Warning
This software has not yet been audited for security.
Use at your own risk!
Description
Sojuauth is a basic HTTP web server which can be used as an authentication provider for Soju in
auth http mode to allow the provisioning of bouncer users via OpenID Connect.
The first time a user accesses Sojuauth, they are prompted to log in via the configured OpenID Connect provider, and
then a new pair of credentials is created and associated with their
sub claim, with their preferred_username claim becoming their username and a random secure password being generated.
The user can then use those credentials to log into Soju and also use its filehost capabilities.
If the user attempts to access Sojuauth again, their password is reset, but since Soju forbids changing a username once
a user is created, their original username is kept by matching their previous
sub claim, even if their preferred_username claim is now different.
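The provisioning rule described above, as an added sketch that is not Sojuauth's own code: a `HashMap` stands in for Redis, and `Store`, `provision` and `random_password` are hypothetical names. The page does not say what happens when two different sub claims present the same preferred_username; rejecting the second one is an assumption of this example.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// In-memory stand-in for the Redis store (the real key layout is not shown on the page).
#[derive(Default)]
pub struct Store {
    by_sub: HashMap<String, (String, String)>, // sub -> (username, password)
}

/// Hypothetical helper: 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
fn random_password() -> std::io::Result<String> {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

impl Store {
    /// Called after a successful OIDC login with the ID token's claims.
    /// Returns the (username, password) pair to hand to the user.
    pub fn provision(&mut self, sub: &str, preferred_username: &str) -> Result<(String, String), String> {
        let password = random_password().map_err(|e| e.to_string())?;
        if let Some(entry) = self.by_sub.get_mut(sub) {
            entry.1 = password; // returning user: reset the password, keep the username
            return Ok(entry.clone());
        }
        // Assumption of this example: a username already bound to another sub
        // is refused, so one identity can never take over another's account.
        if self.by_sub.values().any(|(name, _)| name == preferred_username) {
            return Err(format!("username {} already taken", preferred_username));
        }
        let entry = (preferred_username.to_owned(), password);
        self.by_sub.insert(sub.to_owned(), entry.clone());
        Ok(entry)
    }
}

fn main() -> Result<(), String> {
    let mut store = Store::default();
    let (u1, p1) = store.provision("sub-0001", "alice")?; // constructed claims
    let (u2, p2) = store.provision("sub-0001", "alice_renamed")?;
    println!("{} -> {}, password rotated: {}", u1, u2, p1 != p2);
    Ok(())
}
```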
Requirements
Database
Sojuauth stores its data in a Redis database, so it must receive access to one to function.
Configuration
Sojuauth
Sojuauth is configured via environment variables, and requires the following to be set.
| Variable | Description | Example |
|---|---|---|
| `SITE_URL` | The URL at which Sojuauth will be available. | https://sojuauth.example.org |
| `AXUM_BIND` | The socket address which Sojuauth should bind to. | 0.0.0.0:8080 |
| `REDIS_URL` | The URL at which Redis is available, in fred format. | redis://localhost:6379/2 |
| `REDIS_POOL_SIZE` | The number of connections to make to Redis. | 4 |
| `REDIS_RECONNECT_DELAY_S` | How many seconds are added to the back-off delay if connection fails. | 1 |
| `REDIS_RECONNECT_MAXDELAY_S` | The maximum number of seconds that the back-off delay can reach. | 60 |
| `OIDC_ISSUER` | The URL of the OpenID Connect issuer, to which `.well-known/oidc-configuration` will be appended. | https://idm.example.org/oauth2/openid/sojuauthdebug |
| `OIDC_CLIENT_ID` | The client ID provided to you by the OIDC issuer. | sojuauthdebug |
| `OIDC_CLIENT_SECRET` | The client secret provided to you by the OIDC issuer. | redacted |
| `AUTH_EXPIRATION_S` | How long you can stay on the OIDC authorization page before the auth request data is deleted. | 900 |
Soju
To use Soju with Sojuauth, add the following to your Soju settings.
enable-user-on-auth true
auth http https://sojuauth.example.org/soju