mirror of
https://git.nolog.cz/NoLog.cz/anon.git
synced 2025-01-31 13:13:35 +01:00
# ^NON \[anon\]

Extremely rudimentary OIDC provider. Users hold account codes from which
their identities are derived on demand.

Each identity is separate per service, but all of them can be accessed from a
single account code. ^NON keeps no database of users, so nobody can correlate
user information across services.
## Installation

1. Build the binary with `cargo`.

2. Fill out `config.yml.sample`. The server expects a file called
   `config.yml` in its working directory.

3. Generate the keypair for signing JWT tokens with:

   ```bash
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 | \
   openssl pkcs8 -topk8 -nocrypt -outform der > rsa-key.pk8
   ```

4. Enjoy :)

Alternatively you can use the pre-built docker image:

```
git.nolog.cz/nolog.cz/anon:latest
```
## Deployment notes

When deploying, you should be aware of the potential of a birthday attack on
the system. For `v1` of the account code, we should expect a collision after
about `2^36` unique accounts, which means that, without rate-limiting, there is
the potential to brute-force an account or to accidentally log into someone
else's account. You should consider the number of users the system will serve,
and set up a rate-limiter accordingly.

Improbable things happen all the time, so better safe than sorry :)
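As an added example that is not part of the ^NON project, the following Rust program (standard library only) puts numbers on the paragraph above: the probability that two honest users end up with colliding codes, the number of blind guesses it takes to land on *some* existing account, and, turning that around, the highest accepted-attempt rate that keeps the hit probability under a chosen bound over a chosen time horizon. The birthday bound puts the expected first collision near the square root of the identifier space, so the README's `2^36` figure is consistent with an effective space of about `2^72` values; that 72-bit figure is an inference from the README's number and is used here as an assumption, not as a description of the actual `v1` account-code format.

```rust
// Added example (not project code): birthday-bound arithmetic for a space of
// 2^bits uniformly distributed account identities. `bits = 72` below is an
// assumption derived from the README's "collision after about 2^36 accounts".

/// Probability that at least one pair among `users` random codes collides.
/// Standard approximation 1 - exp(-k^2 / 2N), accurate while k is far below N.
pub fn collision_probability(users: f64, bits: u32) -> f64 {
    let n = 2f64.powi(bits as i32);
    1.0 - (-(users * users) / (2.0 * n)).exp()
}

/// Expected number of accounts created before the first collision: sqrt(pi*N/2).
pub fn expected_first_collision(bits: u32) -> f64 {
    let n = 2f64.powi(bits as i32);
    (std::f64::consts::PI * n / 2.0).sqrt()
}

/// Expected number of uniformly random login attempts until one of them lands
/// on an existing account: each attempt succeeds with probability users/N.
pub fn expected_guesses_to_hit_any(users: f64, bits: u32) -> f64 {
    let n = 2f64.powi(bits as i32);
    n / users
}

/// Days until the expected hit when the service accepts `attempts_per_sec`
/// unauthenticated attempts per second without limiting them.
pub fn days_to_expected_hit(users: f64, bits: u32, attempts_per_sec: f64) -> f64 {
    expected_guesses_to_hit_any(users, bits) / attempts_per_sec / 86_400.0
}

/// Rate-limiter sizing: the largest global attempt rate (per second) such that
/// the probability of any random attempt hitting a real account over
/// `horizon_secs` stays below `target_prob`. Uses the linear bound
/// P ≈ attempts * users / N, valid while that product is far below 1.
pub fn max_attempt_rate(users: f64, bits: u32, horizon_secs: f64, target_prob: f64) -> f64 {
    let n = 2f64.powi(bits as i32);
    target_prob * n / (users * horizon_secs)
}

fn main() {
    let bits = 72; // assumption inferred from the README's 2^36 figure
    println!(
        "expected first collision after about 2^{:.1} accounts",
        expected_first_collision(bits).log2()
    );
    let year = 365.0 * 86_400.0;
    for users in [1e3, 1e6, 1e9] {
        println!(
            "users={:e}: P(honest collision)={:.3e}, guesses to hit any={:.3e}, \
             days at 1000 attempts/s={:.3e}, max rate for P<1e-6/year={:.3e}/s",
            users,
            collision_probability(users, bits),
            expected_guesses_to_hit_any(users, bits),
            days_to_expected_hit(users, bits, 1000.0),
            max_attempt_rate(users, bits, year, 1e-6)
        );
    }
}
```

The point the table makes is the one the README hints at: the honest-collision risk depends only on how many accounts exist, but the brute-force risk scales with the number of users *times* the accepted attempt rate, so a rate limit that is generous for a thousand users is far too loose for a billion. `max_attempt_rate` is the number to compare against the limiter you configure; if you cannot get the global rate that low, per-source limits and alerting on sustained attempt volume are the remaining levers.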