barycenter/README.md

# Barycenter

An OpenID Connect Identity Provider (IdP) implementing OAuth 2.0 Authorization Code flow with PKCE.

## Overview

Barycenter is a lightweight, standards-compliant OpenID Connect Identity Provider written in Rust. It implements the OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE), making it suitable for modern web and mobile applications.

## Features

- **OAuth 2.0 Authorization Code Flow** with PKCE (S256)
- **Dynamic Client Registration** - RFC 7591 compliant
- **Token Endpoint** - Multiple authentication methods (client_secret_basic, client_secret_post)
- **ID Token Signing** - RS256 with proper at_hash and nonce support
- **UserInfo Endpoint** - Bearer token authentication
- **Discovery** - OpenID Connect Discovery and JWKS publication
- **Property Storage** - Simple key-value storage for user properties

## Technology Stack

- **Language**: Rust
- **Web Framework**: [axum](https://github.com/tokio-rs/axum)
- **Database**: SQLite via [SeaORM](https://www.sea-ql.org/SeaORM/)
- **Cryptography**: [josekit](https://github.com/hidekatsu-izuno/josekit-rs) for JOSE/JWT operations
- **Configuration**: [config-rs](https://github.com/mehcode/config-rs) with TOML support

## Quick Start

### Prerequisites

- Rust 1.70 or later
- SQLite 3

### Installation

```bash
# Clone the repository
git clone https://github.com/CloudNebulaProject/barycenter.git
cd barycenter

# Build the project
cargo build --release
```

### Configuration

Create a `config.toml` file (see `config.toml` for example):

```toml
[server]
host = "127.0.0.1"
port = 8080
public_base_url = "http://localhost:8080"

[database]
connection_string = "sqlite://barycenter.db?mode=rwc"

[keys]
jwks_path = "data/jwks.json"
private_key_path = "data/private_key.pem"
signing_algorithm = "RS256"
```

### Running

```bash
# Run with default config
cargo run

# Run with custom config
cargo run -- --config path/to/config.toml

# Run with debug logging
RUST_LOG=debug cargo run
```

## Development

### Building

```bash
# Debug build
cargo build

# Release build
cargo build --release

# Check without building
cargo check
```

### Testing

**This project uses [cargo-nextest](https://nexte.st/) for running tests.**

```bash
# Install nextest (one-time setup)
cargo install cargo-nextest

# Run all tests
cargo nextest run

# Run tests with logging
RUST_LOG=debug cargo nextest run
```

### Logging

Set the `RUST_LOG` environment variable to control logging levels:

```bash
# Debug level for all modules
RUST_LOG=debug cargo run

# Trace level for barycenter only
RUST_LOG=barycenter=trace cargo run
```

## API Endpoints

### Discovery
- `GET /.well-known/openid-configuration` - OpenID Provider metadata
- `GET /.well-known/jwks.json` - Public signing keys

### OAuth/OIDC
- `GET /authorize` - Authorization endpoint
- `POST /token` - Token endpoint
- `GET /userinfo` - UserInfo endpoint
- `POST /connect/register` - Dynamic client registration

### Properties (Non-standard)
- `GET /properties/:owner/:key` - Get property value
- `PUT /properties/:owner/:key` - Set property value

## Project Status

This is an early-stage implementation. See `docs/next-iteration-plan.md` for planned features and `docs/oidc-conformance.md` for OpenID Connect compliance details.

**Currently Implemented:**
- Authorization Code flow with PKCE (S256)
- Dynamic client registration
- Token issuance and validation
- ID Token generation with RS256 signing
- UserInfo endpoint

**Pending Implementation:**
- User authentication and session management
- Consent flow
- Refresh tokens
- Token revocation and introspection
- OpenID Federation support

## Deployment

Barycenter supports multiple deployment platforms:

- **Docker**: Pre-built images available at `ghcr.io/[owner]/barycenter`
- **Kubernetes**: Helm chart with Ingress and Gateway API support
- **Linux**: systemd service with security hardening
- **FreeBSD**: rc.d init script
- **illumos/Solaris**: SMF manifest

See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed installation instructions for each platform.

### Quick Start with Docker

```bash
docker pull ghcr.io/[owner]/barycenter:latest
docker run -p 8080:8080 -v barycenter-data:/app/data ghcr.io/[owner]/barycenter:latest
```

### Quick Start with Helm

```bash
helm install barycenter ./deploy/helm/barycenter \
  --namespace barycenter \
  --create-namespace
```

## Releases

For maintainers: see [RELEASE.md](RELEASE.md) for the release process.

To create a new release:
```bash
cargo install cargo-release
cargo release minor --execute  # Bumps version and creates release
```

## Contributing

Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, development workflow, and the process for submitting pull requests.

## License

[Add your license here]

## Acknowledgments

Built with support from the OpenID Connect and OAuth 2.0 communities.
docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00			`# Barycenter`

			`An OpenID Connect Identity Provider (IdP) implementing OAuth 2.0 Authorization Code flow with PKCE.`

			`## Overview`

			`Barycenter is a lightweight, standards-compliant OpenID Connect Identity Provider written in Rust. It implements the OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE), making it suitable for modern web and mobile applications.`

			`## Features`

			`- OAuth 2.0 Authorization Code Flow with PKCE (S256)`
			`- Dynamic Client Registration - RFC 7591 compliant`
			`- Token Endpoint - Multiple authentication methods (client_secret_basic, client_secret_post)`
			`- ID Token Signing - RS256 with proper at_hash and nonce support`
			`- UserInfo Endpoint - Bearer token authentication`
			`- Discovery - OpenID Connect Discovery and JWKS publication`
			`- Property Storage - Simple key-value storage for user properties`

			`## Technology Stack`

			`- Language: Rust`
			`- Web Framework: [axum](https://github.com/tokio-rs/axum)`
			`- Database: SQLite via [SeaORM](https://www.sea-ql.org/SeaORM/)`
			`- Cryptography: [josekit](https://github.com/hidekatsu-izuno/josekit-rs) for JOSE/JWT operations`
			`- Configuration: [config-rs](https://github.com/mehcode/config-rs) with TOML support`

			`## Quick Start`

			`### Prerequisites`

			`- Rust 1.70 or later`
			`- SQLite 3`

			`### Installation`

			```bash
			`# Clone the repository`
			`git clone https://github.com/CloudNebulaProject/barycenter.git`
			`cd barycenter`

			`# Build the project`
			`cargo build --release`
			```

			`### Configuration`

			Create a `config.toml` file (see `config.toml` for example):

			```toml
			`[server]`
			`host = "127.0.0.1"`
			`port = 8080`
			`public_base_url = "http://localhost:8080"`

			`[database]`
refactor: update crabidp references to barycenter and add Gateway API support Replace all remaining references to "crabidp" with "barycenter" across: - Source code (error diagnostics, CLI name, comments) - Configuration files and defaults - Environment variable prefixes (CRABIDP__ → BARYCENTER__) - Documentation (CLAUDE.md, README.md, DEPLOYMENT.md) - Deployment configurations (Docker Compose, Helm, systemd, FreeBSD, illumos) - Database filenames (crabidp.db → barycenter.db) Add Kubernetes Gateway API support to Helm chart: - New HTTPRoute template for Gateway API - Configurable parentRefs, hostnames, filters, and weights - Support for advanced traffic management features - Gateway API as modern alternative to traditional Ingress - Documentation and examples in DEPLOYMENT.md Benefits of Gateway API: - More expressive and extensible routing - Role-oriented design with separation of concerns - Better vendor portability - Advanced traffic management capabilities The Helm chart now supports both traditional Ingress and Gateway API, allowing users to choose based on their cluster capabilities and requirements. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:38:07 +01:00			`connection_string = "sqlite://barycenter.db?mode=rwc"`
docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00
			`[keys]`
			`jwks_path = "data/jwks.json"`
			`private_key_path = "data/private_key.pem"`
			`signing_algorithm = "RS256"`
			```

			`### Running`

			```bash
			`# Run with default config`
			`cargo run`

			`# Run with custom config`
			`cargo run -- --config path/to/config.toml`

			`# Run with debug logging`
			`RUST_LOG=debug cargo run`
			```

			`## Development`

			`### Building`

			```bash
			`# Debug build`
			`cargo build`

			`# Release build`
			`cargo build --release`

			`# Check without building`
			`cargo check`
			```

			`### Testing`

build(ci): switch to cargo nextest for testing Problem: - cargo test runs integration tests in parallel in the same process - This causes port conflicts when multiple tests try to start servers - CI tests were failing with "Server failed to start within timeout" Solution: - Switch to cargo-nextest which runs tests in separate processes - This provides better test isolation and prevents port conflicts Changes: - CI: Install and use cargo-nextest instead of cargo test - README.md: Document nextest usage with installation instructions - CONTRIBUTING.md: Add prominent note about using nextest - CLAUDE.md: Add critical reminder section about nextest requirement Why nextest: - Tests run in separate processes (no port conflicts) - Better test isolation and reliability - Cleaner output and better performance - Industry best practice for Rust integration testing 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 14:01:26 +01:00			`This project uses [cargo-nextest](https://nexte.st/) for running tests.`

docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00			```bash
build(ci): switch to cargo nextest for testing Problem: - cargo test runs integration tests in parallel in the same process - This causes port conflicts when multiple tests try to start servers - CI tests were failing with "Server failed to start within timeout" Solution: - Switch to cargo-nextest which runs tests in separate processes - This provides better test isolation and prevents port conflicts Changes: - CI: Install and use cargo-nextest instead of cargo test - README.md: Document nextest usage with installation instructions - CONTRIBUTING.md: Add prominent note about using nextest - CLAUDE.md: Add critical reminder section about nextest requirement Why nextest: - Tests run in separate processes (no port conflicts) - Better test isolation and reliability - Cleaner output and better performance - Industry best practice for Rust integration testing 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 14:01:26 +01:00			`# Install nextest (one-time setup)`
			`cargo install cargo-nextest`

docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00			`# Run all tests`
build(ci): switch to cargo nextest for testing Problem: - cargo test runs integration tests in parallel in the same process - This causes port conflicts when multiple tests try to start servers - CI tests were failing with "Server failed to start within timeout" Solution: - Switch to cargo-nextest which runs tests in separate processes - This provides better test isolation and prevents port conflicts Changes: - CI: Install and use cargo-nextest instead of cargo test - README.md: Document nextest usage with installation instructions - CONTRIBUTING.md: Add prominent note about using nextest - CLAUDE.md: Add critical reminder section about nextest requirement Why nextest: - Tests run in separate processes (no port conflicts) - Better test isolation and reliability - Cleaner output and better performance - Industry best practice for Rust integration testing 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 14:01:26 +01:00			`cargo nextest run`
docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00
			`# Run tests with logging`
build(ci): switch to cargo nextest for testing Problem: - cargo test runs integration tests in parallel in the same process - This causes port conflicts when multiple tests try to start servers - CI tests were failing with "Server failed to start within timeout" Solution: - Switch to cargo-nextest which runs tests in separate processes - This provides better test isolation and prevents port conflicts Changes: - CI: Install and use cargo-nextest instead of cargo test - README.md: Document nextest usage with installation instructions - CONTRIBUTING.md: Add prominent note about using nextest - CLAUDE.md: Add critical reminder section about nextest requirement Why nextest: - Tests run in separate processes (no port conflicts) - Better test isolation and reliability - Cleaner output and better performance - Industry best practice for Rust integration testing 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 14:01:26 +01:00			`RUST_LOG=debug cargo nextest run`
docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00			```

			`### Logging`

			Set the `RUST_LOG` environment variable to control logging levels:

			```bash
			`# Debug level for all modules`
			`RUST_LOG=debug cargo run`

			`# Trace level for barycenter only`
			`RUST_LOG=barycenter=trace cargo run`
			```

			`## API Endpoints`

			`### Discovery`
			- `GET /.well-known/openid-configuration` - OpenID Provider metadata
			- `GET /.well-known/jwks.json` - Public signing keys

			`### OAuth/OIDC`
			- `GET /authorize` - Authorization endpoint
			- `POST /token` - Token endpoint
			- `GET /userinfo` - UserInfo endpoint
			- `POST /connect/register` - Dynamic client registration

			`### Properties (Non-standard)`
			- `GET /properties/:owner/:key` - Get property value
			- `PUT /properties/:owner/:key` - Set property value

			`## Project Status`

			This is an early-stage implementation. See `docs/next-iteration-plan.md` for planned features and `docs/oidc-conformance.md` for OpenID Connect compliance details.

			`Currently Implemented:`
			`- Authorization Code flow with PKCE (S256)`
			`- Dynamic client registration`
			`- Token issuance and validation`
			`- ID Token generation with RS256 signing`
			`- UserInfo endpoint`

			`Pending Implementation:`
			`- User authentication and session management`
			`- Consent flow`
			`- Refresh tokens`
			`- Token revocation and introspection`
			`- OpenID Federation support`

ci: add automated release workflow with Docker image publishing Add comprehensive release automation: GitHub Actions Release Workflow: - Triggers on version tags (v..) - Builds multi-platform Docker images (amd64, arm64) - Publishes to GitHub Container Registry (ghcr.io) - Creates GitHub Releases with auto-generated changelogs - Generates build provenance attestations for supply chain security - Semantic versioning with tag variants (v1.0.0, 1.0, 1) cargo-release Configuration:* - Automated version bumping in Cargo.toml - Updates CHANGELOG.md with version and date - Syncs Helm chart versions (Chart.yaml) - Creates git tags and commits - Pushes to remote automatically - Enforces main branch releases Release Documentation: - RELEASE.md with complete release process guide - CHANGELOG.md following Keep a Changelog format - Updated README.md with deployment and release sections - Instructions for patch, minor, and major releases - Dry-run support for testing - Hotfix and rollback procedures Usage: To create a release, simply run: cargo install cargo-release cargo release minor --execute This will: 1. Bump version in all relevant files 2. Update changelog 3. Create git tag 4. Trigger Docker image build and publish 5. Create GitHub Release with notes Docker images will be available at: ghcr.io/[owner]/barycenter:v1.0.0 ghcr.io/[owner]/barycenter:1.0 ghcr.io/[owner]/barycenter:1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:49:52 +01:00			`## Deployment`

			`Barycenter supports multiple deployment platforms:`

			- Docker: Pre-built images available at `ghcr.io/[owner]/barycenter`
			`- Kubernetes: Helm chart with Ingress and Gateway API support`
			`- Linux: systemd service with security hardening`
			`- FreeBSD: rc.d init script`
			`- illumos/Solaris: SMF manifest`

			`See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed installation instructions for each platform.`

			`### Quick Start with Docker`

			```bash
			`docker pull ghcr.io/[owner]/barycenter:latest`
			`docker run -p 8080:8080 -v barycenter-data:/app/data ghcr.io/[owner]/barycenter:latest`
			```

			`### Quick Start with Helm`

			```bash
			`helm install barycenter ./deploy/helm/barycenter \`
			`--namespace barycenter \`
			`--create-namespace`
			```

			`## Releases`

			`For maintainers: see [RELEASE.md](RELEASE.md) for the release process.`

			`To create a new release:`
			```bash
			`cargo install cargo-release`
			`cargo release minor --execute # Bumps version and creates release`
			```

docs: add README and contributing guidelines Add comprehensive project documentation including: - README.md with project overview, features, and quick start guide - CONTRIBUTING.md with Conventional Commits and Gitflow workflow The contributing guide establishes development standards: - Gitflow branching model (main, develop, feature/, release/, hotfix/*) - Conventional Commits specification for commit messages - Pull request process and code style guidelines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 12:21:58 +01:00			`## Contributing`

			`Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, development workflow, and the process for submitting pull requests.`

			`## License`

			`[Add your license here]`

			`## Acknowledgments`

			`Built with support from the OpenID Connect and OAuth 2.0 communities.`