Anonymous OIDC provider
Latest commit: 2024-09-13 23:07:22 +02:00

Repository contents (path, last commit message, date):

  src                "update localisation"                 2024-07-07 22:29:29 +02:00
  static             "refactor, rethink, rewrite"          2024-06-01 22:44:32 +02:00
  .gitignore         "initial commit"                      2024-02-25 18:59:24 +01:00
  Cargo.lock         "use upstream tide-serve-dir-macro"   2024-09-13 23:07:22 +02:00
  Cargo.toml         "use upstream tide-serve-dir-macro"   2024-09-13 23:07:22 +02:00
  config.yml.sample  "correct config file in readme"       2024-06-01 23:06:41 +02:00
  LICENSE            "add NoLog to license"                2024-07-07 23:16:29 +02:00
  README.md          "correct config file in readme"       2024-06-01 23:06:41 +02:00

^NON [anon]

Extremely rudimentary OIDC provider. Users hold account codes from which their identities are derived on demand.

Each identity is separate for different services, but all of them are accessed with a single account code. ^NON does not keep a database of users, so nobody can correlate user information across services.

Installation

  1. Build the binary with cargo.

  2. Fill out config.yml.sample and save it as config.yml. The server expects a file called config.yml in its working directory.

  3. Generate the keypair for signing JWT tokens with:

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 | \
      openssl pkcs8 -topk8 -nocrypt -outform der > rsa-key.pk8

  4. Enjoy :)

Alternatively, you can use the pre-built Docker image:

git.nolog.cz/nolog.cz/anon:latest

Deployment notes

When deploying, you should be aware of the potential for a birthday attack on the system. For v1 of the account code, we should expect a collision after about 2^36 unique accounts, which means that, without rate limiting, there is the potential to brute-force an account or to accidentally log into someone else's account. Consider how many users the system will serve, and set up a rate limiter accordingly.

Improbable things happen all the time, so better safe than sorry :)
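As an added worked example (not code from the ^NON project), the birthday arithmetic behind these notes, which lets you size the rate limiter for your expected user count. It assumes the "about 2^36 accounts" figure is the birthday bound of a 72-bit v1 account code; that bit count is an assumption inferred from the README, not something it states.

```python
import math

# Assumption (not stated on the page): "collision after about 2^36 accounts"
# is the birthday bound sqrt(2^b) for a code with b = 72 bits of entropy.
# Adjust V1_CODE_BITS if the real code format differs.
V1_CODE_BITS = 72
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def collision_probability(code_bits: int, accounts: int) -> float:
    """P(two of `accounts` random codes collide) ~= 1 - exp(-n^2 / 2^(b+1))."""
    return 1.0 - math.exp(-(float(accounts) ** 2) / 2.0 ** (code_bits + 1))


def accounts_for_collision_probability(code_bits: int, p: float) -> float:
    """Invert the approximation: n ~= sqrt(2^(b+1) * ln(1 / (1 - p)))."""
    return math.sqrt(2.0 ** (code_bits + 1) * math.log(1.0 / (1.0 - p)))


def hit_probability(code_bits: int, existing_accounts: int, guesses: float) -> float:
    """P(some random code, typed or brute-forced, lands on a live account).

    Each guess hits with probability N / 2^b, so over g independent guesses
    P = 1 - (1 - N/2^b)^g ~= 1 - exp(-g * N / 2^b).
    """
    return 1.0 - math.exp(-guesses * existing_accounts / 2.0 ** code_bits)


def max_guess_rate(code_bits: int, existing_accounts: int,
                   horizon_years: float, max_hit_probability: float) -> float:
    """Largest sustained guess rate (per second, summed over all clients) that
    keeps the chance of any accidental or deliberate hit below
    `max_hit_probability` over `horizon_years`: the global budget a rate
    limiter in front of the login endpoint should enforce."""
    allowed = -math.log(1.0 - max_hit_probability) * 2.0 ** code_bits / existing_accounts
    return allowed / (horizon_years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    n = 2 ** 36
    print(f"P(collision) among 2^36 accounts: {collision_probability(V1_CODE_BITS, n):.3f}")
    print(f"accounts for a 50% collision chance: "
          f"{accounts_for_collision_probability(V1_CODE_BITS, 0.5):.3e}")
    users = 1_000_000  # constructed deployment size for illustration
    rate = max_guess_rate(V1_CODE_BITS, users, horizon_years=10, max_hit_probability=1e-6)
    print(f"global guess budget, 1M users, 10 years, 1e-6 risk: {rate:.1f} per second")
```

With a million accounts the global budget comes out at roughly 15 login attempts per second, so a per-client limit alone is not enough; the limiter also needs a global ceiling.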