3
0
Fork
You've already forked idp
0
reperfect OIDC identity provider — WASI component (guest) + login/admin SPAs; deploys onto baas, dogfoods platform auth
  • Rust 39.5%
  • Svelte 29.7%
  • TypeScript 27%
  • CSS 1.9%
  • Shell 1.1%
  • Other 0.8%
2026年07月11日 15:31:16 +02:00
guest feat(idp): gate baas:admin scope behind is_admin (platform-operator entitlement for baas S10) 2026年07月11日 15:31:16 +02:00
migrations/idp Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
scripts Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
web Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
.gitignore Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
AGENTS.md Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
baas.toml Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
README.md Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00
rust-toolchain.toml Initial commit: reperfect OIDC IdP extracted from baas 2026年07月11日 14:49:01 +02:00

idp — reperfect OIDC identity provider

The first app that deploys onto baas, and the one that dogfoods platform auth: baas authenticates its own operators against this IdP, with the out-of-band BAAS_ADMIN_TOKEN as the break-glass path when the IdP is down.

The function renders no UI. guest/ is a pure JSON API (a WASI 0.3 component, wasi:http/handler); the two SPAs are static single-page apps that talk to it over CORS.

Parts

  • guest/ — the IdP JSON API as a wasm32-wasip3 component. Its own Cargo workspace; depends on the guest SDK faas by git dep (codeberg.org/reperfect/faas). Endpoints and behaviour: AGENTS.md.
  • web/login/ — the login SPA (Svelte 5 + Tailwind v4 + TS, Bun). This is the OIDC authorization_endpoint: it reads the OAuth request from its query, POSTs credentials to the API /login, and navigates the browser to the returned redirect_uri. Serves at 127.0.0.1:5173 in dev.
  • web/admin/ — the management console SPA. An OAuth client of the IdP (public, PKCE-only); drives the /admin/* JSON API. Serves at 127.0.0.1:5174 in dev.
  • baas.toml — the deploy manifest (project idp, one postgres resource, the signing_seed secret, the / HTTP trigger).
  • migrations/idp/*.sql — schema, applied by baas migrate idp. schema/idp.sql is the derived pg_dump snapshot (never source of truth).

Build

Guest (needs the wasm32-wasip3 sysroot — run scripts/setup-wasip3.sh once per toolchain install):

cargo build --manifest-path guest/Cargo.toml --target wasm32-wasip3 --release
# -> guest/target/wasm32-wasip3/release/guest_idp.wasm

SPAs:

cd web/login && bun install && bun run check && bun run build
cd web/admin && bun install && bun run check && bun run build

@reperfect/brand (Martian Mono + design tokens) is a git dep of each SPA; bun install copies it into node_modules, so the dev server serves the font with no fs.allow override.

Deploy onto baas

The baas CLI comes from the platform repo. From this repo root:

  1. Apply the schema: baas migrate idp --env dev
  2. Set the signing key (vault, not the manifest): baas secret set idp/dev/idp signing_seed=<32B base64url> --control-db <url>
  3. Serve locally, or push the component and deploy by digest:
    • local: baas serve --env dev --addr 127.0.0.1:8100 --control-db <url>
    • published: baas push idp --registry <repo> prints oci://...@sha256:...; set that as the component source and baas serve / baas deploy.

The issuer must equal the serve --addr. authorize_url points at the login SPA; cors_origins allowlists the browser origins (both SPA ports) permitted to call credentialed endpoints. Host the SPAs and the API on the same registrable domain, or third-party-cookie blocking breaks the SSO session cookie.

Admin API

Contract (auth model, endpoints, error codes) is in AGENTS.md under "Admin API".