{"id":13636197,"url":"https://github.com/pirogoeth/lsso","last_synced_at":"2025-03-23T18:31:30.759Z","repository":{"id":141112605,"uuid":"42562444","full_name":"pirogoeth/lsso","owner":"pirogoeth","description":"Nginx SSO middleware for protecting your internets.","archived":false,"fork":false,"pushed_at":"2017-01-02T03:17:22.000Z","size":92,"stargazers_count":46,"open_issues_count":6,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-08-17T14:02:31.094Z","etag":null,"topics":["lua","nginx","oauth","redis","sso","two-factor","u2f"],"latest_commit_sha":null,"homepage":null,"language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pirogoeth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2015-09-16T03:30:43.000Z","updated_at":"2024-08-17T14:02:31.095Z","dependencies_parsed_at":null,"dependency_job_id":"0a1d92cc-8413-4c08-937e-2b6e1becf1fc","html_url":"https://github.com/pirogoeth/lsso","commit_stats":null,"previous_names":["maiome-development/lsso"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Flsso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Flsso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Flsso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pirogoeth%2Flsso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pirogoeth","download_url":"https://codeload.github.com/pirogoeth/lsso/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245149281,"owners_count":20568866,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lua","nginx","oauth","redis","sso","two-factor","u2f"],"created_at":"2024-08-02T00:00:58.430Z","updated_at":"2025-03-23T18:31:30.492Z","avatar_url":"https://github.com/pirogoeth.png","language":"Lua","funding_links":[],"categories":["Libraries","Nginx + Lua"],"sub_categories":[],"readme":"lsso\n=====\n\nlsso is a SSO middleware written in Lua to sit between Nginx and server endpoints.\n\nlsso uses client-side cookies alongside a Redis database of session hashes to track session.\nIn our setup, we use a fork of [Osiris](https://github.com/pirogoeth/osiris) with a Redis token store as an OAuth endpoint.\n\nFeatures:\n - OAuth authentication\n - Raven / Sentry support\n - Cross-domain-authentication\n - Backend session store in Redis\n - Auth and session event logging to Redis\n - CLI management tool, [lssoctl](https://github.com/maiome-development/lssoctl) (*In Progress!*)\n - Management API (*In Progress!*)\n - Temporary access token generation\n - 2FA Support\n\nRequirements\n============\n\n- Lua51 (nginx-lua requirement)\n- LuaSec \u003e= 0.5\n- Raven-Lua (modified version included in external/raven.lua; includes HTTPS support for Sentry)\n- Nginx-resty-cookie (included in external/resty/)\n- lua-cjson (https://github.com/efelix/lua-cjson)\n- redis-lua (https://github.com/nrk/redis-lua)\n- OAuth server (recommended: https://github.com/pirogoeth/osiris; has been tested)\n- authy-lua (required for authy-2fa; pkg: authy-lua \u003e= 0.1.0-4, src: https://github.com/pirogoeth/authy-lua)\n  - lua-resty-http (required for authy-2fa; pkg: lua-resty-http 0.07-0, src: https://github.com/pintsized/lua-resty-http)\n\nInstallation\n=============\n\n- Clone this repo..\n- Copy external/\\* to your lua5.1 package dir (/usr/local/share/lua/5.1/ or similar)\n- Use the file from `nginx/sso-init.conf` to set up the main nginx conf.\n  - Make sure to adjust the request rate limit to your desire.\n- Use the template from `nginx/sso-site.conf` to set up your SSO endpoint.\n  - Adjust any endpoints as you wish, but make sure to update `config.lua` as well.\n- Grab the src/config.lua, configure it, and stick it where you want\n- Change `config_path` in src/init.lua to point to your newly configured config.lua.\n- Insert `access_by_lua_file /path/to/lsso/src/access.lua;` in any location, server block, etc, that you want to protect.\n- Restart nginx.\n- Done! (?)\n\n\nRoadmap\n=======\n\n- Authentication:\n  - [ ] HTTP Basic authentication support for endpoints.\n    - _Stage_: Researching\n  - [ ] Implement SAML 2.0 authentication\n    - _Stage_: Researching \u0026 implementing\n  - [ ] Implement U2F Registration / Authentication process\n    - _Stage_: Researching\n  - [ ] Use JWT cookie instead of unsigned client cookies (? | [lua-resty-jwt](https://github.com/SkyLothar/lua-resty-jwt))\n    - _Stage_: Researching\n  - [X] Per-location auth scoping (customizable scopes for each protected location: `set $lsso_location_scope 'admin';` before `access_by_lua_file`)\n- API:\n  - [ ] API access tokens\n    - Inherently different from regular access tokens, but possibly managed/requested through the same endpoint?\n    - If using a different endpoint, possibly `/api/auth` (?).\n  - [ ] Some user-facing endpoints for managing sessions:\n    - [ ] /auth/logout - kill the active user session, if any.\n  - [ ] API for token requests, management, health, etc.\n    - [X] /api/\\_health - simple status\n    - [X] /api/token/request - request access token\n    - [X] Log access endpoints\n      - [X] /log/api - api event log\n      - [X] /log/auth - authentication event log\n      - [X] /log/session - session event log\n      - ...\n    - ...\n- Metadata:\n  - [ ] Metadata store implementation\n    - Required for U2F and other 2FA implementations\n    - Should be an ephemeral data store, possibly key-value or record-based\n    - Implementation language does not need to be Lua...\n    - Should be simplistic, have an HTTP API, HTTP client\n    - Should *not* depend on a temporal data store such as Redis (unless configured as persistent store)\n    - _Stage_: Researching\n- Miscellaneous:\n  - [ ] More documentation!\n  - [ ] Stats collection for info about user sessions, login attempts, page accesses (?)\n    - [ ] Stats export via statsd for aggregation (?)\n  - [ ] Status portal (with *content_by_lua_file* and [lustache](https://github.com/Olivine-Labs/lustache))\n- Multi-Factor Auth:\n  - [ ] Implement base for 2FA...\n  - Major 2FA types:\n    - [ ] Authy\n      - _Stage_: Researching \u0026 implementation\n    - [ ] U2F\n      - _Stage_: Researching\n\nContributing\n============\n\nPull requests and issues are more than welcome! I need as much feedback on this as possible to continue improving the SSO.\n\nTo discuss code or anything else, you can find us on IRC at irc.maio.me in #dev.\n\n\nLicensing\n=========\n\nThis project is licensed under the MIT License. You can view the full terms of the license in `/LICENSE.txt`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpirogoeth%2Flsso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpirogoeth%2Flsso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpirogoeth%2Flsso/lists"}