Skip to content

Latest commit

 

History

History
109 lines (93 loc) · 4.45 KB

README.md

File metadata and controls

109 lines (93 loc) · 4.45 KB

lsso

lsso is a SSO middleware written in Lua to sit between Nginx and server endpoints.

lsso uses client-side cookies alongside a Redis database of session hashes to track session. In our setup, we use a fork of Osiris with a Redis token store as an OAuth endpoint.

Features:

  • OAuth authentication
  • Raven / Sentry support
  • Cross-domain-authentication
  • Backend session store in Redis
  • Auth and session event logging to Redis
  • CLI management tool, lssoctl (In Progress!)
  • Management API (In Progress!)
  • Temporary access token generation
  • 2FA Support

Requirements

Installation

  • Clone this repo..
  • Copy external/* to your lua5.1 package dir (/usr/local/share/lua/5.1/ or similar)
  • Use the file from nginx/sso-init.conf to set up the main nginx conf.
    • Make sure to adjust the request rate limit to your desire.
  • Use the template from nginx/sso-site.conf to set up your SSO endpoint.
    • Adjust any endpoints as you wish, but make sure to update config.lua as well.
  • Grab the src/config.lua, configure it, and stick it where you want
  • Change config_path in src/init.lua to point to your newly configured config.lua.
  • Insert access_by_lua_file /path/to/lsso/src/access.lua; in any location, server block, etc, that you want to protect.
  • Restart nginx.
  • Done! (?)

Roadmap

  • Authentication:
    • HTTP Basic authentication support for endpoints.
      • Stage: Researching
    • Implement SAML 2.0 authentication
      • Stage: Researching & implementing
    • Implement U2F Registration / Authentication process
      • Stage: Researching
    • Use JWT cookie instead of unsigned client cookies (? | lua-resty-jwt)
      • Stage: Researching
    • Per-location auth scoping (customizable scopes for each protected location: set $lsso_location_scope 'admin'; before access_by_lua_file)
  • API:
    • API access tokens
      • Inherently different from regular access tokens, but possibly managed/requested through the same endpoint?
      • If using a different endpoint, possibly /api/auth (?).
    • Some user-facing endpoints for managing sessions:
      • /auth/logout - kill the active user session, if any.
    • API for token requests, management, health, etc.
      • /api/_health - simple status
      • /api/token/request - request access token
      • Log access endpoints
        • /log/api - api event log
        • /log/auth - authentication event log
        • /log/session - session event log
        • ...
      • ...
  • Metadata:
    • Metadata store implementation
      • Required for U2F and other 2FA implementations
      • Should be an ephemeral data store, possibly key-value or record-based
      • Implementation language does not need to be Lua...
      • Should be simplistic, have an HTTP API, HTTP client
      • Should not depend on a temporal data store such as Redis (unless configured as persistent store)
      • Stage: Researching
  • Miscellaneous:
    • More documentation!
    • Stats collection for info about user sessions, login attempts, page accesses (?)
      • Stats export via statsd for aggregation (?)
    • Status portal (with content_by_lua_file and lustache)
  • Multi-Factor Auth:
    • Implement base for 2FA...
    • Major 2FA types:
      • Authy
        • Stage: Researching & implementation
      • U2F
        • Stage: Researching

Contributing

Pull requests and issues are more than welcome! I need as much feedback on this as possible to continue improving the SSO.

To discuss code or anything else, you can find us on IRC at irc.maio.me in #dev.

Licensing

This project is licensed under the MIT License. You can view the full terms of the license in /LICENSE.txt.