{"id":22598540,"url":"https://github.com/nilorg/naas","last_synced_at":"2025-05-07T17:44:56.446Z","repository":{"id":36084715,"uuid":"203946199","full_name":"nilorg/naas","owner":"nilorg","description":"authentication authorized server (authentication and authorization server) OAuth2 + Casbin + Swagger + Gin","archived":false,"fork":false,"pushed_at":"2025-04-25T08:13:39.000Z","size":14139,"stargazers_count":54,"open_issues_count":3,"forks_count":16,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-25T09:27:08.587Z","etag":null,"topics":["casbin","go-oauth2-server","naas","oauth2","openid-connect"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nilorg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-08-23T07:21:44.000Z","updated_at":"2025-04-25T08:12:36.000Z","dependencies_parsed_at":"2025-04-25T09:23:27.610Z","dependency_job_id":"4ef491e4-ed9b-4321-a5e6-0ccc926eecdf","html_url":"https://github.com/nilorg/naas","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nilorg%2Fnaas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nilorg%2Fnaas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nilorg%2Fnaas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nilorg%2Fnaas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nilorg","downloa
d_url":"https://codeload.github.com/nilorg/naas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252928769,"owners_count":21826748,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["casbin","go-oauth2-server","naas","oauth2","openid-connect"],"created_at":"2024-12-08T11:06:11.493Z","updated_at":"2025-05-07T17:44:56.425Z","avatar_url":"https://github.com/nilorg.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# naas\nAuthentication and authorization server\n\n# Features\n✅ Implemented\u0026emsp;\u0026emsp;♻️ In progress\u0026emsp;\u0026emsp;❗️ Planned\n\n1. ✅ [OAuth2](https://github.com/nilorg/oauth2)\n    * ✅ Authorization Code grant\n    * ✅ Implicit grant (Implicit Grant Type)\n    * ✅ Resource Owner Password Credentials grant\n    * ✅ Client Credentials grant\n    * ✅ Device Code grant\n    * ✅ Token Introspection endpoint\n    * ✅ Token Revocation endpoint\n    * ✅ Custom endpoints\n\n2. ✅ OpenID Connect\n   * ✅ jwks\n   * ✅ openid\n   * ✅ openid-configuration\n   * ✅ Userinfo (user information endpoint)\n3. ♻️ [Swagger](https://github.com/swaggo/gin-swagger)\n   * ✅ Integrated OAuth2 authentication\n4. ✅ [Casbin](https://github.com/casbin/casbin)\n   * ✅ [RBAC](https://casbin.org/docs/zh-CN/rbac-api)\n   * ✅ [Multi-tenancy](https://casbin.org/docs/zh-CN/rbac-with-domains)\n   * ✅ [Custom naas-casbin-adapter](./pkg/casbin/adapter/adapter.go)\n5. 
♻️ [NAAS admin console](https://github.com/nilorg/naas-web)\n   * ✅ Integrated OAuth2 authentication\n   * ✅ Base data\n     * ✅ Organizations\n     * ✅ Roles\n     * ✅ Users\n   * ✅ OAuth2\n     * ✅ Clients\n     * ✅ Scopes\n   * ✅ Casbin\n     * ✅ Route access policies\n     * ✅ Menu access policies\n     * ✅ Action access policies\n   * ✅ Resources\n     * ✅ Resource servers\n     * ✅ Routes\n     * ✅ Menus\n     * ✅ Actions\n6. ♻️ Other\n     * ❗️ Login with SMS verification code\n     * ❗ Login with email verification code\n     * ✅ QR code scan login\n       * ✅ WeChat scan login (using a WeChat service account/subscription account)\n       * ❗ WeChat scan login (using a WeChat mini program)\n     * ♻️ Third-party login (WeChat, DingTalk)\n       * ♻️ WeChat scan login (using the WeChat Open Platform; the relevant interfaces are implemented, but not yet formally tested because the registration process is too cumbersome)\n     * ❗️ User activity logging\n     * ❗️ Registration page\n     * ✅ GeeTest verification\n\n\n# Screenshots (shown below with the Nilorg task scheduling platform integrated)\n\n1. Login page\n    ![qrcode](./examples/images/qrcode.png)\n    ![login](./examples/images/login.png)\n\n2. Authorization page\n\n    ![authorize](./examples/images/authorize.png)\n\n# Deployment\n\n## Using Docker\n```bash\ndocker run -d \\\n-p 8080:8080 -p 5000:5000 -p 9000:9000 \\\n--name naas \\\n-v \u003clocal path\u003e/naas/configs:/workspace/configs \\\n-v \u003clocal path\u003e/naas/web:/workspace/web \\\n--link mysql:mysql \\\n--link redis:redis \\\n-e HTTP_ENABLE=true \\\n-e GRPC_ENABLE=true \\\n-e GRPC_GATEWAY_ENABLE=true \\\nnilorg/naas:latest\n```\n## Using Kubernetes\n1. Create the namespace\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: nilorg\n```\n```bash\nkubectl apply -f ./deployments/k8s/namespace.yaml\n```\n2. Create the configuration\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: naas\n  namespace: nilorg\ndata:\n  config.yaml: |\n    \u003csame content as configs/config.yaml\u003e\n  rbac_model.conf: |\n    \u003csame content as configs/rbac_model.conf\u003e\n```\n```bash\nkubectl apply -f ./deployments/k8s/config-cm.yaml\n```\n3. 
Create the Pod\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: naas\n  namespace: nilorg\nspec:\n  selector:\n    matchLabels:\n      app: naas\n      service: naas\n      version: v1\n  replicas: 1\n  template:\n    metadata:\n      labels:\n        app: naas\n        service: naas\n        version: v1\n    spec:\n      restartPolicy: Always\n      containers:\n        - name: naas\n          image: nilorg/naas:latest\n          imagePullPolicy: Always\n          ports:\n            - containerPort: 8080 # corresponds to HTTP_ENABLE\n            - containerPort: 5000 # corresponds to GRPC_ENABLE\n            - containerPort: 9000 # corresponds to GRPC_GATEWAY_ENABLE\n          env:\n            - name: GRPC_ENABLE\n              value: \"true\"\n            - name: GRPC_GATEWAY_ENABLE\n              value: \"true\"\n            - name: HTTP_ENABLE\n              value: \"true\"\n          volumeMounts:\n            - name: config-cm # configuration files\n              mountPath: /workspace/configs/\n      volumes:\n        - name: config-cm # configuration files\n          configMap:\n            name: naas\n```\n```bash\nkubectl apply -f ./deployments/k8s/pod.yaml\n```\n4. Create the Service\n```yaml\nkind: Service\napiVersion: v1\nmetadata:\n  name: naas\n  namespace: nilorg\n  labels:\n    app: naas\nspec:\n  selector:\n    app: naas\n    service: naas\n    version: v1\n  ports: # configure the ports according to your own needs\n    - name: naas-8080\n      port: 8080\n      protocol: TCP\n      targetPort: 8080\n    - name: naas-5000\n      port: 5000\n      protocol: TCP\n      targetPort: 5000\n    - name: naas-9000\n      port: 9000\n      protocol: TCP\n      targetPort: 9000\n```\n```bash\nkubectl apply -f ./deployments/k8s/service.yaml\n```\n5. 
Create the Ingress (I use `traefik` here; adjust for your own environment)\n```yaml\napiVersion: traefik.containo.us/v1alpha1\nkind: IngressRoute\nmetadata:\n  name: naas\n  namespace: nilorg\nspec:\n  entryPoints:\n    - web\n  routes:\n    - kind: Rule\n      match: Host(`naas.nilorg.com`)\n      services:\n        - name: naas\n          namespace: nilorg\n          port: 8080\n```\n```bash\nkubectl apply -f ./deployments/k8s/traefik.yaml\n```\n## Configuration file explained\n`configs/config.yaml`\n```yaml\nserver:\n  name: naas # server name\n  oauth2:\n    port: 8080 # HTTP service port\n    issuer: \"https://github.com/nilorg/naas\"\n    device_authorization_endpoint_enabled: true # device authorization endpoint\n    introspection_endpoint_enabled: true # introspection endpoint\n    revocation_endpoint_enabled: true # token revocation endpoint\n  grpc:\n    port: 9000\n    gateway:\n      port: 5000\n  oidc:\n    enabled: true # whether to enable OpenID Connect\n    userinfo_endpoint_enabled: true # fetch user information by token\n  open:\n    enabled: true # open API\n  admin:\n    enabled: true # admin console\n    external: true # enable external administration; requires the external URL to be configured\n    external_url: http://naas-admin.nilorg.com\n    super_user: \"root\"\n    oauth2: # OAuth2 client configuration for the admin console\n      client_id: 1000\n\nlog:\n  level: \"debug\" # panic/fatal/error/warn/info/debug\n  report_caller: true\n\njwt:\n  secret: \"github.com/nilorg/naas\"\n  timeout: 20 # token expiry time, in minutes\n  max_refresh: 10 # grace period for refreshing an expired token\n  rsa: # used to generate JWT tokens; create the private key and certificate with the script `./scripts/create.sh`\n    private: | # private key\n      -----BEGIN RSA PRIVATE KEY-----\n      MIIEowIBAAKCAQEA20St6pqB4LQvqT1Aq2jZPbrkpSiwFeQwiu6AA2eBz3oYveYA\n      SCDzl/jXfPsY36b8VahDWmhgB/ie5Ku+R6yXiZcY9SYDiu8sMONwdkhlIL4nP1oC\n      97CffWf4vkt4mH7i5/rJWCd/MMLzjSmrMPdUOh9Jd2awNjUZ9QiVTBogZeMo8b5i\n      nVBRfRcKAQDZYlo5/VkpaRBTqahh+RoIReX1MHy/LuPMJywPaqHpIh3dlwOvnY6Q\n      uFrPo3cF4B7mi/ofTeRX7xzm6z+uxVZGkUHAxgm4VMAYmiP0dLSzyagA5IHUaPHV\n      ex8luTSR6DcbINm0bw9skUzI8zYPIGzI/rchSQIDAQABAoIBAQDazaAXOfNcvbHJ\n      2jvMUKZn+TXssbt1PO5L1U+dFg7tcVN7PCcP0wIBpumx6AecNtAa0fvUHc+mZKx6\n      
V/9bGpllTYg0KajjXWPlrTAueHOhxt73UuUfMfsVc0k+66T917Cp+RIui8taZ1AO\n      j4QrKsO79Dilk61HipnKcLQ66t9liv4Uf/oxOjfvjaw0+mRDgD2eulTNE+pSIw6L\n      uZXduUcpZkYenXCIS+YfRjKMJGHdCiy0bj8887vg0JiqF+mPxGo1UrOMrkWtC4am\n      Fht7IMUO5KnfBveL1rMB3ed8LRie9B5EOopRoBZ7PhZ31sqlimYargHGnZwYH8BH\n      HzazCGwBAoGBAO8N14JcbqEcs0VpGqyuuBffheu3+6waGt90MhYEMVJsL07qLkIw\n      8P4zvPDthXMncrLBC7VJzKkZ7hmww3/qZX5xYjeSVggxG149I1Kncqn9l9BW/Qes\n      IEmTUfDE8Js6mQfJVxf7qKDsN9E5N90Oj2j4XZK2ECfaLKbwWfDv3IBBAoGBAOrP\n      x/jm9s6Y6KBzxBkXK0jtx2PGM1KxwJFcH9TKgz1A5yue0I1gVdU5Yf3HQowkUGJK\n      lT2sUHh1JXUWd2gSrZ5ba6Fc7yITIRUYjAJaW4JKvGtk59QsdRUsHiKsMxmM1GJl\n      /uDuZem+EiSA4R9ZZZSHAIfQY2VJD3MLDWVMvt8JAoGAJDebo/NvC1e2zVhMI0dh\n      OrSxrHG2Xm+iDKKlB/LgqhUb4b/W/E4/5LNf97x0kGq0lOJsbK3epOv5x8ihBds0\n      P0DcWYEBKcKO2+s1U8tsstZpzrWvJh9s0NjR/EFKFqp9DtHxMP/+n0rKdhdOIF6Z\n      WZTvUE/nCLKkOzKE3dzpMkECgYAYkkmwyCqHkAS31aVtorkK1qcIz9LLEoK+M0+5\n      ar+1BzepnuLgCHay62BPuCxEkgA/aOKZI5EAKfITgJhaMaotag+nQRxdCndpx7nO\n      /TmaNsvkyRhhYY2W+5jjs/Vc9Rm8ekPjsc7EWPl5DGuCZk507nOlwq7ECJMvTLbI\n      JPHMUQKBgF9O0xzJu7NwR1njqeU1MWdo8nzmb9F2itsYRXmOtC+rjTs3uqWBqlu3\n      TE+L0j3o3S6navSHhzzcZLwozW6otHfDcmfFBQG48zbH7YgBVuTnSQyegEpSUHRa\n      Pk78NMGbTCMJ65lA96vscXaSk0hF9Y83YY9Jjiju+uwWdnx74khb\n      -----END RSA PRIVATE KEY-----\n    cert: | # signed certificate\n      -----BEGIN CERTIFICATE-----\n      MIIDSjCCAjICCQDWXqh/wC9VZjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJD\n      TjERMA8GA1UECAwIU2hhbmRvbmcxDjAMBgNVBAcMBUppbmFuMQ8wDQYDVQQKDAZk\n      ZXZvcHMxDzANBgNVBAsMBmRldm9wczETMBEGA1UEAwwKbmlsb3JnLmNvbTAeFw0y\n      MDA1MTYxMjA5MjNaFw0yMTA1MTYxMjA5MjNaMGcxCzAJBgNVBAYTAkNOMREwDwYD\n      VQQIDAhTaGFuZG9uZzEOMAwGA1UEBwwFSmluYW4xDzANBgNVBAoMBmRldm9wczEP\n      MA0GA1UECwwGZGV2b3BzMRMwEQYDVQQDDApuaWxvcmcuY29tMIIBIjANBgkqhkiG\n      9w0BAQEFAAOCAQ8AMIIBCgKCAQEA20St6pqB4LQvqT1Aq2jZPbrkpSiwFeQwiu6A\n      A2eBz3oYveYASCDzl/jXfPsY36b8VahDWmhgB/ie5Ku+R6yXiZcY9SYDiu8sMONw\n      
dkhlIL4nP1oC97CffWf4vkt4mH7i5/rJWCd/MMLzjSmrMPdUOh9Jd2awNjUZ9QiV\n      TBogZeMo8b5inVBRfRcKAQDZYlo5/VkpaRBTqahh+RoIReX1MHy/LuPMJywPaqHp\n      Ih3dlwOvnY6QuFrPo3cF4B7mi/ofTeRX7xzm6z+uxVZGkUHAxgm4VMAYmiP0dLSz\n      yagA5IHUaPHVex8luTSR6DcbINm0bw9skUzI8zYPIGzI/rchSQIDAQABMA0GCSqG\n      SIb3DQEBBQUAA4IBAQAxCCdWsJjI0BNja2VhW4UjN+E2NiE5YQU0wZWtoPtc//lt\n      RziOGrZP82W6uh6BreonBu9JdNOJ0z+FYO957OrCrk6YBoFHe3l38KkQa13Vc4yG\n      2I4s1QPwor9rPRLcRQv4rB/ZS42IXXQBaCEHg+RfQ6oOX8E8YVpmRI8i3fBL4Zcf\n      KPiaI5i2Ey9p7ncV+7LhZ9+rZvMeA10v1jdXhl0rRphJjN+EyC+pHCu01NAaQKAo\n      Cj3vnvAfK8f8dEsZ9hUHLw1olVz0PbdsoUwdvULvVU5weVNyIGFfFMQeoZESrhxr\n      B36K98eWEdm2Wc3IY6OL2xj+DaYm8Tuyh9KzL9hU\n      -----END CERTIFICATE-----\n\nsession:\n  name: \"naas-session\" # name of the cookie used by the session\n  secret: \"github.com/nilorg/naas\" # used to encrypt the session\n  options: # optional session settings\n    path: \"/\"\n    domain: \"naas.nilorg.com\"\n    max_age: 86400\n    secure: false # enable only under HTTPS; enabling it under HTTP makes the session unusable\n    http_only: true\n  redis: # Redis configuration used to store sessions\n    address: \"localhost:6379\"\n    password: \"\"\n\nmysql: # MySQL database\n  address: \"root:test123@tcp(localhost:3306)/naas?charset=utf8\u0026parseTime=True\u0026loc=Local\"\n  log: true # whether to print logs\n\nredis: # Redis\n  address: \"localhost:6379\"\n  password: \"\"\n  db: 0\n\nswagger: # https://swagger.io\n  enabled: true # whether to enable Swagger\n  oauth2: # OAuth2 configuration used by Swagger\n    client_id: 1000\n    client_secret: 22222\n    realm:\n    app_name: naas-server\n    redirect_url: http://naas.nilorg.com/swagger/oauth2-redirect.html # authorization callback URL\n\ncasbin: # https://casbin.org\n  init:\n    enabled: false # whether to initialize the Casbin data; used when the project is initialized for the first time\n  config: configs/rbac_model.conf # casbin configuration file\n\nstorage: # object storage; two types are currently supported, default and oss: default stores files in the specified directory, oss stores them in Alibaba Cloud OSS\n  type: default # default/oss\n  default: \n    base_path: ./web/storage\n  oss: # Alibaba Cloud OSS configuration\n    endpoint: oss-cn-shanghai.aliyuncs.com\n    bucket: xxx\n    access:\n      key_id: aaaaa\n      
key_secret: bbbbb\n  public_path: http://localhost:8080/storage # file URL prefix used to access files; with oss a public address can be used\n  max_memory: 20 # 20MB\n\nnaas:\n  resource: # used as the resource for backend API authorization\n    id: 1\n\ngeetest: # https://www.geetest.com GeeTest verification\n  enabled: true\n  id: \"c9c4facd1a6feeb80802222cbb74ca8e\" # can be replaced with your own\n  key: \"f7475f921a41f7ba79ae15e41658627c\" # can be replaced with your own\n```\n`configs/rbac_model.conf`: see [Casbin model syntax](https://casbin.org/docs/zh-CN/syntax-for-models)\n```conf\n# Model syntax https://casbin.org/docs/zh-CN/syntax-for-models\n# sub, obj, act are the classic triple: the accessing entity (Subject), the accessed resource (Object) and the access method (Action).\n# sub: the user who wants to access the resource\n# dom: domain/tenant https://casbin.org/docs/zh-CN/rbac-with-domains\n# obj: the resource to be accessed\n# act: the operation the user performs on the resource\n\n# request_definition: request definition\n[request_definition]\nr = sub, dom, obj, act\n\n# policy_definition: policy definition\n[policy_definition]\np = sub, dom, obj, act\n\n# role_definition: role definition\n[role_definition]\ng = _, _, _\n\n# policy_effect: policy effect\n[policy_effect]\ne = some(where (p.eft == allow))\n\n# matchers: matchers\n[matchers]\nm = g(r.sub, p.sub, r.dom) == true \\\n\u0026\u0026 MyDomKeyMatch2(r.obj, p.obj, r.dom, p.dom) == true \\\n\u0026\u0026 MyRegexMatch(r.act, p.act, r.dom, p.dom) == true \\\n|| r.sub == \"role:naas_root\"\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnilorg%2Fnaas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnilorg%2Fnaas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnilorg%2Fnaas/lists"}