OIDC manager for Soju https://i.starshard.space

Sojuauth

OpenID Connect shim for Soju

Warning

This software has not yet been audited for security.

Use at your own risk!

Description

Sojuauth is a basic HTTP web server which can be used as an authentication provider for Soju in auth http mode, allowing bouncer users to be provisioned via OpenID Connect.

The first time a user accesses Sojuauth, they are prompted to log in via the configured OpenID Connect provider. A new pair of credentials associated with their sub claim is then created, with their preferred_username claim becoming their username and a secure random password being generated.

The user can then use those credentials to log into Soju and also use its filehost capabilities.

If the user accesses Sojuauth again, their password is reset. Since Soju forbids changing a username once a user has been created, their original username is kept by matching their previous sub claim, even if their preferred_username claim is now different.
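The provisioning rule described above, as an added sketch that is not Sojuauth's own code: a `HashMap` stands in for Redis, the password format (24 bytes from `/dev/urandom`, hex-encoded) is an assumption, and all type and function names are hypothetical. Rejecting a `preferred_username` that is already bound to a different sub is this example's own policy; the page does not say how Sojuauth treats that case.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::{self, Read};

/// Credentials shown to the user after an OIDC login.
#[derive(Debug, Clone, PartialEq)]
pub struct Credentials {
    pub username: String,
    pub password: String,
}

/// In-memory stand-in for the Redis database (hypothetical layout).
#[derive(Default)]
pub struct Store {
    by_sub: HashMap<String, Credentials>,
}

/// 24 bytes from the OS CSPRNG, hex-encoded (assumed password format).
fn random_password() -> io::Result<String> {
    let mut buf = [0u8; 24];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

impl Store {
    /// Call only after the ID token is validated; `sub` is the stable key.
    pub fn provision(&mut self, sub: &str, preferred_username: &str) -> io::Result<Credentials> {
        let password = random_password()?;
        if let Some(existing) = self.by_sub.get_mut(sub) {
            existing.password = password; // repeat visit: reset, keep name
            return Ok(existing.clone());
        }
        // Example's own policy: one username may belong to one `sub` only.
        if self.by_sub.values().any(|c| c.username == preferred_username) {
            return Err(io::Error::new(io::ErrorKind::AlreadyExists, "username already bound"));
        }
        let created = Credentials { username: preferred_username.to_owned(), password };
        self.by_sub.insert(sub.to_owned(), created.clone());
        Ok(created)
    }
}

fn main() -> io::Result<()> {
    let mut store = Store::default();
    let first = store.provision("sub-1234", "alice")?; // constructed claims
    let again = store.provision("sub-1234", "alice-renamed")?;
    println!("{} -> {} (reset: {})", first.username, again.username, first.password != again.password);
    Ok(())
}
```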

Requirements

Database

Sojuauth stores its data in a Redis database, so it must receive access to one to function.

Configuration

Sojuauth

Sojuauth is configured via environment variables, and requires the following to be set.

| Variable | Description | Example |
|---|---|---|
| SITE_URL | The URL at which Sojuauth will be available. | https://sojuauth.example.org |
| AXUM_BIND | The socket address which Sojuauth should bind to. | 0.0.0.0:8080 |
| REDIS_URL | The URL at which Redis is available, in fred format. | redis://localhost:6379/2 |
| REDIS_POOL_SIZE | The number of connections to make to Redis. | 4 |
| REDIS_RECONNECT_DELAY_S | How many seconds are added to the back-off delay if the connection fails. | 1 |
| REDIS_RECONNECT_MAXDELAY_S | The maximum number of seconds that the back-off delay can reach. | 60 |
| OIDC_ISSUER | The URL of the OpenID Connect issuer, to which .well-known/oidc-configuration will be appended. | https://idm.example.org/oauth2/openid/sojuauthdebug |
| OIDC_CLIENT_ID | The client ID provided to you by the OIDC issuer. | sojuauthdebug |
| OIDC_CLIENT_SECRET | The client secret provided to you by the OIDC issuer. | redacted |
| AUTH_EXPIRATION_S | How long you can stay on the OIDC authorization page before the auth request data is deleted. | 900 |

Soju

To use Soju with Sojuauth, add the following to your Soju settings.

enable-user-on-auth true
auth http https://sojuauth.example.org/soju