuer URL|Listen address and port.|\n|`--sign-key`           |`sign_key`            |`LAUTH_SIGN_KEY`            |generate random key        |RSA private key for signing tokens.|\n|`--tls-auto`           |`tls.auto`            |`LAUTH_TLS_AUTO`            |                           |Automatically obtain a TLS certificate from Let's Encrypt.|\n|`--tls-cert`           |`tls.cert`            |`LAUTH_TLS_CERT`            |                           |Cert file for TLS encryption.|\n|`--tls-key`            |`tls.key`             |`LAUTH_TLS_KEY`             |                           |Key file for TLS encryption.|\n|`--authz-endpoint`     |`endpoint.authz`      |`LAUTH_ENDPOINT_AUTHZ`      |`/login`                   |Path to authorization endpoint.|\n|`--token-endpoint`     |`endpoint.token`      |`LAUTH_ENDPOINT_TOKEN`      |`/login/token`             |Path to token endpoint.|\n|`--userinfo-endpoint`  |`endpoint.userinfo`   |`LAUTH_ENDPOINT_USERINFO`   |`/login/userinfo`          |Path to userinfo endpoint.|\n|`--jwks-uri`           |`endpoint.jwks`       |`LAUTH_ENDPOINT_JWKS`       |`/login/jwks`              |Path to jwks uri.|\n|`--login-expire`       |`expire.login`        |`LAUTH_EXPIRE_LOGIN`        |`1h`                       |Time limit to input username and password on the login page.|\n|`--code-expire`        |`expire.code`         |`LAUTH_EXPIRE_CODE`         |`5m`                       |Time limit to exchange the code for an `access_token` or `id_token`.|\n|`--token-expire`       |`expire.token`        |`LAUTH_EXPIRE_TOKEN`        |`1d`                       |Expiration duration of `access_token` and `id_token`.|\n|`--refresh-expire`     |`expire.refresh`      |`LAUTH_EXPIRE_REFRESH`      |`1w`                       |Expiration duration of `refresh_token`.\u003cbr /\u003eIf set to 0, no `refresh_token` is issued.|\n|`--sso-expire`         |`expire.sso`          |`LAUTH_EXPIRE_SSO`          |`2w`                       |How long to skip the login page after a successful login.\u003cbr /\u003eIf set to 0, always ask the end-user for username and password.|\n|`--ldap`               |`ldap.server`         |`LAUTH_LDAP_SERVER`         |                           |URL of LDAP server.\u003cbr /\u003eYou can include user credentials like `ldap://USER_DN:PASSWORD@ldap.example.com`.|\n|`--ldap-user`          |`ldap.user`           |`LAUTH_LDAP_USER`           |                           |User DN for connecting to LDAP.\u003cbr /\u003eYou can use `DOMAIN\\username` style if using Active Directory.|\n|`--ldap-password`      |`ldap.password`       |`LAUTH_LDAP_PASSWORD`       |                           |Password for connecting to LDAP.|\n|`--ldap-base-dn`       |`ldap.base_dn`        |`LAUTH_LDAP_BASE_DN`        |same as user DC            |The base DN for searching user accounts in LDAP, like `OU=somewhere,DC=example,DC=local`.|\n|`--ldap-id-attribute`  |`ldap.id_attribute`   |`LAUTH_LDAP_ID_ATTRIBUTE`   |`sAMAccountName`           |ID attribute name in LDAP.|\n|`--ldap-disable-tls`   |`ldap.disable_tls`    |`LAUTH_LDAP_DISABLE_TLS`    |                           |Disable TLS when connecting to the LDAP server. *THIS IS INSECURE.*|\n|`--login-page`         |`template.login_page` |`LAUTH_TEMPLATE_LOGIN_PAGE` |                           |Template file for login page.|\n|`--logout-page`        |`template.logout_page`|`LAUTH_TEMPLATE_LOGOUT_PAGE`|                           |Template file for logged out page.|\n|`--error-page`         |`template.error_page` |`LAUTH_TEMPLATE_ERROR_PAGE` |                           |Template file for error page.|\n|`--metrics-path`       |`metrics.path`        |`LAUTH_METRICS_PATH`        |`/metrics`                 |Path to Prometheus metrics.|\n|`--metrics-username`   |`metrics.username`    |`LAUTH_METRICS_USERNAME`    |                           |Basic auth username to access the Prometheus metrics.\u003cbr /\u003eIf omitted, authentication is disabled.|\n|`--metrics-password`   |`metrics.password`    |`LAUTH_METRICS_PASSWORD`    |                           |Basic auth password to access the Prometheus metrics.\u003cbr /\u003eIf omitted, authentication is disabled.|\n|`--config`             |                      |`LAUTH_CONFIG`              |                           |Load options from a TOML, YAML, or JSON file.|\n|`--debug`              |                      |                            |                           |Enable debug output. *This is insecure* for production use.|\n\n\n### gen-client sub command\n\n``` shell\n$ lauth gen-client CLIENT_ID [OPTIONS]\n```\n\n|option          |description                                                                               |\n|----------------|------------------------------------------------------------------------------------------|\n|`--redirect-uri`|URIs to accept redirects to.                                                              |\n|`--secret`      |Client secret value. A random secret is generated if omitted. *Using this option is not recommended.*|\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacrat%2Flauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmacrat%2Flauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacrat%2Flauth/lists"}
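The README above lists Lauth's jwks endpoint and warns that `--issuer` must be the external URL and that `--sign-key` is regenerated at every start unless set. What that means for a relying party is shown by the following Go program, an added example written for this page and not code from the Lauth project: it mints an RS256 `id_token` with a freshly generated key, renders the public key as a JWKS document of the shape a jwks endpoint serves, and verifies the token the way a client should (key selected by `kid`, algorithm pinned to RS256, signature checked, then `iss`, `aud` and `exp`). The issuer `https://lauth.example.com`, client ID `your-client-name`, subject `alice` and key ID `key-1` are constructed assumptions; in a real deployment the JWKS bytes come from a GET of the jwks endpoint (or the `jwks_uri` in the discovery document) rather than from `jwksFor`, and `aud` may also arrive as an array, which this example does not handle.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwksFor renders one RSA public key as a JWKS document, the shape an OP's jwks
// endpoint returns (constructed here so the example runs offline).
func jwksFor(pub *rsa.PublicKey, kid string) []byte {
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return doc
}

// signRS256 builds a compact JWS (header.claims.signature) the way the OP does.
func signRS256(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodePart base64url-decodes one JWS segment and parses it as JSON into v.
func decodePart(seg string, v any) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(seg))).Decode(v)
}

// verifyIDToken is the relying-party side: select the JWKS key by kid, pin the
// algorithm to RS256, check the signature, then iss, aud and exp.
func verifyIDToken(jwks []byte, issuer, token, clientID string, now time.Time) (map[string]any, error) {
	var set struct{ Keys []map[string]string }
	if err := json.Unmarshal(jwks, &set); err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed JWS or unexpected alg") // never let the token choose alg
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k["kty"] == "RSA" && k["kid"] == hdr.Kid {
			n, _ := b64.DecodeString(k["n"])
			e, _ := b64.DecodeString(k["e"])
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not in JWKS (stale cache or rotated --sign-key?)", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var claims map[string]any
	if decodePart(parts[1], &claims) != nil || claims["iss"] != issuer || claims["aud"] != clientID {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v", claims["iss"], claims["aud"])
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}

// runScenario mints an id_token for audience mintAud with lifetime ttl and verifies
// it as client verifyAud, returning the accepted claims or the rejection error.
func runScenario(mintAud, verifyAud string, ttl time.Duration) (map[string]any, error) {
	const issuer = "https://lauth.example.com" // assumed --issuer value
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fresh signing key; fails only if the system RNG does
	now := time.Now()
	tok, err := signRS256(key, "key-1", map[string]any{"iss": issuer, "sub": "alice",
		"aud": mintAud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	return verifyIDToken(jwksFor(&key.PublicKey, "key-1"), issuer, tok, verifyAud, now)
}

func main() {
	claims, err := runScenario("your-client-name", "your-client-name", 24*time.Hour)
	fmt.Println(claims["sub"], err) // alice <nil>
}
```

Change the first argument to another client ID, or pass a negative `ttl`, to see the audience and expiry rejections. The `kid` lookup is also where the `--sign-key` note bites: with the default random key, a JWKS cached by the client stops matching after a restart, so clients should re-fetch the JWKS when they meet an unknown `kid` rather than accept any key in the set.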