Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/thape-cn/oauth2id

Self-hosting SSO Portal, support Oauth2, Open ID Connect and SAML 2.0
https://github.com/thape-cn/oauth2id

identity oauth2 oauth2-provider oauth2id openid-connect openid-connect-provider

Last synced: about 2 months ago
JSON representation

Self-hosting SSO Portal, support Oauth2, Open ID Connect and SAML 2.0

Awesome Lists containing this project

README

        

[![Circle CI](https://circleci.com/gh/thape-cn/oauth2id.svg?style=svg)](https://circleci.com/gh/thape-cn/oauth2id) [![Gitlab CI](https://git.thape.com.cn/Eric-Guo/oauth2id/badges/main/pipeline.svg)](https://git.thape.com.cn/Eric-Guo/oauth2id/-/commits/main)[![Docker Images](https://img.shields.io/badge/Docker%20Images-blue.svg)](https://hub.docker.com/r/ericguo/oauth2id/tags)

# Oauth2id

SSO Portal based on oauth2 id protocol

# Self-Hosting

Before proceeding with Oauth2id installation, ensure you meet the following prerequisites:

* A server with [Docker](https://www.docker.com/) installed: Oauth2id is designed to be self-hosted with Docker.
* Rails master key, which is used to decrypt the credentials file. If you don't have one, ask for it from the project maintainer.

## Docker Run

To set up Oauth2id using `docker run`, execute the following one command to start Oauth2id:

1. Select a suitable directory as your application directory, and create a directory to store the Oauth2id database file:

```
mkdir -p /opt/oauth2id/storage
```

This step makes sure that storage directory is created and owned by the current user.

2. Run the following command to start Oauth2id:

```
cd /opt/oauth2id
docker run -p 3000:3000 -d --restart always --name oauth2id --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage ericguo/oauth2id:main
```
This command starts Oauth2id in the background, and exposes the Oauth2id web interface on port 3000. The `--env RAILS_MASTER_KEY=YourMasterKey` option is used to pass the Rails master key to the container. The `-v ./storage:/rails/storage` option is used to mount the storage directory on the host to the container. This is necessary to persist the Oauth2id database file.

# Quickly Start

```bash
cp config/database.yml.sample config/database.yml
# or ask for master.key
rm config/credentials.yml.enc
export EDITOR=vim
# paste credentials.yml.sample or skip
bin/rails credentials:edit
bin/rails test:all
```

# Build & Run in docker mode

```bash
docker build --tag ericguo/oauth2id:main .
# or `docker pull ericguo/oauth2id:main` to using existing images
docker run -p 3000:3000 -d --restart always --name oauth2id --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage ericguo/oauth2id:main
# If can not start in above, do the debug.
docker run --env RAILS_MASTER_KEY=YourMasterKey -v ./storage:/rails/storage -it ericguo/oauth2id:main bash
# After success, push manually.
docker push ericguo/oauth2id:main
```

# Dev env setup

Setup the puma-dev to support https in local.

```
brew install puma/puma/puma-dev
sudo puma-dev -setup
puma-dev -install
cd ~/.puma-dev
ln -s /Users//git/oauth2id oauth2id
```

Then visit the `https://oauth2id.test` and accept the invalid https certificate, for higher version MacOS, need opening Keychain Access and moving the Puma-dev CA certificate into the System column under keychains then restarting the browser, [it's a known issue](https://github.com/puma/puma-dev/issues/84#issuecomment-252339375)

In order to make sure Faraday running in local also works well in https, we also need to add Puma-dev CA in OpenSSL library trust list as well, the OpenSSL CA is by default at `/usr/local/etc/openssl/cert.pem`, since we already have valid MacOS Pumda-dev CA in system, we can use [openssl-osx-ca](https://github.com/raggi/openssl-osx-ca) to regenerate the `cert.pem` file so just installs and regenerate `cert.pem` file.

In order to make [httpclient](https://github.com/nahi/httpclient/issues/335) also works well in https, need copy generated cert.pem to httpclient folder. There is two `pem` files in httpclient currently, but Puma-dev CA is 1024, so safe to overwrite.

```bash
# or /usr/local/etc/[email protected]/cert.pem depend on versions
cp /usr/local/etc/openssl/cert.pem /usr/local/lib/ruby/gems/3.0.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem
```

For Monterey running Apple Silicon on Ruby 3.2

```bash
cp /opt/homebrew/etc/openssl\@1.1/cert.pem /opt/homebrew/lib/ruby/gems/3.2.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem
cp /opt/homebrew/etc/openssl\@1.1/cert.pem /opt/homebrew/etc/ca-certificates/cert.pem
```

## About UI

Oauth2id using [vali-admin](https://github.com/pratikborsadiya/vali-admin) UI v2.4.1 which based on the Bootstrap 4 and support *IE 11*.

Please visit UI document via:

```
cd node_modules/vali-admin/docs/
thin -A file -c . -p 3001 start
open http://localhost:3001/index.html
```

# Generate signing key

## Open ID Connect

Just following [doorkeeper-openid_connect gem readme](https://github.com/doorkeeper-gem/doorkeeper-openid_connect#configuration):

```bash
openssl genpkey -algorithm RSA -out oauth2id_oidc_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in oauth2id_oidc_private_key.pem -out oauth2id_oidc_public_key.pem
```

Notice replace oauth2id with your new site name, notice you can get public key from [/oauth/discovery/keys](https://oauth2id.dev/oauth/discovery/keys) as well.

Also make sure the scope setting at least contain `openid` as it's the spec requirement. (Oauth2 can leave scope blank.)

## SAML 2.0

```bash
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout oauth2id_saml_key.key -out oauth2id_saml_cert.crt
# Show SHA1 Fingerprint
openssl x509 -in oauth2id_saml_cert.crt -noout -sha256 -fingerprint
```

## Generate RS256 for asymmetric JWT

```bash
openssl genpkey -algorithm RSA -out oauth2id_jwt_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in oauth2id_jwt_private_key.pem -out oauth2id_jwt_public_key.pem
```

## Generate initial data

```bash
bin/setup
```

## To migrate MySQL to Postgresql

Get db_converter.py from below:

https://github.com/bhmj/mysql-postgresql-converter

```bash
mysqldump --set-gtid-purged=OFF --no-tablespaces --compatible=postgresql --default-character-set=utf8 -r databasename.mysql -u thape_sso_prod thape_sso_prod -p
python ./mysql-postgresql-converter/db_converter.py databasename.mysql databasename.psql
zip -9 databasename.zip databasename.psql
```

Copy the databasename.psql and import via below.

```bat
psql -d postgres
```

```psql
DROP DATABASE thape_sso_dev;
CREATE DATABASE thape_sso_dev WITH ENCODING='UTF8' OWNER='guochunzhong';
\q
```

```bat
psql -d thape_sso_dev -f databasename.psql
```

May replace ' datetime(6) ' with ' timestamp(6) without time zone '.

## Notes to using thape production data

Need running below to make production sign-in success.

```ruby
u=User.find 4431 # it's me
u.confirm
```