1
0
Fork
You've already forked discord-auth
0
A OIDC provider for Discord that checks the user is part of a given guild without requiring to give up their entire guild list...
  • Rust 98.5%
  • Just 1.5%
2025年11月05日 14:14:57 +01:00
src Removing the session and nonce + additional logging 2025年11月03日 14:49:37 +01:00
.gitignore Adding initial project setup 2025年11月01日 12:18:52 +01:00
Cargo.lock Removing the session and nonce + additional logging 2025年11月03日 14:49:37 +01:00
Cargo.toml Removing the session and nonce + additional logging 2025年11月03日 14:49:37 +01:00
justfile Adding a build task for justfile that creates a statically linked binary 2025年11月01日 22:23:53 +01:00
README.md Adding OIDC client configuration with bookstack example 2025年11月05日 14:14:57 +01:00

Private Discord OpenID Provider

A simple OpenID Provider authentication system that uses Discord and checks that the given member is part of a specific guild.

Warning

: This system is kind of experimental and was made specifically to work with BookStack, it does not fully implements the OIDC protocol. It should however work fine with many other services than Bookstack though. If it doesn't, feel free to open an issue.

Features

  • Very lightweight, the full statically-linked binary weights ~2MB
  • Requires very little personal information (only process the user id and profile picture)
    • So there is no email or list of guild taken
  • Standard authentication using OpenID Connect protocol
  • Unlike Discord OAuth2, is only restricted to the members of a given Discord server

Installation

Before actually installing this project, we need to create a new application in Discord

  1. Create a new application on Discord Dev
  2. Go into the "OAuth2" tab, and retrieve the Client ID and Client Secret and add a new redirect URL in the format of https://auth.yourwebsite.com/callback
  3. Go into the "Bot" tab and click on Reset Token to retrieve the bot token
  4. Go into the "Installation" tab, add bot into the guild install scopes then copy the installation link and paste it in your browser to invite the bot to the right server.
  5. Finally you can also setup things like a description, profile picture and pretty name for your application...

Then, download the binary from the release.

mkdir -p /srv/discord_auth
wget https://codeberg.org/SnowCode/discord-auth/releases/download/latest/x86_64-discord_auth -O /srv/discord_auth/discord_auth
chmod +x /srv/discord_auth/discord_auth

Fill and add the following configuration into /srv/discord_auth/.env

# Get those information from the https://discord.dev website
DISCORD_CLIENT_ID=
DISCORD_CLIENT_SECRET=
DISCORD_BOT_TOKEN=
# Right click on the Discord server you've invited your bot to, and click on "Copy Server ID" (it requires you've enabled "Developer Mode" in your "Advanced" personal settings)
DISCORD_GUILD_ID=
# For Bookstack, set https://your.bookstack.instance/oidc/callback as REDIRECT_URL
REDIRECT_URL=
# Choose any value you want for CLIENT_ID and CLIENT_SECRET but make sure CLIENT_SECRET is random
CLIENT_ID=
CLIENT_SECRET=
# The base URL of this project, for instance https://auth.yourwebsite.com
BASE_URL=

Generate a private RSA key in PKCS#1 format

openssl genrsa -traditional -out /srv/discord_auth/keypair.pem 2048

Now create a user to restrict the access to the service directory

useradd discord_auth
chown -R discord_auth:discord_auth /srv/discord_auth
chmod 700 /srv/discord_auth

Create a systemd service to run the project to make it run in the background automatically. Add the following content into /etc/systemd/system/discord_auth.service

[Unit]
Description=discord_auth
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=/srv/discord_auth/discord_auth
WorkingDirectory=/srv/discord_auth
User=discord_auth
Group=discord_auth
[Install]
WantedBy=multi-user.target

Reload systemd, then start and enable the service

systemctl daemon-reload
systemctl enable --now discord_auth.service

Finally you can setup the reverse proxy to point to the authentication system. Here's an example of it using Caddy. Make sure your reverse proxy setup HTTPS for the site as well.

auth.yourwebsite.com {
 reverse_proxy :3000
}

OIDC Client Configuration

Once you've setup the OIDC server, youcan now setup the OIDC client. Here's an example configuration with Boosktack:

AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=true
OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=YOUR-CLIENT-ID
OIDC_CLIENT_SECRET=YOUR-CLIENT-SECRET
OIDC_ISSUER=https://auth.yoursite.com
OIDC_FETCH_AVATAR=true
OIDC_ISSUER_DISCOVER=true

If the client doesn't support automatic discovery and requires you manually set the authorize, token and jwks URLs, here there are:

  • Authorize endoint: https://auth.yoursite.com/authorize
  • Token endoint: https://auth.yoursite.com/token
  • JWKS endoint: https://auth.yoursite.com/jwks

Limitations: This system currently doesn't support Nonce, and doesn't implement PKCE code exchange either. Meaning there is currently no protection against stolen authorization codes. Also there is no userinfo endpoint either, meaning it's expected that the client only gets its information based on the ID token.