A UI-first centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0 / OIDC

📦 ⚡️ Casdoor

A UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.



Online demo

Deployed site: https://door.casbin.com/

Quick Start

Run your own Casdoor instance in a few minutes.

Download

There are two ways to get the code. With the go tool (on current toolchains, where go get no longer fetches a program's source tree for you, git clone is the reliable option):

go get github.com/casbin/casdoor

or git:

git clone https://github.com/casbin/casdoor

Finally, change directory:

cd casdoor/

There are two ways to start Casdoor: manually, or with Docker.

Manual

Simple configuration

Casdoor requires a running relational database. You therefore need to edit the configuration so that it points at your database.

Edit conf/app.conf and set dataSourceName to your database connection string, which follows this format:

username:password@tcp(database_ip:database_port)/

Use a dedicated database account with rights limited to Casdoor's own database rather than the database root account, and keep conf/app.conf out of version control once it holds a real password.

Run

Casdoor has two run modes. They differ in how the front-end is served: in dev mode the front-end comes from yarn's development server on port 7001 and the Go back-end on port 8000 only serves the API; in production mode the built front-end files are served by the Go binary itself, which also changes the binary size.

Dev Mode

Edit conf/app.conf and set runmode=dev. First start the front-end development server:

cd web/ && yarn && yarn run start

❗ A word of caution ❗ : Casdoor's front-end is built with yarn. Use yarn rather than npm; building with npm can fail.

Then, from the repository root (the casdoor/ directory), run the back-end:

go run main.go

That's it! Visit http://127.0.0.1:7001/. 🛩️
Note that SDKs and OAuth/OIDC clients must always talk to the back-end port, 8000, never to the dev server port 7001.

Production Mode

Edit conf/app.conf and set runmode=prod. First build the front-end files:

cd web/ && yarn && yarn run build

Then, from the repository root (the casdoor/ directory), build and run the back-end binary:

go build main.go && sudo ./main

sudo is not actually required here: port 8000 is an unprivileged port, and running an identity provider as root only widens the impact of any bug in it. Prefer running the binary as a dedicated unprivileged user.

In production mode you visit the back-end port, 8000 by default. Now try http://SERVER_IP:8000/

Docker

Casdoor provides two images:

  • casbin/casdoor-all-in-one, which packs the Casdoor binary, a MySQL database and all necessary configuration into one image. It exists so that a new user can try Casdoor quickly: one command (or two) starts a working instance with no configuration. Note: we DO NOT recommend this image for production environments.

  • casbin/casdoor: the normal image, containing only Casdoor and its runtime environment.

Both routes require Docker to be installed; the casbin/casdoor route also needs docker-compose.

Start casdoor with casbin/casdoor-all-in-one

If the image has not been pulled yet, pull it from Docker Hub:

docker pull casbin/casdoor-all-in-one

Start it with:

docker run -p 8000:8000 casbin/casdoor-all-in-one

Now visit http://localhost:8000 and have a try. The default account is admin with password 123. Change that password straight away, and keep the all-in-one container bound to your own machine: it ships a bundled database and a well-known administrator credential, so anyone who can reach the port owns the instance. Go for it!

Start casdoor with casbin/casdoor

Modify the configuration

For the convenience of a first attempt, docker-compose.yml contains the commands to start a database via Docker.

Edit conf/app.conf so that it points at that database (host db, port 3306) by setting dataSourceName to:

dataSourceName = root:<mysql_root_password>@tcp(db:3306)/

where <mysql_root_password> is the root password configured for the db service in docker-compose.yml; the two must match.

Whenever you change conf/app.conf you need to re-run docker-compose up.

Run

docker-compose up

That's it! Try to visit http://localhost:8000/. 🛩️

Detailed documentation

We also provide complete documentation as a reference.

Other examples

All of these use Casdoor as their centralized authentication platform.

  • Casnode: Next-generation forum software based on React + Golang.
  • Casbin-OA: A full-featured OA(Office Assistant) system.
  • ......

Contribute

If you have any questions about Casdoor, open an issue; you can also go straight to a pull request, but we recommend opening an issue first to discuss it with the community.

I18n notice

If you are contributing to Casdoor, note that we use Crowdin as the translation platform and i18next as the translation tool. When you add strings via i18next in the web/ directory, remember to add the new keys to web/src/locales/en/data.json as well.

License

Apache-2.0

Comments
  • Grafana Redirect URI error

    Grafana Redirect URI error

I have configured the redirect URL for Grafana in Casdoor, but when logging in, Casdoor reports that the localhost URL is not in the redirect list. After adding localhost to the redirect URL list it jumps to localhost; changing localhost to Grafana's domain makes it work. The database record is correct.

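The error in this report is the authorization server doing what an OAuth 2.0 server must do: refusing a redirect_uri that is not registered exactly. The following is an added Go example, not Casdoor's code; the Application type, the grafana registration and the candidate URIs are constructed for illustration. It shows the exact-match rule of RFC 6749 §3.1.2 together with the one normalization that is safe (case of scheme and host, default port), and why adding localhost or falling back to prefix matching is the wrong way to make the error go away.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Application is a constructed stand-in for a registered OAuth client: the
// administrator registers the full redirect URIs the client may use.
type Application struct {
	Name         string
	RedirectURIs []string
}

var ErrRedirectNotRegistered = errors.New("redirect_uri is not in the application's registered list")

// normalize applies only the equivalences RFC 3986 allows: scheme and host are
// case-insensitive and a default port is implied. Path and query stay
// byte-for-byte, and a fragment is rejected outright because RFC 6749 §3.1.2
// forbids it in a redirect URI.
func normalize(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("redirect_uri %q must be an absolute URI", raw)
	}
	if u.Fragment != "" {
		return "", fmt.Errorf("redirect_uri %q must not contain a fragment", raw)
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)
	switch u.Scheme {
	case "https":
		u.Host = strings.TrimSuffix(u.Host, ":443")
	case "http":
		u.Host = strings.TrimSuffix(u.Host, ":80")
	}
	return u.String(), nil
}

// ValidateRedirectURI applies the exact-match rule (RFC 6749 §3.1.2.3): the
// requested URI must equal one registered URI after normalization. No prefix or
// wildcard matching, because either lets an attacker receive the authorization
// code at a host or path they control. It returns the registered entry that
// matched, which is what belongs in the audit log.
func ValidateRedirectURI(app Application, requested string) (string, error) {
	want, err := normalize(requested)
	if err != nil {
		return "", err
	}
	for _, registered := range app.RedirectURIs {
		got, err := normalize(registered)
		if err != nil {
			continue // a malformed registered entry can never match
		}
		if got == want {
			return registered, nil
		}
	}
	return "", ErrRedirectNotRegistered
}

func main() {
	// Constructed registration mirroring the Grafana setup in the report above.
	grafana := Application{Name: "grafana", RedirectURIs: []string{"https://grafana.example.com/login/generic_oauth"}}
	for _, r := range []string{
		"https://grafana.example.com/login/generic_oauth",              // exact
		"HTTPS://grafana.example.com:443/login/generic_oauth",          // equivalent form
		"http://localhost:3000/login/generic_oauth",                    // dev host, not registered
		"https://grafana.example.com/login/generic_oauth/../../x",      // path games
		"https://grafana.example.com.attacker.net/login/generic_oauth", // host-suffix trick
	} {
		_, err := ValidateRedirectURI(grafana, r)
		fmt.Printf("%-64s %v\n", r, err)
	}
}
```

The fix for a report like this one is therefore on the client side: Grafana must send exactly the URI that was registered (its public root_url, not localhost), and the registration must list every URI the client will really use.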

  • localhost dev mode can't access backend api because of cors

    localhost dev mode can't access backend api because of cors

I followed https://casdoor.org/docs/basic/server-installation for local dev, then I got this CORS error.

My app.conf file content:

    appname = casdoor
    httpport = 8000
    runmode = dev
    copyrequestbody = true
    driverName = mysql
    dataSourceName = root:<password>@tcp(127.0.0.1:3306)/
    dbName = casdoor
    tableNamePrefix =
    showSql = true
    redisEndpoint =
    defaultStorageProvider = 
    isCloudIntranet = false
    authState = "casdoor"
    socks5Proxy = "127.0.0.1:10082"
    verificationCodeTimeout = 10
    initScore = 2000
    logPostOnly = false
    origin = "http://localhost:7001"
    staticBaseUrl = "https://cdn.casbin.org"
    isDemoMode = false
    batchSize = 100
    ldapServerPort = 389
    languages = en,zh,es,fr,de,ja,ko,ru
    quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
    
  • Retrieve password error: unknown authentication type (not password or provider)

    Retrieve password error: unknown authentication type (not password or provider)

    Hello, everyone!

    I am just a beginner with Casdoor. I am trying to test password retrieval, but received this error:

    unknown authentication type (not password or provider), form = {
    	"type": "login",
    	"organization": "org",
    	"username": "",
    	"password": "",
    	"name": "",
    	"email": "",
    	"phone": "",
    	"affiliation": "",
    	"idCard": "",
    	"region": "",
    	"application": "socbazar",
    	"provider": "",
    	"code": "38316",
    	"state": "",
    	"redirectUri": "",
    	"method": "",
    	"emailCode": "",
    	"phoneCode": "",
    	"phonePrefix": "7",
    	"autoSignin": false,
    	"relayState": "",
    	"samlResponse": ""
    }
    

    The username is found and the email is substituted into the form field, but they are not sent to the server. The email provider is configured and working.

    What am I doing wrong?

  • fix: some minor bugs and make Dockerfile more productive.

    fix: some minor bugs and make Dockerfile more productive.

    These are some very minor changes, so no demos are provided.

    Make Dockerfile more productive.

    • Build all-in-one image:
    docker build --target ALLINONE -t casbin/casdoor-all-in-one:latest .
    
    • Build standard image:
    docker build --target STANDARD -t casbin/casdoor:latest .
    

    Fix the PermissionList page jumping to the wrong place when the permission name in the list is clicked.

    • Insert the owner into the url when jumping to the permissions details page.

    Fix incorrect SignupApplication field value in initBuiltInUser.

    • The wrong SignupApplication value caused exceptions in multiple functions for the first admin user, such as uploading avatars, user detail pages, etc.
  • The certs page is displayed incorrectly

    The certs page is displayed incorrectly

    The contents of the public key field are actually the contents of the certificate, not the public key.

    Consider changing the name of the field to "certificate", or the contents of the field to the public key.

    The Python SDK recently started using the certificate to derive the public key automatically, but the PHP SDK still needs to convert it manually.

  • After updating the user, how to get a token with these updates?

    After updating the user, how to get a token with these updates?

    Hi all!

    I have a small question about using the SDK (Go).

    After updating the user, how to get a token with these updates?

    Steps:

    1. Get token
    token, err := auth.GetOAuthToken(code, state)

    2. Parse JWT token
    jwtClaims, err := auth.ParseJwtToken(token.AccessToken)

    3. Change jwtClaims.User

    4. Update user
    ok, err := auth.UpdateUserForColumns(&jwtClaims.User, []string{"properties"})

    5. How to get an AccessToken string (JWT token) with the updated user?
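The certs-page report above (the field holds a certificate, not a public key) and the token-parsing step in this question come down to the same operation: take the public key out of the certificate the server publishes and verify the JWT's RS256 signature before trusting any claim in it. The following is an added Go example written for this page; it is not Casdoor's or its SDK's code. It generates a throwaway key and self-signed certificate inline so it runs offline, and it assumes the aud claim is a plain string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the payload subset checked here; "aud" is assumed to be a plain string.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// PublicKeyFromCertPEM takes the PEM *certificate* (what the certs page really shows)
// and extracts the RSA public key a verifier needs; a bare "PUBLIC KEY" block is rejected.
func PublicKeyFromCertPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return pub, nil
}

// VerifyRS256 checks a compact JWS with alg pinned to RS256 (never trust the token's
// own alg; that is how alg=none and HS256 key-confusion attacks work), verifies the
// signature over header.payload, then expiry and audience, and only then returns claims.
func VerifyRS256(token string, pub *rsa.PublicKey, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected: only RS256 is accepted")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	body, errBody := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errBody != nil {
		return nil, errors.New("malformed base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp || c.Aud != audience {
		return nil, fmt.Errorf("claims rejected: exp=%d aud=%q", c.Exp, c.Aud)
	}
	return &c, nil
}

// Below is a constructed fixture (throwaway key, self-signed certificate, token signed
// with that key) so the verifier can be exercised offline.
func MakeTestCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func SignRS256(key *rsa.PrivateKey, claims Claims) (string, error) {
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	key, certPEM, _ := MakeTestCert()
	pub, _ := PublicKeyFromCertPEM(certPEM)
	tok, _ := SignRS256(key, Claims{Sub: "alice", Aud: "app-id", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyRS256(tok, pub, "app-id", time.Now()))
}
```

A token's claims are a snapshot taken when it was issued, which is why parsing the old access token after an update cannot show the change; only a token issued after the update will carry it, and the expiry check above is what eventually retires the stale one.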
  • Docker Compose | Environment variables as config

    Docker Compose | Environment variables as config

    Hello 👋

    I'm using Casdoor v1.103.0 with Docker Compose, and I want to pass the environment variables from the docs to the container.

    Example:

    version: '3.9'
    
    services:
      casdoor:
        image: casbin/casdoor:${CASDOOR_IMAGE_VERSION}
        restart: 'no'
        entrypoint: /bin/sh -c './server --createDatabase=true'
        environment:
          RUNNING_IN_DOCKER: "true"
          APPNAME: ${CASDOOR_APP_NAME}
          HTTPPORT: ${CASDOOR_HTTP_PORT}
          RUNMODE: ${CASDOOR_RUN_MODE}
          SESSIONON: ${CASDOOR_SESSION_ON}
          COPYREQUESTBODY: ${CASDOOR_COPY_REQUEST_BODY}
          DRIVERNAME: ${DATABASE_DRIVER}  # e.g. mysql; the post had ${DATABASE_HOST} here, which is the host, not the driver name
          DATASOURCENAME: ${DATABASE_USER}:${DATABASE_USER_PASSWORD}@tcp(${DATABASE_HOST}:${DATABASE_PORT})/
          DBNAME: ${DATABASE_NAME}
          TABLENAMEPREFIX: ${CASDOOR_TABLE_NAME_PREFIX}
          SHOWSQL: ${CASDOOR_SHOW_SQL}
          REDISENDPOINT: ${CASDOOR_REDIS_ENDPOINT}
          DEFAULTSTORAGEPROVIDER: ${CASDOOR_DEFAULT_STORAGE_PROVIDER}
          ISCLOUDINTRANET: ${CASDOOR_IS_CLOUD_INTRANET}
          AUTHSTATE: ${CASDOOR_AUTH_STATE}
          SOCKS5PROXY: ${CASDOOR_SOCKS5_PROXY}
          VERIFICATIONCODETIMEOUT: ${CASDOOR_VERIFICATION_CODE_TIMEOUT}
          INITSCORE: ${CASDOOR_INIT_SCORE}
          LOGPOSTONLY: ${CASDOOR_LOG_POST_ONLY}
          ORIGIN: ${CASDOOR_ORIGIN}
          STATICBASEURL: ${CASDOOR_STATIC_BASE_URL}
        depends_on:
          - mysql
    

    Is it possible to add this feature?

    Thanks in advance.

  • Sign in with open_oidc  front return blank in arm

    Sign in with open_oidc front return blank in arm

    On ARM, the Casdoor administration UI works for me,

    but when I sign in with open_oidc from my app, the front-end is blank,

    and the log is

    2022/08/09 09:24:06.886 [D]  |   192.168.68.1| 200 |   1.252743ms| nomatch| GET      /login/oauth/authorize

    I used the gitea example; the result is the same.

    The same parameter configuration on amd64 is OK.

  • Develop a Casdoor plugin for APISIX

    Develop a Casdoor plugin for APISIX

    Here are two plugins that can be used as references:

    1. KeyCloak: https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/
    2. Casbin: https://apisix.apache.org/docs/apisix/plugins/authz-casbin

    The new plugin auth-casdoor will be added by making PR to APISIX's repo like how it's done for authz-casbin: https://github.com/apache/apisix/pull/4710

    Whether to build a casdoor-lua-sdk first is up to the developer.

    There is existing work connecting APISIX with Casdoor via OIDC: https://github.com/casdoor/casdoor/issues?q=apisix , but a plugin is a better and easier solution, so a plugin is important as well.

  • Act as an OAuth 2.0 + OIDC server

    Act as an OAuth 2.0 + OIDC server

    Currently, Casdoor uses a home-made login mechanism: https://github.com/casbin/casdoor/blob/master/controllers/account.go

    It's not standard and it's unsafe: the password is transmitted over the network.

    Finally, we will move to OAuth 2.0 + OIDC. It means that applications like Casbin OA (both JS client and Go backend) will talk to Casdoor via the OAuth 2.0 + OIDC protocols.

    We can use: https://github.com/go-oauth2/oauth2 to implement our OAuth 2.0 + OIDC server-side.

    The existing code:

    • Casdoor JS client SDK: https://github.com/casbin/casbin-oa/tree/master/web/src/auth (currently, for agile development, we keep the code inside Casbin-OA so we don't need to publish to NPM and then import it as a dependency. In future, when the API is stabilized, we will separate the Casdoor JS client code into a new repo and release it to NPM)
    • Casdoor Go SDK: not available yet, because currently Casbin-OA doesn't involve any server-side code talking to Casdoor; only the client does. This is NOT correct, so we will formulate a Go SDK in the Casbin-OA Go code.

    Some reference about this topic: https://github.com/casbin/casdoor/issues/10

  • OIDC endpoint is always https

    OIDC endpoint is always https

    • env: Docker with the casdoor-all-in-one image
    • OIDC Discovery shows the issuer and other endpoints starting with https rather than http; no TLS is configured in this environment, and I cannot find any configuration to change https to http.
    • When using OIDC, it always redirects to https, which does not work (http works perfectly).
  • fix: convert line endings to LF on checkout for all envs

    fix: convert line endings to LF on checkout for all envs

    Fix #1447

    The fix is similar to https://github.com/kubernetes-up-and-running/kuard/issues/30

    Fix line endings for Windows users. Do not allow the user's core.autocrlf setting to change the line endings of *.sh files. This fixes the container build failures caused by a CRLF line ending on the shebang line of the copied bash files.

    References: https://github.com/kubernetes-up-and-running/kuard/issues/30 https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings#per-repository-settings

  • docker-compose ./build.sh: not found error on Win 10

    docker-compose ./build.sh: not found error on Win 10

    Trying to run docker-compose results in a ./build.sh: not found error on Win 10. I tried it on different Windows machines and confirmed that it is a general problem. I have found a solution and will open a PR to fix this.

  • docker-compose beego error

    docker-compose beego error

    I tried to run Casdoor with the Makefile, and also with docker-compose, and always get the same error:

    casdoor-casdoor-1 exited with code 2
    casdoor-casdoor-1 | panic: prefix should has path
    casdoor-casdoor-1 |
    casdoor-casdoor-1 | goroutine 1 [running]:
    casdoor-casdoor-1 | github.com/beego/beego.(*Tree).addtree(0x0, {0x2b42ae0, 0x174ef40, 0xc000a0e4e8}, 0x1, {0x0, 0x0, 0xc000a0e018}, {0x0, 0x0})
    casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/tree.go:58 +0x1185
    casdoor-casdoor-1 | github.com/beego/beego.(*Tree).AddTree(0x174ef40, {0x0, 0xc000040430}, 0x3)
    casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/tree.go:53 +0x54
    casdoor-casdoor-1 | github.com/beego/beego.(*Namespace).Namespace(0xc0000ae828, {0xc00035b278, 0x1, 0x1})
    casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:212 +0x205
    casdoor-casdoor-1 | github.com/beego/beego.NSNamespace.func1(0x30)
    casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:387 +0x5a
    casdoor-casdoor-1 | github.com/beego/beego.NewNamespace({0x19eb591, 0x1}, {0xc00035bce0, 0x2, 0x1})
    casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:42 +0x104
    casdoor-casdoor-1 | github.com/casdoor/casdoor/routers.initAPI()
    casdoor-casdoor-1 | /go/src/casdoor/routers/router.go:33 +0x1a7
    casdoor-casdoor-1 | github.com/casdoor/casdoor/routers.init.1()
    casdoor-casdoor-1 | /go/src/casdoor/routers/router.go:29 +0x17

  • fix: destroy session after delete user

    fix: destroy session after delete user

    close: #1141

    1. To delete a specified user's sessions, we need to maintain a table that stores the userId together with all of its sessionIds. When an admin deletes the user, Casdoor can look up the sessionIds by userId and then destroy those sessions.
    2. A further effect, for later study: single logout. For example, if we want to log a user out of multiple devices at the same time, we also need a table storing all of that user's sessionIds. When the user logs out, we get all of their sessionIds by querying the table and destroy them, logging out every device.
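The two items above describe a userId to sessionId index so that deleting a user, or logging out everywhere, can revoke every live session instead of leaving them valid until they expire. The following is an added Go sketch of that design for this page, not Casdoor's code: the Session layout, the in-memory Store and the users map are constructed for the example, and a real deployment would back the two maps with the database tables the fix describes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
)

// Session is the server-side record behind a session cookie (constructed layout).
type Session struct {
	ID     string
	UserID string
	Device string
}

// Store keeps sessions by ID plus the reverse index userID -> session IDs the fix
// calls for; without it, "delete user" cannot find the sessions to revoke.
type Store struct {
	mu       sync.Mutex
	sessions map[string]*Session
	byUser   map[string]map[string]struct{}
}

func NewStore() *Store {
	return &Store{sessions: map[string]*Session{}, byUser: map[string]map[string]struct{}{}}
}

// newSessionID draws 256 bits from the CSPRNG: session IDs must be unguessable.
func newSessionID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Create issues a session and records it under its user in one critical section,
// so the index can never lag behind the session table.
func (s *Store) Create(userID, device string) *Session {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess := &Session{ID: newSessionID(), UserID: userID, Device: device}
	s.sessions[sess.ID] = sess
	if s.byUser[userID] == nil {
		s.byUser[userID] = map[string]struct{}{}
	}
	s.byUser[userID][sess.ID] = struct{}{}
	return sess
}

// Lookup is what request handling does with the cookie value.
func (s *Store) Lookup(id string) (*Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	return sess, ok
}

// destroyLocked removes one session from both maps; the caller holds s.mu.
func (s *Store) destroyLocked(id string) {
	sess, ok := s.sessions[id]
	if !ok {
		return
	}
	delete(s.sessions, id)
	delete(s.byUser[sess.UserID], id)
	if len(s.byUser[sess.UserID]) == 0 {
		delete(s.byUser, sess.UserID)
	}
}

// DestroyAllForUser revokes every session of one user and returns how many it
// removed. Admin "delete user" and a "log out on all devices" button both use it.
func (s *Store) DestroyAllForUser(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	ids := make([]string, 0, len(s.byUser[userID]))
	for id := range s.byUser[userID] {
		ids = append(ids, id)
	}
	for _, id := range ids {
		s.destroyLocked(id)
	}
	return len(ids)
}

// DeleteUser shows the ordering the fix requires: remove the account from the
// (constructed, in-memory) user table, then every live session, in one request.
func DeleteUser(users map[string]bool, store *Store, userID string) (int, error) {
	if !users[userID] {
		return 0, fmt.Errorf("user %q not found", userID)
	}
	delete(users, userID)
	return store.DestroyAllForUser(userID), nil
}

func main() {
	store := NewStore()
	users := map[string]bool{"alice": true}
	laptop := store.Create("alice", "laptop")
	store.Create("alice", "phone")
	n, _ := DeleteUser(users, store, "alice")
	_, stillValid := store.Lookup(laptop.ID)
	fmt.Println("revoked:", n, "laptop session still valid:", stillValid)
}
```

The same index is what makes the second item cheap: a "log out everywhere" request is DestroyAllForUser for the caller's own ID, and a "log out other devices" variant is the same loop skipping the current session ID.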