{"id":13714125,"url":"https://github.com/maximthomas/blazewall","last_synced_at":"2025-12-15T13:42:24.941Z","repository":{"id":48420870,"uuid":"200840227","full_name":"maximthomas/blazewall","owner":"maximthomas","description":"Open Source Single-Sign-On and Access Management platform built in microservice architecture","archived":true,"fork":false,"pushed_at":"2023-05-05T09:34:35.000Z","size":606,"stargazers_count":17,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-03T23:29:47.135Z","etag":null,"topics":["authentication","authorization","cloud-native","gateway-service","go","go-gin","golang","information-security","microservice","microservices","security","sso","sso-solution"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/maximthomas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-06T11:45:00.000Z","updated_at":"2024-08-02T11:26:15.000Z","dependencies_parsed_at":"2024-06-20T05:14:10.148Z","dependency_job_id":"2c6f4515-e641-4b95-b817-0b1b7166067e","html_url":"https://github.com/maximthomas/blazewall","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maximthomas%2Fblazewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maximthomas%2Fblazewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maximthomas%2Fblazewall/relea
ses","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maximthomas%2Fblazewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/maximthomas","download_url":"https://codeload.github.com/maximthomas/blazewall/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224551163,"owners_count":17330089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","cloud-native","gateway-service","go","go-gin","golang","information-security","microservice","microservices","security","sso","sso-solution"],"created_at":"2024-08-02T23:01:52.785Z","updated_at":"2025-12-15T13:42:24.840Z","avatar_url":"https://github.com/maximthomas.png","language":"Go","funding_links":[],"categories":["Repositories"],"sub_categories":[],"readme":"\u003c!--\nLicensed to the Apache Software Foundation (ASF) under one\nor more contributor license agreements. See the NOTICE file\ndistributed with this work for additional information\nregarding copyright ownership.  The ASF licenses this file\nto you under the Apache License, Version 2.0 (the\n\"License\"); you may not use this file except in compliance\nwith the License.  You may obtain a copy of the License at\n\n  http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing,\nsoftware distributed under the License is distributed on an\n\"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\nKIND, either express or implied.  
See the License for the\nspecific language governing permissions and limitations\nunder the License.\n--\u003e\n\n# BLAZEWALL\n\n![Blazewall logo](docs/img/logo.png)\n\n**BLAZEWALL** is an Open Source Single Sign-On and Access Management platform built with a microservice architecture\nand released under the Apache 2.0 license.\n\n## Table of Contents\n  * [Solution architecture](#solution-architecture)\n  * [Processes](#processes)\n  * [Quick Start](#quick-start)\n  * [Protecting Your Own Site](#protecting-your-own-site)\n\n## Solution architecture\n\nThe solution architecture is shown in the diagram below:\n![Services interaction diagram](docs/img/services-diagram.png)\n\n### Services:\n\n|Service|Description|\n|-------|-----------|\n|**auth-service**|Authentication service, responsible for signing up or signing in users|\n|**gateway-service**|Proxies all user requests to protected resources. If a user request does not violate the security policy, the gateway enriches the request with the user session info and passes it to the protected resource. 
If the request violates the policy, gateway-service denies the request and redirects the user to authentication|\n|**session-service**|Stores and manages user sessions|\n|**user-service**|Responsible for user account management|\n|**protected-service**|Test service with unsecured and secured zones|\n\n## Processes\n\n### Authentication process diagram\n\n![Authentication process](docs/img/authentication.png)\n\n### Access Protected Resource\n\n![Access protected resource process](docs/img/access-protected-resource.png)\n\n\n## Quick Start\n\nQuick start with docker-compose.\n\nAdd the following entry to the `/etc/hosts` file on a Unix-based OS or `c:\\Windows\\System32\\Drivers\\etc\\hosts` on Windows:\n\n```\n127.0.0.1 example.com auth.example.com\n```\n\nStart all services locally with docker-compose:\n```bash\ndocker-compose up --build\n```\nAfter all the services have started, go to `http://example.com:8080/`; you will see an entry-point page that is available to all users. Click on the `Try to Authenticate` button. 
You will be redirected to the page `http://example.com:8080/user`, which is protected by `gateway-service`.\n\n`gateway-service` checks whether the user is authenticated; if not, it redirects the user to `auth-service` at `http://auth.example.com:8081/auth-service/v1/users`.\n\nEnter the default credentials (login `admin`, password `password`) to authenticate.\n\nAfter authentication has succeeded, you will be redirected back to the protected resource `http://example.com:8080/user`.\n\n## Protecting Your Own Site\n\nLet us describe how to protect your service step by step using Docker.\n\n### Create network\n\n```bash\ndocker network create blazewall-network\n```\n\n### Deploy Your Service to Protect\nWe will take `protected-service` as an example.\nLet us run the service in a Docker container.\n\n```bash\ndocker run --name protected-service -h protected-service --network=blazewall-network -d blazewall/protected-service\n```\nThere is no port forwarding, so the site cannot be accessed from an external network.\n\n### Configure **gateway-service**\n\nCreate or modify the gateway-service YAML configuration in the `gateway-config.yaml` file. You can find a configuration sample in [gateway-config-test.yaml](./gateway-service/config/gateway-config-test.yaml).\n\nCreate a config file for gateway-service named `gateway-config.yaml` to set up hosts, paths, and policies:\n\n```yaml\nprotectedHosts: #array of hosts\n  -\n    requestHost: example.com:8080 #gateway host and port\n    targetHost: 'http://protected-service:8080' #target host and port\n    pathsConfig: #paths and policies config\n      -\n        policyValidator:\n          type: authenticated #could also be 'realms', 'allowed' or 'denied'\n        urlPattern: /user #protected url\n        authUrl: 'http://auth.example.com:8081/auth-service/v1/login?realm=users' #auth-service url. 
If the request violates the policy, the user is redirected to this URL for authentication\nsessionID: BlazewallSession #session cookie\nendpoints:\n  sessionService: http://session-service:8080/session-service/v1/sessions # session-service endpoint\n```\n\nStart the gateway service (note that `-d` must come before the image name so that Docker, not the container entrypoint, receives it):\n\n```bash\ndocker run --name gateway-service \\\n-v $(pwd)/gateway-config.yaml:/app/config/gateway-config.yaml \\\n-p 8080:8080 \\\n--network=blazewall-network \\\n-d \\\nblazewall/gateway-service \\\n./main -yc /app/config/gateway-config.yaml\n```\nThen check that the protected service can be accessed via the gateway at `http://example.com:8080`.\n\n### Configure **auth-service**\n\nCreate or modify the auth-service YAML configuration in the `auth-config.yaml` file. You can find a configuration sample in [auth-config-test.yaml](./auth-service/config/auth-config-test.yaml):\n\n```yaml\nrealms: #set of realms\n  -\n    name: users #realm name\n    redirectOnSuccess: \"http://example.com:8080/user\" #redirect location after successful authentication\n    authConfig: #authentication configuration\n      -\n        type: userService #authenticate via user-service, shows login and password page\n        parameters: #authentication parameters\n          endpoint: http://user-service:8080/user-service/v1 #user-service endpoint\n          realm: users #user service realm\n  -\n    name: staff\n    redirectOnSuccess: \"http://example.com:8080/user\"\n    authConfig:\n      -\n        type: userService\n        parameters:\n          endpoint: http://user-service:8080/user-service/v1\n          realm: staff\ncookieDomains: #array of cookie domains where the cookie should be set\n  - .example.com\n  - localhost\nsessionID: BlazewallSession #blazewall session cookie name, must be the same as in gateway-service\nendpoints:\n  sessionService: http://session-service:8080/session-service/v1/sessions #session service endpoint\n```\n\n```bash\ndocker run --name auth-service \\\n-v 
$(pwd)/auth-config.yaml:/app/config/auth-config.yaml \\\n-p 8081:8080 \\\n--network=blazewall-network \\\n-d \\\nblazewall/auth-service \\\n./main -yc /app/config/auth-config.yaml\n```\n\n### Configure **session-service**\n\nThe session service uses Redis to store session data. You must set the following environment variables to connect to Redis:\n\n* REDIS_ADDRES - redis database address (default localhost:6379)\n* REDIS_PASS - redis DB password (default empty)\n* REDIS_DB - redis DB number (default 0)\n\nLet us run the session service together with Redis:\n\nStart Redis:\n```bash\ndocker run --name redis --network=blazewall-network -h redis redis\n```\nStart session-service:\n```bash\ndocker run --name session-service \\\n--env REDIS_ADDRES=redis:6379 \\\n--network=blazewall-network \\\n-d \\\nblazewall/session-service\n```\n\n### Configure **user-service**\n\nThe current version of the user service supports only MongoDB.\nYou can configure **user-service** using a YAML file.\nThe YAML file contains connection settings for each realm.\nYou can find a configuration sample in [user-config-test.yaml](./user-service/config/user-config-test.yaml).\n\nCreate a `user-config.yaml` file:\n\n```yaml\nrealms: #realms for user service, to use different user databases\n  -\n    realm: users #realm name\n    type: mongodb #database type\n    parameters: #database connection parameters\n      uri: 'mongodb://root:example@mongo:27017'\n      db: users\n      collection: users\n```\n\nRun MongoDB:\n```bash\ndocker run --name mongo \\\n--env MONGO_INITDB_ROOT_USERNAME=root --env MONGO_INITDB_ROOT_PASSWORD=example \\\n-d \\\n--network=blazewall-network -h mongo mongo\n```\n\nRun user-service:\n```bash\ndocker run --name user-service \\\n-v $(pwd)/user-config.yaml:/app/config/user-config.yaml \\\n--network=blazewall-network \\\n-d \\\nblazewall/user-service \\\n./main -yc /app/config/user-config.yaml\n```\n\nIn the request header `X-Blazewall-Session` you will see 
all the session info in JSON format, for instance:\n\n```json\n{\"id\":\"5c02e842-7844-40f5-a90b-2fec3f6dd8d4\",\"userId\":\"admin\",\"realm\":\"users\",\"properties\":{\"firstname\":\"John\",\"lastname\":\"Doe\",\"roles\":\"[\\\"admin\\\",\\\"manager\\\"]\"}}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaximthomas%2Fblazewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaximthomas%2Fblazewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaximthomas%2Fblazewall/lists"}