{"id":48296422,"url":"https://github.com/univention/crudeoauth","last_synced_at":"2026-04-04T23:35:18.700Z","repository":{"id":221171469,"uuid":"753612636","full_name":"univention/crudeoauth","owner":"univention","description":"CrudeOAuth -  A SASL plugin and PAM implementation of OAUTHBEARER","archived":false,"fork":false,"pushed_at":"2025-05-05T10:09:32.000Z","size":204,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-05-05T11:26:31.500Z","etag":null,"topics":["oauth2","oauthbearer","openldap","pam","sasl","slapd"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/univention.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-02-06T13:21:04.000Z","updated_at":"2025-05-05T10:09:36.000Z","dependencies_parsed_at":"2025-05-05T11:24:04.098Z","dependency_job_id":"7c3b2ea5-c86f-4aa1-9214-8299e51391ee","html_url":"https://github.com/univention/crudeoauth","commit_stats":null,"previous_names":["univention/crudeoauth"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/univention/crudeoauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Fcrudeoauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Fcrudeoauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Fcrudeoauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/univention%2Fcrudeoauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/univention","download_url":"https://codeload.github.com/univention/crudeoauth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Fcrudeoauth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31419537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T20:09:54.854Z","status":"ssl_error","status_checked_at":"2026-04-04T20:09:44.350Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oauth2","oauthbearer","openldap","pam","sasl","slapd"],"created_at":"2026-04-04T23:35:18.123Z","updated_at":"2026-04-04T23:35:18.685Z","avatar_url":"https://github.com/univention.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# crudeoauth - A SASL plugin and PAM implementation of OAUTHBEARER\n\nThis is `crudeoauth`, a PAM and SASL plugin implementation of [RFC 7628](https://datatracker.ietf.org/doc/rfc7628/) OAUTHBEARER.\n\nThe artifacts can be used\n* by user facing services:\n    * to validate OAuth 2.0 access tokens using PAM\n    * to perform SASL binds using the OAUTHBEARER mechanism, sending an OAuth 2.0 access token\n* by protected resources:\n    * to accept SASL binds using the OAUTHBEARER mechanism and validate OAuth 2.0 
access tokens.\n\nIn [UCS](https://www.univention.com/products/ucs/) the user facing service could be the Univention Management Console and\nthe protected resource could be the OpenLDAP slapd.\n\nConfiguration of the SASL plugin is done via a sasl.conf file (e.g. `/etc/ldap/sasl2/slapd.conf` in UCS/Debian).\nConfiguration of the PAM module is done via the module arguments given to it in the PAM stack definition.\n\nThe implementation has been tested with Keycloak 23.0.x.\nThe PAM and SASL plugin check the `aud` claim as required by\n[RFC 9068](https://datatracker.ietf.org/doc/html/rfc9068), so a token whose audience is not the protected resource is rejected.\nKeycloak 23 currently doesn't automatically put `aud` into the access token; the claim has to be added on the Keycloak side (e.g. with an audience protocol mapper), otherwise every token fails the `aud` check.\n\nThe PAM and SASL plugin can additionally check the `azp` claim if configured accordingly.\n\n## User notes\n\nThe repository also holds Debian maintainer files in the `debian/` folder, which\ncan be used to build the binary packages `libpam-oauthbearer` and `libsasl2-modules-oauthbearer`.\n\nThe SASL plugin is suitable to be used by the OpenLDAP server (slapd) via the\n`/etc/ldap/sasl2/slapd.conf` configuration file.\nIt provides configuration options like:\n```\nmech_list: … OAUTHBEARER\noauthbearer_grace: 3\noauthbearer_userid: preferred_username\noauthbearer_trusted_jwks0: /usr/share/oidc/file_containing_the_authorization_server_certificates_as.jwks\noauthbearer_trusted_iss0: https://sso.example.org/realms/master\noauthbearer_trusted_aud0: ldaps://example.org/\n# oauthbearer_trusted_azp0: https://client.example.org/oidc/\n# oauthbearer_required_scope0: openid\n# oauthbearer_no_tls: 0\n```\nThe `azp` and `scope` checks are optional: `azp` pins the token to the OAuth client it was issued to, and `scope` requires the listed scope to be present in the token, which narrows the set of tokens the resource accepts.\n\nThe username is read from the access token claim named by `oauthbearer_userid` and used as `authcid`.\nAn optional `authzid` may be provided by the client and is honoured only if the LDAP server's authorization policy allows it.\n\nAfter a successful SASL bind e.g. 
to OpenLDAP slapd\nthe user arrives with an authentication DN of the form `uid=<authcid>,cn=oauthbearer,cn=auth`, which is specific to the SASL mechanism and does not exist in the DIT.\nIn OpenLDAP it can be mapped to a real entry in the DIT by putting\nan `authz-regexp` statement into `slapd.conf` as usual:\n```\nauthz-regexp\n    uid=([^,]*),cn=oauthbearer,cn=auth\n    ldap:///dc=example,dc=org??sub?uid=$1\n```\nThe search URL has to match exactly one entry: if `uid` is not unique below the base, the mapping fails and so does the bind.\n\nThe PAM module `pam_oauthbearer.so` is provided by the package `libpam-oauthbearer`.\nIt performs the same validations and takes equivalent options as module arguments in the PAM stack definition:\n```\nauth sufficient pam_oauthbearer.so grace=3 userid=preferred_username \\\n    iss=https://sso.example.org/realms/master \\\n    jwks=/usr/share/oidc/file_containing_the_authorization_server_certificates_as.jwks \\\n    trusted_aud=ldaps://example.org/ trusted_azp=https://client.example.org/oidc/ \\\n    required_scope=openid\n```\n\nAgain, the `trusted_azp` and `required_scope` checks are optional and restrict the accepted tokens further.\n\n## Developer notes\n\nThe code is currently maintained in the [Univention Corporate Server](https://www.univention.com/products/ucs/) (UCS) product mono repository, under [oidc/crudeoauth](https://github.com/univention/univention-corporate-server/tree/5.0-6/oidc/crudeoauth).\n\nThe code uses the [rhonabwy](https://babelouest.github.io/rhonabwy/) library\nfor handling of JWT and JWKS structures.\n\nThe project name `crudeoauth` has been chosen as a tribute to the project [crudesaml](https://github.com/univention/crudesaml),\nwhich provided a blueprint for creating a combined PAM and SASL plugin.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funivention%2Fcrudeoauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funivention%2Fcrudeoauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funivention%2Fcrudeoauth/lists"}
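The README above lists the same set of checks twice, once as `oauthbearer_*` options in `slapd.conf` and once as `pam_oauthbearer.so` arguments (trusted `iss`, trusted `aud`, optional `azp` and scope, a `grace` value, and the claim used as `authcid`). The following is an added example, not code from the crudeoauth project or the ecosyste.ms record, that spells those checks out as stdlib-only Python so the accept/reject behaviour of each option can be exercised offline. Assumptions not taken from the page: `grace` is treated as seconds of clock tolerance on `exp`; the signature check uses an HS256 `oct` key as a stand-in for the RSA/EC keys a real authorization server publishes in its JWKS (the plugin itself verifies those through rhonabwy); and all key material, claim values and the `make_token`/`sample_claims` helpers are constructed for this example.

```python
"""Added example, not crudeoauth code: the iss/aud/exp/azp/scope checks behind the
oauthbearer_* (slapd.conf) and pam_oauthbearer.so options. Assumptions: grace is
seconds of clock tolerance, HS256/'oct' stands in for the AS's RSA/EC JWKS keys,
and all sample data below is constructed."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


class TokenRejected(Exception):
    """Carries the reason the SASL bind / PAM auth would fail."""


def verify_jws(token: str, jwks: dict) -> dict:
    """Verify the compact JWS against a trusted JWKS and return its claims.
    Only HS256 with an 'oct' JWK is implemented here (stand-in, see above)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The trusted key set decides the algorithm, never the token: no 'none', no downgrade.
    if header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenRejected("no trusted key for kid %r" % header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenRejected("signature mismatch")
    return json.loads(b64url_decode(p_b64))


def check_claims(claims: dict, *, trusted_iss, trusted_aud, userid="preferred_username",
                 grace=0, trusted_azp=None, required_scope=(), now=None) -> str:
    """Apply the policy checks and return the claim value used as authcid."""
    now = time.time() if now is None else now
    if claims.get("iss") not in trusted_iss:
        raise TokenRejected("untrusted iss %r" % claims.get("iss"))
    # RFC 7519: aud is a string or an array; one of the trusted values must be present.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in trusted_aud for a in auds):
        raise TokenRejected("aud %r is not this resource (RFC 9068)" % (aud,))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + grace:
        raise TokenRejected("token expired (grace %ss)" % grace)
    if trusted_azp is not None and claims.get("azp") not in trusted_azp:
        raise TokenRejected("azp %r is not a trusted client" % claims.get("azp"))
    missing = set(required_scope) - set(claims.get("scope", "").split())
    if missing:
        raise TokenRejected("missing scope(s): %s" % " ".join(sorted(missing)))
    name = claims.get(userid)
    if not isinstance(name, str) or not name:
        raise TokenRejected("claim %r missing, no authcid" % userid)
    return name


# Constructed sample material (assumption): a shared key in a JWKS, and a policy that
# mirrors the README's slapd.conf / PAM option values.
SAMPLE_KEY = b"constructed-shared-secret-for-this-example-only"
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "example-key-1", "k": b64url_encode(SAMPLE_KEY)}]}
POLICY = dict(trusted_iss=["https://sso.example.org/realms/master"],
              trusted_aud=["ldaps://example.org/"],
              trusted_azp=["https://client.example.org/oidc/"],
              required_scope=["openid"], userid="preferred_username", grace=3)


def make_token(claims: dict, key: bytes = SAMPLE_KEY, kid: str = "example-key-1") -> str:
    """Mint a sample HS256 token (a real AS would sign with RS256/ES256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def sample_claims(now: float, **overrides) -> dict:
    """Constructed claims in the shape Keycloak issues once an audience mapper adds 'aud'."""
    claims = {"iss": "https://sso.example.org/realms/master",
              "aud": ["ldaps://example.org/", "account"],
              "azp": "https://client.example.org/oidc/", "scope": "openid profile",
              "preferred_username": "alice", "iat": int(now) - 60, "exp": int(now) + 300}
    claims.update(overrides)
    return claims


def authenticate(token: str, now=None) -> str:
    """The bind decision in one call: signature first, then policy; returns the authcid."""
    return check_claims(verify_jws(token, SAMPLE_JWKS), now=now, **POLICY)
```

`authenticate(make_token(sample_claims(time.time())))` returns `alice`, the value the plugin would hand to slapd as `authcid` and that the `authz-regexp` above turns into `uid=alice` below `dc=example,dc=org`. Overriding a single claim in `sample_claims` (a foreign `aud`, a token signed with another key, a `scope` without `openid`, an `exp` older than the grace window) makes `authenticate` raise `TokenRejected` with the failing check, which is a quick way to confirm what each option in the README's configuration actually enforces before deploying it.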