{"id":18950054,"url":"https://github.com/salesforce/pam_oidc","last_synced_at":"2025-04-15T23:31:38.377Z","repository":{"id":41954219,"uuid":"355690448","full_name":"salesforce/pam_oidc","owner":"salesforce","description":"pam_oidc authenticates users with an OpenID Connect (OIDC) token.","archived":false,"fork":false,"pushed_at":"2023-12-18T23:45:48.000Z","size":40,"stargazers_count":45,"open_issues_count":2,"forks_count":8,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-04-08T00:13:10.697Z","etag":null,"topics":["oidc","openid-connect","pam","pam-module"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salesforce.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null}},"created_at":"2021-04-07T21:47:53.000Z","updated_at":"2024-03-30T23:01:07.000Z","dependencies_parsed_at":"2023-09-24T16:57:11.253Z","dependency_job_id":null,"html_url":"https://github.com/salesforce/pam_oidc","commit_stats":{"total_commits":11,"total_committers":4,"mean_commits":2.75,"dds":"0.36363636363636365","last_synced_commit":"16780808529e48d8c71e244890f88814a541cdd1"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpam_oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpam_oidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpam_oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fp
am_oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salesforce","download_url":"https://codeload.github.com/salesforce/pam_oidc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223689756,"owners_count":17186494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oidc","openid-connect","pam","pam-module"],"created_at":"2024-11-08T13:20:30.549Z","updated_at":"2024-11-08T13:20:31.252Z","avatar_url":"https://github.com/salesforce.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pam\\_oidc\n\n**pam_oidc** authenticates users with an OpenID Connect (OIDC) token.\n\nLinux-PAM extensions are used, so currently the module only supports Linux. Contributions to support other operating systems are welcomed.\n\n## Example Usage\n\nIn `/etc/pam.d/service`:\n\n```\nauth required pam_oidc.so \u003coptions\u003e\n```\n\nExample for Google:\n\n```\nauth required pam_oidc.so issuer=https://accounts.google.com aud=12345-v12345.apps.googleusercontent.com\n```\n\n### Options\n\n#### issuer\n\nRequired.\n\nThe issuer URL. The OpenID configuration should be available at _issuer_/.well-known/openid-configuration\n\n#### aud\n\nRequired.\n\nThe audience value to expect. Tokens signed by the issuer but for a different audience will be rejected. 
This prevents tokens issued for a different purpose from being used for authentication.\n\n#### user\\_template\n\nDefault: `{{.Subject}}`\n\nA Go [text/template](http://pkg.go.dev/text/template) that, when rendered with the JWT/OIDC claims, provides the expected username.\n\nFor example, `{{.Subject}}` would mean that users are expected to authenticate with the JWT `sub` claim as their username.\n\nThe `trimPrefix` and `trimSuffix` functions are available. For example, `{{.Subject | trimSuffix \"@example.com\"}}` would mean a user whose token subject is `jdoe@example.com` would authenticate as `jdoe`.\n\n#### groups\\_claim\\_key\n\nDefault: `groups`\n\nThe name of the key within the token claims that specifies which groups a user is a member of.\n\nIf the token uses a key other than `groups` (e.g., `{\"roles\":[\"a\", \"b\", \"c\"]}`), specify `groups_claim_key=roles`.\n\n#### authorized\\_groups\n\nDefault: (no value)\n\nIf specified, a comma-separated list of groups required for authentication to pass. 
A user must be a member of _at least_ one of the groups in the list, if specified.\n\n#### require\\_acr\n\nDefault: (no value)\n\nIf specified, the required value of the `acr` claim in the token for authentication to pass.\n\n#### require\\_acrs\n\nDefault: (no value)\n\nIf specified, a comma-separated list of acrs, one of which must match the `acr` claim in the token for authentication to pass.\n\n#### http\\_proxy\n\nDefault: (no value)\n\nIf specified, an HTTP proxy used to connect to the issuer to discover OpenID Connect parameters.\n\n## Local Testing\n\nA Vagrant VM is available for local testing:\n\n```\nvagrant up\n```\n\nBy default, PAM is set up with Percona Server to accept OpenID Connect tokens from the Google Cloud SDK using the email address as the username:\n\n```\ngcloud auth login\ngcloud auth print-identity-token\n```\n\nWithin the VM, create a database user to authenticate using PAM:\n\n```\nvagrant ssh\n\n# within the Vagrant VM\nsudo mysql -u root\n\n# within the MySQL monitor\nCREATE USER 'jdoe@gmail.com'@'%' IDENTIFIED WITH auth_pam;\n```\n\nWith the token from `gcloud auth print-identity-token`, attempt to log in:\n\n```\nTOKEN=\"...\" # paste from `gcloud auth print-identity-token`\n\n# The token must be specified using --password=... because it is too long for\n# MySQL to accept interactively\nmysql --user=\"jdoe@gmail.com\" --password=\"$TOKEN\"\n```\n\nTo debug failures, check the auth logs:\n\n```\nsudo tail -f /var/log/auth.log\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforce%2Fpam_oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalesforce%2Fpam_oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforce%2Fpam_oidc/lists"}