WitchAuth

Small IAM server.

Why?

WitchAuth is currently an excersize but I believe its best to have a target. In that scope, this project tries to empower small communities and groups to have an identity provider for easy management and better security through SSO.

I believe this can be achieved by chasing two buzzwords: - Easy to deploy: Trivial to run in a container or as a system service (supervised by s6, systemd etc.) - Easy to manage: Uses SQLite to remove database administration work. Stream it with litestream and restart the service when needed.

Roadmap

• [ ] Passable OIDC support with minimum JWT nonsense

  • [ ] OAuth 2.0
  • [ ] OIDC Core
  • [ ] OIDC Discovery

• [ ] At least bare minimum security effort

  • [ ] Somewhat basic login page protection
  • [ ] TOTP
  • [ ] WebAuthn maybe?

• [ ] Smooth Management

  • [ ] Easy to admin via CLI
  • [ ] Easy to admin via API
  • [ ] Easy to admin via a basic panel

• [ ] Alternative storage?

  • [ ] PostgreSQL?
  • [ ] FoundationDB?

Future Work

HSM (yubihsm maybe?) and/or Vault support would be really nice.

SAML? (oh god please no)

Dependency Tracking

Things to look for in the project's dependencies

• Check when rsa uses crypto-bigint

  • Will take some time, AFAIK DynResidue and its friends aren't up to task.

• Find a way to get rid of ahash

License

``` Copyright (C) 2023 Aydin Mercan aydin@mercan.dev

This repository is licensed under the EUPL 1.2. The English version of the text is included in the LICENSE file. Please refer to https://joinup.ec.europa.eu/community/eupl/og_page/eupl for more information. ```