{"id":17250278,"url":"https://github.com/sorah/himari","last_synced_at":"2026-06-03T14:00:39.233Z","repository":{"id":143647240,"uuid":"616395089","full_name":"sorah/himari","owner":"sorah","description":"OIDC IdP for Small Team. Backed by Omniauth.","archived":false,"fork":false,"pushed_at":"2026-05-29T07:07:55.000Z","size":380,"stargazers_count":25,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-29T07:30:15.217Z","etag":null,"topics":["identity-provider","idp","oidc","omniauth","serverless"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sorah.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"ko_fi":"sorah","github":["sorah"]}},"created_at":"2023-03-20T10:01:53.000Z","updated_at":"2026-05-29T07:07:59.000Z","dependencies_parsed_at":"2025-04-13T09:15:54.364Z","dependency_job_id":null,"html_url":"https://github.com/sorah/himari","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/sorah/himari","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fhimari","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fhimari/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fhimari/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/sorah%2Fhimari/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sorah","download_url":"https://codeload.github.com/sorah/himari/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fhimari/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33867802,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["identity-provider","idp","oidc","omniauth","serverless"],"created_at":"2024-10-15T06:46:44.641Z","updated_at":"2026-06-03T14:00:39.197Z","avatar_url":"https://github.com/sorah.png","language":"Ruby","funding_links":["https://ko-fi.com/sorah","https://github.com/sponsors/sorah"],"categories":[],"sub_categories":[],"readme":"# Himari - OIDC IdP for Small Team\n\nHimari is a Rack application that acts as an OIDC IdP. Identities are all sourced externally through Omniauth. This app aims to provide a common IdP for a small team for which a full-suite IdP is not a good fit.\n\nFor instance, this app should fit a team with individual collaborators, or a team with members from multiple organizations. 
It enables OIDC for such teams using the identities they already have, without forcing them to manage new credentials for a small purpose.\n\nIf your team can use a full-suite IdP such as Azure AD, Okta or Google Workspace, then this app may not be for you.\n\nWhile this app does not aim to be a replacement, you can consider it a cheaper alternative to Dex (dexidp) by deploying it to AWS Lambda.\n\n## Setup\n\n\u003ci\u003eSee [./himari-aws/lambda/terraform/](./himari-aws/lambda/terraform/) for quick deployment on Lambda using Terraform modules.\u003c/i\u003e\n\nDeploy as a Rack application:\n\n```ruby\n# Gemfile\nsource 'https://rubygems.org'\ngem 'himari'\ngem 'himari-aws' # for AWS Secrets Manager integration and DynamoDB storage backend\n\ngem 'nokogiri' # for himari-aws\ngem 'rack-session'\ngem 'omniauth-github' # or any other OmniAuth strategy that supplies identities\n```\n\nWrite policy and configuration in config.ru. Then run it as a Rack application:\n\n```ruby\n# config.ru\nrequire 'himari'\nrequire 'json'\nrequire 'omniauth'\nrequire 'open-uri'\nrequire 'rack/session/cookie'\n\nuse(Rack::Session::Cookie,\n  path: '/',\n  expire_after: 3600,\n  secure: true,\n  secret: ENV.fetch('SECRET_KEY_BASE'),\n)\n\nuse OmniAuth::Builder do\n  provider :github, ENV.fetch('GITHUB_CLIENT_ID'), ENV.fetch('GITHUB_CLIENT_SECRET')\nend\n\nuse(Himari::Middlewares::Config,\n  issuer: 'https://idp.example.net',\n  providers: [\n    { name: :github, button: 'Log in with GitHub' },\n  ],\n  storage: Himari::Storages::Filesystem.new('/var/lib/himari/data'),\n)\n\n# Add a signing key. Multiple keys can be added for rotation; each kid is published in the JWK Set\nuse(Himari::Middlewares::SigningKey,\n  kid: 'key1',\n  pkey: OpenSSL::PKey::RSA.new(File.read('key.pem'), ''),\n)\n\n# Add as many clients as you need\nuse(Himari::Middlewares::Client,\n  name: 'awsalb',\n  id: '...',\n  secret_hash: '...', # sha384 hexdigest of secret\n  # secret: '...' # or in cleartext\n  redirect_uris: %w(https://app.example.net/oauth2/idpresponse),\n  # String entries are matched by simple string comparison. A Regexp entry is matched\n  # with #match? against the request redirect_uri instead, e.g.\n  #   redirect_uris: [%r{\\Ahttps://app\\.example\\.net/oauth2/[^/]+\\z}]\n  # ignore_localhost_redirect_uri_port: true, # (default) allow any port for loopback\n  #   redirect_uris (http/https on localhost, 127.0.0.1, [::1]) per RFC 8252 §7.3, so native\n  #   apps using an ephemeral port match. Set false to require exact port matching.\n  # skip_consent: false, # set false to require user consent; defaults to true\n  # scopes: %w(openid offline_access), # (default) recognised scopes. Requested scopes outside\n  #   this list are dropped before consent/grant; openid and offline_access are always recognised.\n)\n\n# Generate claims from the omniauth authentication result\nuse(Himari::Middlewares::ClaimsRule, name: 'github-initialize') do |context, decision|\n  next decision.skip!(\"provider not in scope\") unless context.provider == 'github'\n\n  decision.initialize_claims!(\n    sub: \"github_#{context.auth[:uid]}\",\n    name: context.auth[:info][:nickname],\n    preferred_username: context.auth[:info][:nickname],\n    email: context.auth[:info][:email],\n  )\n  decision.user_data[:provider] = 'github'\n\n  decision.continue!\nend\n\n# Select who can be authenticated through Himari. Authn rules run during the omniauth callback\nuse(Himari::Middlewares::AuthenticationRule, name: 'allow-github-known-members') do |context, decision|\n  next decision.skip!(\"provider not in scope\") unless context.provider == 'github'\n\n  known_logins = %w(chihiro maki hare kotama himari)\n  if known_logins.include?(context.claims[:preferred_username])\n    next decision.allow!\n  end\n\n  decision.skip!\nend\n\n# Authorization policies applied while processing OIDC requests from clients. 
Authz rules run during OIDC authorization\nuse(Himari::Middlewares::AuthorizationRule, name: 'default') do |context, decision|\n  clients_available_for_everyone = %w(wiki)\n\n  # You can add custom claims per client; list them in allowed_claims as well\n  decision.claims[:custom_claim1] = 'foo'\n  decision.allowed_claims.push(:custom_claim1)\n\n  if clients_available_for_everyone.include?(context.client.name)\n    next decision.allow!\n  end\n\n  # context.scopes carries the recognised scopes requested for this authorization (already\n  # filtered by the client's scopes allow-list), so rules can gate on them.\n  next decision.deny!(\"admin scope not permitted here\") if context.scopes.include?('admin')\n\n  # Issue the access token as a signed RFC 9068 JWT (at+jwt) for relying parties that validate\n  # it themselves; Himari still validates it against storage. Opaque by default.\n  decision.mint_jwt_access_token = true if context.client.name == 'api'\n\n  decision.skip!\nend\n# We can have many rules\nuse(Himari::Middlewares::AuthorizationRule, name: 'ban-something') do |context, decision|\n  if context.request.ip == '192.0.2.9'\n    next decision.deny!(\"explicit deny for a banned ip\")\n  end\n\n  decision.skip!\nend\n\n# Run!\nrun Himari::App\n```\n\n## Plugins\n\n- [./himari-aws](./himari-aws) for AWS Lambda, DynamoDB and Secrets Manager integration\n\n## Examples\n\n- [./examples/config.details.ru](./examples/config.details.ru): Rule API details\n- [./examples/config.github.ru](./examples/config.github.ru): GitHub Team list API example, with refresh token revalidation\n- [./himari-aws](./himari-aws) for AWS Lambda, DynamoDB and Secrets Manager integration\n\n## Documentation\n\n- [docs/refresh-tokens.md](./docs/refresh-tokens.md): Enabling the refresh token grant and revalidating sessions on refresh\n- [docs/dynamic-client-registrations.md](./docs/dynamic-client-registrations.md): RFC 7591 Dynamic Client Registration, letting clients register themselves at runtime\n- 
[docs/metadata-client-registrations.md](./docs/metadata-client-registrations.md): Client ID Metadata Document, accepting an https URL `client_id` that points to a hosted metadata document\n\n## Usage\n\nHimari acts as an OIDC OpenID Provider. OIDC discovery metadata is served at `/.well-known/openid-configuration`.\n\n- Authorize Endpoint: `/oidc/authorize`\n- Token Endpoint: `/public/oidc/token`\n- Userinfo Endpoint: `/public/oidc/userinfo`\n- JWK Set Endpoint: `/public/jwks`\n\n## Caveats\n\n- Acts on the `openid` and `offline_access` scopes; any other requested scope is recognised only when listed in the client's `scopes`, and is otherwise dropped from the request.\n- Implements the Authorization Code Grant and the [Refresh Token Grant](./docs/refresh-tokens.md) only. Public clients should use the authorization code flow with PKCE.\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies. Then run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.\n\nTo install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/sorah/himari.\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fhimari","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsorah%2Fhimari","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fhimari/lists"}
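The redirect_uri rules described in the README's Client middleware comments (exact string comparison for String entries, Regexp#match? for Regexp entries, and loopback port relaxation per RFC 8252 section 7.3) are where an IdP most easily turns into an open redirector, so here is an added stand-alone Ruby illustration of that check. It is not Himari's own implementation: the helper names `redirect_uri_allowed?` and `loopback_match_ignoring_port?`, the `ignore_localhost_port:` keyword and the sample URIs are all constructed for this example.

```ruby
require 'uri'

# Loopback hosts whose port may vary (RFC 8252 section 7.3). Constructed for this example.
LOOPBACK_HOSTS = %w(localhost 127.0.0.1 ::1).freeze

# Illustrative reimplementation (not Himari's code) of the registered redirect_uri check:
# a String entry must equal the requested value exactly, a Regexp entry is tested with
# #match?, and only loopback URIs may differ in port when ignore_localhost_port is true.
def redirect_uri_allowed?(entries, requested, ignore_localhost_port: true)
  entries.any? do |entry|
    case entry
    when Regexp
      entry.match?(requested)
    when String
      entry == requested ||
        (ignore_localhost_port && loopback_match_ignoring_port?(entry, requested))
    else
      false
    end
  end
end

# True only when both URIs are http/https to the same loopback host and everything
# except the port is identical. The hostname is compared before the port is even looked
# at, so 127.0.0.1.evil.example or localhost.evil.example never qualify.
def loopback_match_ignoring_port?(registered, requested)
  a = URI.parse(registered)
  b = URI.parse(requested)
  return false unless %w(http https).include?(a.scheme) && a.scheme == b.scheme
  return false unless LOOPBACK_HOSTS.include?(a.hostname) && a.hostname == b.hostname
  [a.userinfo, a.path, a.query, a.fragment] == [b.userinfo, b.path, b.query, b.fragment]
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  registered = ['https://app.example.net/oauth2/idpresponse', 'http://127.0.0.1/callback']
  [
    'https://app.example.net/oauth2/idpresponse',
    'https://app.example.net/oauth2/idpresponse?next=/admin',
    'http://127.0.0.1:53021/callback',
    'http://127.0.0.1.evil.example:53021/callback',
  ].each { |uri| puts [uri, redirect_uri_allowed?(registered, uri)].join(' => ') }
end
```

Two things the checks above make visible: a String entry rejects a request that differs only by query string or port, so register the exact callback the client sends; and a Regexp entry is only as safe as its anchors, since an unanchored pattern such as `%r{app\.example\.net/oauth2/}` also matches an attacker URL that merely contains that substring. Anchor every pattern with `\A` and `\z`, as the README's own example does.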
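The README's SigningKey middleware registers RSA keys under a `kid`, the JWK Set endpoint publishes them, and the AuthorizationRule comment mentions minting signed JWT access tokens for relying parties that validate tokens themselves. To make the relying-party side concrete, here is an added Ruby example (not Himari's code) that builds a JWK Set from two RSA keys, mints an RS256 token naming one of them, and verifies it the way a relying party should: select the key by `kid`, pin the algorithm, then check the signature, `iss`, `aud` and `exp`. The function names `jwks_for`, `sign_jwt`, `rsa_public_key_from_jwk` and `verify_jwt`, the issuer and client id values, and the key material generated inline are all assumptions of this example; the exact JSON Himari emits is not shown on the page, and only Ruby's standard library is used.

```ruby
require 'openssl'
require 'json'

# base64url without padding (RFC 7515 section 2), implemented here to avoid the base64 gem.
def b64url(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decoding; raises ArgumentError on garbage
end

# Provider side: publish the public half of each signing key as a JWK carrying its kid,
# the shape a JWK Set endpoint serves. keys is { 'key1' => OpenSSL::PKey::RSA, ... }.
def jwks_for(keys)
  entries = keys.map { |kid, pkey|
    { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
      'n' => b64url(pkey.n.to_s(2)), 'e' => b64url(pkey.e.to_s(2)) }
  }
  { 'keys' => entries }
end

# Provider side: mint an RS256 JWT whose header names the key that signed it.
def sign_jwt(claims, kid, pkey)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  input = [b64url(JSON.generate(header)), b64url(JSON.generate(claims))].join('.')
  [input, b64url(pkey.sign(OpenSSL::Digest.new('SHA256'), input))].join('.')
end

# Relying-party side: rebuild an RSA public key from a JWK via a SubjectPublicKeyInfo DER,
# which OpenSSL::PKey::RSA.new accepts on both OpenSSL 1.1 and 3.x.
def rsa_public_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_pub = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(rsa_pub.to_der),
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Relying-party side: verify a token against a JWK Set. Every failure raises ArgumentError
# with a fixed message so callers can log the reason without leaking token contents.
def verify_jwt(token, jwks, issuer:, audience:, now: Time.now.to_i)
  h, p, s = token.split('.')
  raise ArgumentError, 'malformed token' unless h && p && s
  header = JSON.parse(b64url_decode(h))
  # Pin the algorithm instead of trusting the header (blocks alg=none and key confusion).
  raise ArgumentError, 'unexpected alg' unless header['alg'] == 'RS256'
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  raise ArgumentError, 'unknown kid' unless jwk
  pub = rsa_public_key_from_jwk(jwk)
  unless pub.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), [h, p].join('.'))
    raise ArgumentError, 'bad signature'
  end
  claims = JSON.parse(b64url_decode(p))
  raise ArgumentError, 'wrong issuer' unless claims['iss'] == issuer
  raise ArgumentError, 'wrong audience' unless Array(claims['aud']).include?(audience)
  raise ArgumentError, 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
end

if __FILE__ == $PROGRAM_NAME
  key1 = OpenSSL::PKey::RSA.new(2048) # throwaway key, generated for the demo
  jwks = jwks_for('key1' => key1)
  now = Time.now.to_i
  token = sign_jwt({ 'iss' => 'https://idp.example.net', 'aud' => 'awsalb',
                     'sub' => 'github_1', 'iat' => now, 'exp' => now + 300 }, 'key1', key1)
  puts verify_jwt(token, jwks, issuer: 'https://idp.example.net', audience: 'awsalb').inspect
end
```

Rotation works because the verifier looks the key up by `kid` in the published set, so a second key can be added to the IdP ahead of time and the old one removed once no unexpired token names it; a token whose `kid` is absent from the set is rejected rather than falling back to any key. The `iss` and `aud` checks are what stop a token minted for one client (say `wiki`) from being replayed at another.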