- Rust 98.5%
- Just 1.5%
| src | Removing the session and nonce + additional logging | |
| .gitignore | Adding initial project setup | |
| Cargo.lock | Removing the session and nonce + additional logging | |
| Cargo.toml | Removing the session and nonce + additional logging | |
| justfile | Adding a build task for justfile that creates a statically linked binary | |
| README.md | Adding OIDC client configuration with bookstack example | |
Private Discord OpenID Provider
A simple OpenID Provider authentication system that uses Discord and checks that the given member is part of a specific guild.
Warning
: This system is kind of experimental and was made specifically to work with BookStack, it does not fully implements the OIDC protocol. It should however work fine with many other services than Bookstack though. If it doesn't, feel free to open an issue.
Features
- Very lightweight, the full statically-linked binary weights ~2MB
- Requires very little personal information (only process the user id and profile picture)
- So there is no email or list of guild taken
- Standard authentication using OpenID Connect protocol
- Unlike Discord OAuth2, is only restricted to the members of a given Discord server
Installation
Before actually installing this project, we need to create a new application in Discord
- Create a new application on Discord Dev
- Go into the "OAuth2" tab, and retrieve the Client ID and Client Secret and add a new redirect URL in the format of
https://auth.yourwebsite.com/callback - Go into the "Bot" tab and click on Reset Token to retrieve the bot token
- Go into the "Installation" tab, add
botinto the guild install scopes then copy the installation link and paste it in your browser to invite the bot to the right server. - Finally you can also setup things like a description, profile picture and pretty name for your application...
Then, download the binary from the release.
mkdir -p /srv/discord_auth
wget https://codeberg.org/SnowCode/discord-auth/releases/download/latest/x86_64-discord_auth -O /srv/discord_auth/discord_auth
chmod +x /srv/discord_auth/discord_auth
Fill and add the following configuration into /srv/discord_auth/.env
# Get those information from the https://discord.dev website
DISCORD_CLIENT_ID=
DISCORD_CLIENT_SECRET=
DISCORD_BOT_TOKEN=
# Right click on the Discord server you've invited your bot to, and click on "Copy Server ID" (it requires you've enabled "Developer Mode" in your "Advanced" personal settings)
DISCORD_GUILD_ID=
# For Bookstack, set https://your.bookstack.instance/oidc/callback as REDIRECT_URL
REDIRECT_URL=
# Choose any value you want for CLIENT_ID and CLIENT_SECRET but make sure CLIENT_SECRET is random
CLIENT_ID=
CLIENT_SECRET=
# The base URL of this project, for instance https://auth.yourwebsite.com
BASE_URL=
Generate a private RSA key in PKCS#1 format
openssl genrsa -traditional -out /srv/discord_auth/keypair.pem 2048
Now create a user to restrict the access to the service directory
useradd discord_auth
chown -R discord_auth:discord_auth /srv/discord_auth
chmod 700 /srv/discord_auth
Create a systemd service to run the project to make it run in the background automatically. Add the following content into /etc/systemd/system/discord_auth.service
[Unit]
Description=discord_auth
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=/srv/discord_auth/discord_auth
WorkingDirectory=/srv/discord_auth
User=discord_auth
Group=discord_auth
[Install]
WantedBy=multi-user.target
Reload systemd, then start and enable the service
systemctl daemon-reload
systemctl enable --now discord_auth.service
Finally you can setup the reverse proxy to point to the authentication system. Here's an example of it using Caddy. Make sure your reverse proxy setup HTTPS for the site as well.
auth.yourwebsite.com {
reverse_proxy :3000
}
OIDC Client Configuration
Once you've setup the OIDC server, youcan now setup the OIDC client. Here's an example configuration with Boosktack:
AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=true
OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=YOUR-CLIENT-ID
OIDC_CLIENT_SECRET=YOUR-CLIENT-SECRET
OIDC_ISSUER=https://auth.yoursite.com
OIDC_FETCH_AVATAR=true
OIDC_ISSUER_DISCOVER=true
If the client doesn't support automatic discovery and requires you manually set the authorize, token and jwks URLs, here there are:
- Authorize endoint:
https://auth.yoursite.com/authorize - Token endoint:
https://auth.yoursite.com/token - JWKS endoint:
https://auth.yoursite.com/jwks
Limitations: This system currently doesn't support Nonce, and doesn't implement PKCE code exchange either. Meaning there is currently no protection against stolen authorization codes. Also there is no userinfo endpoint either, meaning it's expected that the client only gets its information based on the ID token.