{"id":13521060,"url":"https://github.com/sebadob/rauthy","last_synced_at":"2025-12-11T18:32:26.431Z","repository":{"id":177770873,"uuid":"660887351","full_name":"sebadob/rauthy","owner":"sebadob","description":"Single Sign-On Identity \u0026 Access Management via OpenID Connect, OAuth 2.0 and PAM","archived":false,"fork":false,"pushed_at":"2025-09-01T11:13:52.000Z","size":430243,"stargazers_count":721,"open_issues_count":8,"forks_count":53,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-09-01T13:26:11.690Z","etag":null,"topics":["authentication","fido2","jwt","keycloak","mfa","oidc","oidc-provider","openid-connect","pam","passkey","rust","scim","server","single-sign-on","sso","webauthn"],"latest_commit_sha":null,"homepage":"https://sebadob.github.io/rauthy/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sebadob.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"sebadob","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-07-01T05:53:39.000Z","updated_at":"2025-09-01T11:13:55.000Z","dependencies_parsed_at":"2023-10-21T10:33:00.498Z","dependency_job_id":"75de9d30-4da6-4702-a733-82a03867ea62","html_url":"https://github.com/sebadob/rauthy","commit_stats":null,"previous_names":["sebadob/rauthy"],"tags_count":59,"template":false,"template_full_name":null,"purl":"pkg:github/sebadob/rauthy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebadob%2Frauthy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebadob%2Frauthy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebadob%2Frauthy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebadob%2Frauthy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sebadob","download_url":"https://codeload.github.com/sebadob/rauthy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebadob%2Frauthy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274397763,"owners_count":25277400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-09T02:00:10.223Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","fido2","jwt","keycloak","mfa","oidc","oidc-provider","openid-connect","pam","passkey","rust","scim","server","single-sign-on","sso","webauthn"],"created_at":"2024-08-01T06:00:27.648Z","updated_at":"2025-12-11T18:32:26.422Z","avatar_url":"https://github.com/sebadob.png","language":"Rust","funding_links":["https://github.com/sponsors/sebadob"],"categories":["Rust","Applications"],"sub_categories":["General"],"readme":"![Rauthy Logo](https://github.com/sebadob/rauthy/blob/a89a8e9712c567551cb2d25b9da8823e35794f0a/logo/rauthy_grey_small.png)\n\n# Rauthy\n\nRauthy - Single Sign-On Identity \u0026 Access Management via OpenID Connect, OAuth 2.0 and PAM\n\n\u003e [!NOTE]\n\u003e This application received an independent security audit\n\u003e\nfrom [Radically Open Security](https://www.radicallyopensecurity.com/) ([Frank Plattel](https://github.com/Sp0Q1)\nand [Morgan Hill](https://github.com/pcwizz)) as part of the [NGI Zero Core](https://nlnet.nl/core)\nfunding. There were some findings, that were addressed in `v0.32.1`. The full report can be\nfound [here](https://raw.githubusercontent.com/sebadob/rauthy/refs/heads/main/assets/security_audit_report_v0.32.pdf).\n\n## What it is\n\nRauthy is a lightweight and easy to use Identity Provider supporting OpenID Connect, OAuth 2.0 and\nPAM. It aims to be simple to both set up and operate, with very secure defaults and lots of config\noptions, if you need the flexibility. It puts heavy emphasis on Passkeys and a very strong security\nin general. The project is written in Rust to be as memory efficient, secure and fast as possible,\nand it can run on basically any hardware. If you need Single Sign-On support for IoT or headless CLI\ntools, it's got you covered as well.  \nYou get High-Availability, client branding, UI translation, a nice Admin UI, Events and Auditing,\nand many more features. By default, it runs on top of [Hiqlite](https://github.com/sebadob/hiqlite)\nand does not depend on an external database (Postgres as an alternative) to make it even simpler to\noperate, while scaling up to millions of users easily.\n\n### Secure by default\n\nIt tries to be as secure as possible by default while still providing all the options needed to be\ncompatible with older systems. For instance, if you create a new OIDC client, it activates `ed25519`\nas the default algorithm for token signing and S256 PKCE flow. This will not work with clients,\nwhich do not support it, but you can of course deactivate this to your liking.\n\n### MFA and Passwordless Login\n\n**Option 1:**  \nPassword + Security Key (without User Verification):  \nRauthy provides FIDO 2 / Webauthn login flows. If you once logged in on a new client with your\nusername + password, you will get an encrypted cookie which will allow you to log in without a\npassword from that moment on. You only need to have a FIDO compliant Passkey being registered for\nyour account.\n\n**Option 2:**  \nPasskey-Only Accounts:  \nRauthy supports Passkey-Only-Accounts: you basically just provide your E-Mail address and log in\nwith your FIDO 2 Passkey. Your account will not even have / need a password. This login flow is\nrestricted though to only those passkeys, that can provide User Verification (UV) to always have at\nleast 2FA security.\n\n\u003e [!TIP]\n\u003e Discoverable credentials are discouraged with Rauthy (for good reason). This means you will need\n\u003e to enter your E-Mail for the login (which will be autofilled after the first one), but Rauthy\n\u003e passkeys do not use any storage on your device. For instance when you have a Yubikey which can\n\u003e store 25 passkeys, it will not use a single slot there even having full support.\n\n### Fast and efficient\n\nThe main goal was to provide an SSO solution like Keycloak and others while using a way lower\nfootprint and being more efficient with resources. For instance, Rauthy can easily run a fully blown\nSSO provider on just a Raspberry Pi. It makes extensive use of caching for everything used in the\nauthentication chain to be as fast as possible. Most things are even cached for several hours and\nspecial care has been taken into account in case of cache eviction and invalidation.\n\nRauthy comes with two database options:\n\n- with embedded [Hiqlite](https://github.com/sebadob/hiqlite), which is the default setting\n- or you can optionally use a Postgres as your database, if you already have an instance running\n  anyway.\n\nThe resource usage depends a lot on your setup (Hiqlite, Postgres, HA deployment, amount of\nusers, ...), but for a small set of users, it is usually below 100mb of memory even with the very\naggressive, in-memory caching Rauthy uses, and in some cases even below 50mb.\n\n### Highly Available\n\nEven though it makes extensive use of caching, you can run it in HA\nmode. [Hiqlite](https://github.com/sebadob/hiqlite) creates its own embedded HA cache and\npersistence layer. Such a deployment is possible with\nboth [Hiqlite](https://github.com/sebadob/hiqlite) and Postgres.\n\n### Admin UI + User Account Dashboard\n\nRauthy does have an Admin UI which can be used to basically do almost any operation you might need\nto administrate the whole application and its users. There is also an account dashboard for each\nindividual user, where users will get a basic overview over their account and can self-manage som\nvalues, password, passkeys, and so on.\n\n![Admin UI](https://github.com/sebadob/rauthy/blob/a89a8e9712c567551cb2d25b9da8823e35794f0a/frontend/screenshots/users.png)\n\n![Account Dashboard](https://github.com/sebadob/rauthy/blob/a89a8e9712c567551cb2d25b9da8823e35794f0a/frontend/screenshots/account.png)\n\n### Client Branding\n\nYou have a simple way to create a branding or stylized look for the Login page for each client. The\nwhole color theme can be changed and each client can have its own custom logo. Additionally, if you\nmodify the branding for the default `rauthy` client, it will not only change the look for the Login\npage, but also for the Account and Admin page.\n\n![Client Branding](https://github.com/sebadob/rauthy/blob/c10e9421e65f386718528b15e3d0ace37aff1158/frontend/screenshots/branding.png)\n\n### Events and Auditing\n\nRauthy comes with an Event- and Alerting-System. Events are generated in all kinds of scenarios.\nThey can be sent via E-Mail, Matrix or Slack, depending on the severity and the configured level.\nYou will see them in the Admin UI in real-time, or you can subscribe to the events stream and\nexternally handle them depending on your own business logic.\n\n### Brute-Force and basic DoS protection\n\nRauthy has brute-force and basic DoS protection for the login endpoint. The timeout will be\nartificially delayed after enough invalid logins. It auto-blacklists IPs that exceeded too many\ninvalid logins, with automatic expiry of the blacklisting. You can, if you like, manually blacklist\ncertain IPs as well via the Admin UI.\n\n### IoT Ready\n\nWith the possibility to run on devices with very limited resources and having compatibility for the\nOAuth Device Authorization Grant `device_code` flow, Rauthy would be a very good choice for IoT\nprojects. The IdP itself can easily run on a Raspberry Pi and all headless devices can be\nauthenticated via the `device_code` flow. The `rauthy-client` has everything built-in and ready, if\nyou want to use Rust on the IoT devices as well. It has not been checked in a `no_std` environment\nyet, but the client implementation is pretty simple.\n\n### PAM Logins\n\nOIDC / OAuth covers almost all web apps, and for those that don't have any support, Rauthy comes\nwith `forward_auth` support. To not need an additional LDAP / AD / something similar for your\nbackend and workstations, Rauthy comes with its own custom PAM module. It does not just use JWT\nTokens for logging in, but you can actually manage all your Linux hosts, groups and users in\ndifferent ways. You have the option to secure local logins to workstations via Yubikey (only USB\nPasskeys supported, no QR-code / software keys), and all SSH logins can be done with ephemeral,\nauto-expiring passwords, that you can generate via your Account dashboard, if an Admin has created a\nPAM user for you. This means you basically have MFA-secured SSH logins without the need for any\nmodifications or additional software on your local SSH client, and you can use any SSH client from\nany machine securely, even if it's not your own.\n\nIn addition to the PAM module, you get an NSS module and an NSS proxy that runs on each machine. You\ncan dynamically log in to any machine an Admin has given you access to. Users and groups are not\nadded to local files, but will be resolved via the network.\n\nThis module is published in a separate repo to avoid licensing issues, since it relies on some GPLv3\ndependencies. You can take a look at it\nhere: [rauthy-pam-nss](https://github.com/sebadob/rauthy-pam-nss).\n\n### Scales to millions of users\n\nRauthy has no issue handling even millions of users. Everything keeps being fast and responsive,\napart from the search function for users in der Admin UI when you reach the 10+ million users, where\nsearching usually takes ~3 seconds (depending on your server of course).   \nThe only limiting factor at that point will be your configuration and needs for password hashing\nsecurity. It really depends on how many resources you want to use for hashing (more resources ==\nmore secure) and how many concurrent logins at the exact same time you need to support.\n\n### Features List\n\n- [x] Fully working OIDC / OAuth 2.0 provider\n- [x] PAM logins via custom PAM + NSS modules\n- [x] [Hiqlite](https://github.com/sebadob/hiqlite) or Postgres as database\n- [x] Fast and efficient with low footprint\n- [x] Secure default values\n- [x] Highly configurable\n- [x] High-Availability\n- [x] True passwordless accounts with E-Mail + Magic Link + Passkey\n- [x] Dedicated Admin UI\n- [x] Account dashboard UI for each user with self-service\n- [x] OpenID Connect Dynamic Client Registration\n- [x] OpenID Connect RP Initiated Logout\n- [x] OpenID Connect Backchannel Logout\n- [x] OAuth 2.0 Device Authorization Grant flow\n- [x] Upstream Authentication Providers (Login with ...)\n- [x] DPoP tokens for decentralized login flows\n- [x] Ephemeral, dynamic clients for decentralized login flows\n- [x] SCIM v2 for downstream clients\n- [x] All End-User facing sites support i18n server-side translation\n  with the possibility to add more languages\n- [x] Simple per client branding for the login page\n- [x] Custom roles\n- [x] Custom groups\n- [x] Custom scopes\n- [x] Custom user attributes\n- [x] User attribute binding to custom scopes\n- [x] Optional user-editable custom attributes\n- [x] Configurable password policy\n- [x] Admin API Keys with fine-grained access rights\n- [x] Events and alerting system\n- [x] Optional event persistence\n- [x] Dedicated `forward_auth` endpoint, in addition to the existing userinfo,\n  with support for configurable trusted auth headers\n- [x] Optional event notifications via: E-Mail, Matrix, Slack\n- [x] Optional Force MFA for the Admin UI\n- [x] Optional Force MFA for each individual client\n- [x] Additional encryption inside the database for the most critical entries\n- [x] Automatic database backups with configurable retention and\n  auto-cleanup ([Hiqlite](https://github.com/sebadob/hiqlite) only)\n- [x] auto-encrypted backups ([Hiqlite](https://github.com/sebadob/hiqlite) only)\n- [x] Ability to push [Hiqlite](https://github.com/sebadob/hiqlite) backups to S3 storage\n- [x] auto-restore [Hiqlite](https://github.com/sebadob/hiqlite) backups from file or s3\n- [x] Username enumeration prevention\n- [x] Login / Password hashing rate limiting\n- [x] Session client peer IP binding\n- [x] IP blacklisting feature\n- [x] Auto-IP blacklisting for login endpoints\n- [x] Argon2ID with config helper UI utility\n- [x] Housekeeping schedulers and cron jobs\n- [x] JSON Web Key Set (JWKS) autorotation feature\n- [x] Account conversions between traditional password and Passkey only\n- [x] Optional open user registration\n- [x] Optional user registration domain restriction\n- [x] App version update checker\n- [x] SwaggerUI documentation\n- [x] Configurable E-Mail templates for NewPassword + ResetPassword events\n- [x] Prometheus `/metrics` endpoint on separate port\n- [x] No-Setup migrations between different databases (Yes, even\n  between [Hiqlite](https://github.com/sebadob/hiqlite)\n  and Postgres)\n- [x] Hot-Reload TLS certificates without restart\n- [x] Can serve a basic `webid` document\n- [x] Experimental FedCM support\n\n## Getting Started\n\nEither just take a look at the [Rauthy Book](https://sebadob.github.io/rauthy/), or start directly\nby taking a look at the application yourself with docker on your localhost. Rauthy comes with a\nsetting for very quick and easy local testing and taking a first look. By setting `LOCAL_TEST=true`,\na demo config is being loaded at startup.\n\n```\ndocker run -it --rm -e LOCAL_TEST=true -p 8443:8443 ghcr.io/sebadob/rauthy:0.33.1\n```\n\n\u003e [!CAUTION]\n\u003e Some browsers like Firefox do not allow the registration of Passkeys when using self-signed TLS\n\u003e certificates. To be able to do this during testing, you would need to add the generated CA\n\u003e certificate to your trust store.\n\n\u003e [!IMPORTANT]\n\u003e This command starts an HTTPS server with self-signed certificates.  \n\u003e Make sure to add the `https://` scheme if you open the URL manually.\n\n## Support\n\nIf you need professional (paid) support for Rauthy, please feel free to contact me at\n`mail@sebadob.dev`. Otherwise, please use the Discussions Q\u0026A section. Opened issues, which are\nactually just support requests, will most probably not be answered at all. I am working on this\nproject mostly in my free time.\n\n## Contributing\n\nIf you want to contribute to this repository, please take a look at\n[CONTRIBUTING.md](https://github.com/sebadob/rauthy/blob/main/CONTRIBUTING.md)\n\n## Funding\n\nThis project is funded through [NGI Zero Core](https://nlnet.nl/core), a fund established\nby [NLnet](https://nlnet.nl) with financial support from the European\nCommission's [Next Generation Internet](https://ngi.eu) program. Learn more at\nthe [NLnet project page](https://nlnet.nl/project/Rauthy).\n\n[\u003cimg src=\"https://nlnet.nl/logo/banner.png\" alt=\"NLnet foundation logo\" width=\"20%\" /\u003e](https://nlnet.nl)  \n[\u003cimg src=\"https://nlnet.nl/image/logos/NGI0_tag.svg\" alt=\"NGI Zero Logo\" width=\"20%\" /\u003e](https://nlnet.nl/core)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebadob%2Frauthy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsebadob%2Frauthy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebadob%2Frauthy/lists"}