An OpenID Connect Identity Provider implementing OAuth 2.0 Authorization Code flow with PKCE - mirror
Latest commit: 8d835e240b by Till Wegmueller, 2026-02-14 18:16:36 +01:00
chore: Add book/build to gitignore
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Barycenter

An OpenID Connect Identity Provider (IdP) implementing OAuth 2.0 Authorization Code flow with PKCE.

Overview

Barycenter is a lightweight OpenID Connect Identity Provider written in Rust (see docs/oidc-conformance.md for the current conformance status). It implements the OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE, S256 only), which is the flow recommended for both confidential and public clients, so it suits web, mobile and single-page applications.

Features

  • OAuth 2.0 Authorization Code Flow with PKCE (S256)
  • Dynamic Client Registration - RFC 7591 compliant
  • Token Endpoint - Multiple authentication methods (client_secret_basic, client_secret_post)
  • ID Token Signing - RS256 with proper at_hash and nonce support
  • UserInfo Endpoint - Bearer token authentication
  • Discovery - OpenID Connect Discovery and JWKS publication
  • Property Storage - Simple key-value storage for user properties

Technology Stack

  • Language: Rust
  • Web Framework: axum
  • Database: SQLite via SeaORM
  • Cryptography: josekit for JOSE/JWT operations
  • Configuration: config-rs with TOML support

Quick Start

Prerequisites

  • Rust 1.70 or later
  • SQLite 3

Installation

# Clone the repository
git clone https://github.com/CloudNebulaProject/barycenter.git
cd barycenter

# Build the project
cargo build --release

Configuration

Create a config.toml file (the config.toml in the repository is a complete example). Two settings deserve care: public_base_url must be the URL at which clients actually reach the IdP, and since OpenID Connect requires the issuer to be an https URL, the http://localhost value below is for local testing only; private_key_path points at the RS256 key that signs every ID token, so the file should be readable only by the account the service runs as:

[server]
host = "127.0.0.1"
port = 8080
public_base_url = "http://localhost:8080"

[database]
connection_string = "sqlite://barycenter.db?mode=rwc"

[keys]
jwks_path = "data/jwks.json"
private_key_path = "data/private_key.pem"
signing_algorithm = "RS256"

Running

# Run with default config
cargo run

# Run with custom config
cargo run -- --config path/to/config.toml

# Run with debug logging
RUST_LOG=debug cargo run

Development

Building

# Debug build
cargo build

# Release build
cargo build --release

# Check without building
cargo check

Testing

This project uses cargo-nextest for running tests.

# Install nextest (one-time setup)
cargo install cargo-nextest

# Run all tests
cargo nextest run

# Run tests with logging
RUST_LOG=debug cargo nextest run

Logging

Set the RUST_LOG environment variable to control logging levels:

# Debug level for all modules
RUST_LOG=debug cargo run

# Trace level for barycenter only
RUST_LOG=barycenter=trace cargo run

API Endpoints

Discovery

  • GET /.well-known/openid-configuration - OpenID Provider metadata
  • GET /.well-known/jwks.json - Public signing keys
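Before a relying party uses anything in the discovery document, it should check that the document is internally consistent with the issuer it was fetched from. The following is an added example, not code from the Barycenter project, written against the two discovery URLs above and the sample public_base_url from the configuration section; it uses only the Python standard library, and the metadata document embedded in it is constructed for the example rather than captured from a running server.

```python
# Added example, not code from the Barycenter project: the checks a relying party
# should apply to the document returned by GET /.well-known/openid-configuration
# before using any URL in it. Standard library only; the metadata below is constructed.
import json
from urllib.parse import urlparse


def check_provider_metadata(metadata_json: str, configured_issuer: str) -> list:
    """Return the list of problems found (an empty list means the metadata is acceptable).
    configured_issuer is the issuer URL the client was configured with, i.e. the
    base from which /.well-known/openid-configuration was fetched."""
    md = json.loads(metadata_json)
    problems = []
    issuer = md.get("issuer", "")
    # OpenID Connect Discovery 4.3: the issuer value must equal the configured issuer
    # (a mismatch is the classic setup for issuer mix-up attacks).
    if issuer != configured_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match configured {configured_issuer!r}")
    parsed_issuer = urlparse(issuer)
    if parsed_issuer.scheme != "https" and parsed_issuer.hostname not in ("localhost", "127.0.0.1"):
        problems.append("issuer is not https")
    # Every endpoint that a code or a signing key flows through must be on the issuer's origin.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = md.get(key, "")
        if not endpoint:
            problems.append(f"{key} missing")
        elif urlparse(endpoint)[:2] != parsed_issuer[:2]:
            problems.append(f"{key} {endpoint!r} is not under the issuer origin")
    if "code" not in md.get("response_types_supported", []):
        problems.append("response_type=code not advertised")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    algs = md.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 not advertised for ID tokens")
    if "none" in algs:
        problems.append("alg 'none' advertised for ID tokens")
    return problems


# Constructed metadata in the shape the Discovery spec defines, using the endpoint
# paths listed in this README and the public_base_url from its configuration example.
SAMPLE_METADATA = json.dumps({
    "issuer": "http://localhost:8080",
    "authorization_endpoint": "http://localhost:8080/authorize",
    "token_endpoint": "http://localhost:8080/token",
    "userinfo_endpoint": "http://localhost:8080/userinfo",
    "jwks_uri": "http://localhost:8080/.well-known/jwks.json",
    "registration_endpoint": "http://localhost:8080/connect/register",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

if __name__ == "__main__":
    print(check_provider_metadata(SAMPLE_METADATA, "http://localhost:8080") or "metadata OK")
```

Run it against a live deployment by replacing SAMPLE_METADATA with the body fetched from the issuer's /.well-known/openid-configuration; a non-empty result means the client should refuse to proceed rather than log and continue.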

OAuth/OIDC

  • GET /authorize - Authorization endpoint
  • POST /token - Token endpoint
  • GET /userinfo - UserInfo endpoint
  • POST /connect/register - Dynamic client registration

Properties (Non-standard)

  • GET /properties/:owner/:key - Get property value
  • PUT /properties/:owner/:key - Set property value

These two endpoints are not part of OpenID Connect, and this README does not state how callers are authenticated or how a caller is matched to :owner, so check the handler in src before exposing them beyond a trusted network.
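The endpoints above are the provider side of the Authorization Code flow with PKCE; the following added example (not code from the Barycenter project) shows the relying-party side of that exchange against them: generating the S256 verifier/challenge pair, building the /authorize request with state and nonce, building the /token request with client_secret_basic and the verifier, and checking the ID token claims including at_hash. It uses only the Python standard library. The client ID, client secret, redirect URI and the sample ID token are constructed for the example; the ID token carries a bogus signature because RS256 verification against /.well-known/jwks.json needs a JOSE library and is deliberately left out.

```python
# Added example, not code from the Barycenter project: the client (relying party)
# side of the endpoints listed above, using only the Python standard library.
# Client credentials, redirect URI and the sample ID token are constructed for the example.
import base64
import hashlib
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

ISSUER = "http://localhost:8080"                 # the public_base_url from the config section
CLIENT_ID = "example-client"                     # assumed; normally returned by POST /connect/register
CLIENT_SECRET = "example-secret"                 # assumed
REDIRECT_URI = "http://localhost:3000/callback"  # assumed

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair() -> tuple:
    """Fresh verifier (32 random bytes -> 43 unreserved characters) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)

def authorize_url(challenge: str, state: str, nonce: str) -> str:
    """Step 1: the browser is sent to GET /authorize with the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,                 # CSRF binding, compared on the callback
        "nonce": nonce,                 # replay binding, compared in the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"

def token_request(code: str, verifier: str) -> tuple:
    """Step 2: POST /token using client_secret_basic plus the PKCE verifier.
    Returns (url, headers, form) for whatever HTTP client you use."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("ascii")).decode("ascii")
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return f"{ISSUER}/token", headers, form

def at_hash(access_token: str) -> str:
    """at_hash for RS256: base64url of the left-most 128 bits of SHA-256(access_token)."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])

def check_id_token_claims(id_token: str, expected_nonce: str, access_token: str,
                          now: Optional[float] = None) -> bool:
    """Step 3: claim checks from OpenID Connect Core section 3.1.3.7.
    The RS256 signature must additionally be verified against GET /.well-known/jwks.json
    with a JOSE library; the standard library cannot do that, so it is not done here."""
    def decode(part: str) -> dict:
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    header_b64, payload_b64, _signature = id_token.split(".")
    header, claims = decode(header_b64), decode(payload_b64)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    return (header.get("alg") == "RS256"            # refuse "none" and algorithm downgrades
            and claims.get("iss") == ISSUER
            and aud_ok
            and claims.get("exp", 0) > now
            and claims.get("nonce") == expected_nonce
            and claims.get("at_hash") == at_hash(access_token))

def sample_id_token(nonce: str, access_token: str, exp: int) -> str:
    """Constructed ID token with a bogus signature so the claim checks can run offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": exp,
              "iat": exp - 300, "nonce": nonce, "at_hash": at_hash(access_token)}
    encode = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{encode(header)}.{encode(claims)}.{b64url(b'not-a-real-signature')}"

if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(authorize_url(challenge, state, nonce))
    print(token_request("code-from-callback", verifier)[2])
    token = sample_id_token(nonce, "access-token-abc", int(time.time()) + 300)
    print(check_id_token_claims(token, nonce, "access-token-abc"))
```

The verifier and nonce must be stored server-side in the client's session between step 1 and steps 2 and 3; if they are kept anywhere the browser can rewrite them, the PKCE and replay protections evaporate. Against a real deployment, the claim checks must be preceded by signature verification with the key whose kid matches the token header, fetched from the jwks_uri in the discovery document.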

Project Status

This is an early-stage implementation. See docs/next-iteration-plan.md for planned features and docs/oidc-conformance.md for OpenID Connect compliance details.

Currently Implemented:

  • Authorization Code flow with PKCE (S256)
  • Dynamic client registration
  • Token issuance and validation
  • ID Token generation with RS256 signing
  • UserInfo endpoint

Pending Implementation:

  • User authentication and session management
  • Consent flow
  • Refresh tokens
  • Token revocation and introspection
  • OpenID Federation support

Deployment

Barycenter supports multiple deployment platforms:

  • Docker: Pre-built images available at ghcr.io/[owner]/barycenter
  • Kubernetes: Helm chart with Ingress and Gateway API support
  • Linux: systemd service with security hardening
  • FreeBSD: rc.d init script
  • illumos/Solaris: SMF manifest

See DEPLOYMENT.md for detailed installation instructions for each platform.

Quick Start with Docker

docker pull ghcr.io/[owner]/barycenter:latest
docker run -p 8080:8080 -v barycenter-data:/app/data ghcr.io/[owner]/barycenter:latest

Two things to check before running this outside a lab: the server inside the container has to listen on 0.0.0.0 rather than the 127.0.0.1 of the sample config, or the published port will never reach it; and -p 8080:8080 publishes on every host interface, so use -p 127.0.0.1:8080:8080 when the IdP should only be reachable through a local reverse proxy that terminates TLS.

Quick Start with Helm

helm install barycenter ./deploy/helm/barycenter \
  --namespace barycenter \
  --create-namespace

Releases

For maintainers: see RELEASE.md for the release process.

To create a new release:

cargo install cargo-release
cargo release minor --execute  # Bumps version and creates release

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, development workflow, and the process for submitting pull requests.

License

[Add your license here]

Acknowledgments

Built with support from the OpenID Connect and OAuth 2.0 communities.