ethaxon/securitydept

SecurityDept

Standalone auth service and reusable Rust crates for OIDC + credential auth. Includes OIDC login, local basic/token entries with groups, and forward-auth endpoints for reverse proxies (Traefik, Nginx). File-based config and data, no database.


Status: v0.1.1 release-ready — Core flows are implemented across API, CLI, and Web UI. Docker image build and GHCR publish workflow are in place. See Roadmap for next milestones.

What it does

  • Login: External OIDC (authorization code, optional PKCE); optional claims-check script (JS in Boa).
  • Entries & groups: Basic auth and token auth entries, grouped by name; CRUD via REST API and CLI.
  • Forward-auth: GET /api/forwardauth/traefik/:group and /api/forwardauth/nginx/:group — validate Authorization against group entries; no session.
  • Config: TOML + env (Figment); single JSON data file for entries and groups.
  • Reusable crates: securitydept-core re-exports sub-crates with feature flags for aligned versions; securitydept-oidc and securitydept-creds can also be used directly.

Workspace Crates

  • securitydept-oidc: OIDC client, config model, claims check flow, pending OAuth store abstractions.
  • securitydept-creds: Basic/bearer parsing, Argon2/SHA-256 primitives, credential traits, validator traits/helpers.
  • securitydept-creds-manage: File-backed store + models for entries/groups, app-level auth helpers, session manager.
  • securitydept-utils: Shared URL/HTTP utility helpers.
  • securitydept-core: Aggregator crate that re-exports internal crates via features to keep downstream versions aligned.
  • securitydept-server: HTTP server (Axum) wiring all crates into APIs/forward-auth endpoints.
  • securitydept-cli: Local management CLI using the same store/config model.

Quick Start

Copy config.example.toml to config.toml and edit it.

wget https://raw.githubusercontent.com/ethaxon/securitydept/refs/heads/main/config.example.toml -O config.toml

Then create a docker-compose.yml (see below), and start it with docker compose up -d:

name: securitydept

services:
  securitydept-server:
    # build: .
    image: ghcr.io/ethaxon/securitydept:latest
    ports:
      - 7021:7021
    environment:
      - SECURITYDEPT_CONFIG=/app/config.toml
    volumes:
      - ./config.toml:/app/config.toml
      - ./data:/app/data
      # - ./claims-script-check.mts:/app/claims-script-check.mts # for custom claims check
      # - ./webui:/app/webui # for custom webui
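
An added example (not from the project's repository) of wiring the Traefik forward-auth endpoint listed under "What it does" into the compose file above. The group name `admins`, the `whoami` demo service, the hostname `app.example.test` and the Traefik image tag are assumptions.

```yaml
# Added example: Traefik in front of a demo service, with securitydept as the
# forward-auth backend. Assumed, not from the project: group "admins",
# the whoami service, host app.example.test, the Traefik image tag.
name: securitydept

services:
  traefik:
    image: traefik:v3.1
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Plain HTTP keeps the example short; Basic/token credentials travel in
      # the Authorization header, so a real deployment needs a TLS entrypoint.
      - --entrypoints.web.address=:80
    ports:
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  securitydept-server:
    image: ghcr.io/ethaxon/securitydept:latest
    ports:
      - 7021:7021            # as in the Quick Start file
    environment:
      - SECURITYDEPT_CONFIG=/app/config.toml
    volumes:
      - ./config.toml:/app/config.toml
      - ./data:/app/data

  whoami:
    image: traefik/whoami
    # No "ports:" here, so the protected service is reachable only via Traefik.
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`app.example.test`)
      - traefik.http.routers.whoami.entrypoints=web
      # Traefik sends each request to this address first and forwards it to
      # whoami only when the endpoint answers 2xx; otherwise the client gets
      # the auth server's response.
      - traefik.http.middlewares.sd-admins.forwardauth.address=http://securitydept-server:7021/api/forwardauth/traefik/admins
      - traefik.http.routers.whoami.middlewares=sd-admins
```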

For Developer

Stack: Rust (Axum, OpenID Connect, Figment, Snafu) · TypeScript + Vite + React (TanStack, Tailwind, shadcn/ui) · mise · just · pnpm · cargo

cp config.example.toml config.toml   # edit as needed
just dev-server              # dev server
just dev-webui               # dev webui

Docs

| Doc          | Content                                    |
|--------------|--------------------------------------------|
| Overview     | Goals, tech stack, index                   |
| Architecture | Layout, config/data model, request flow    |
| Features     | Implemented capabilities and code locations |
| Roadmap      | Done, gaps, suggested priorities           |

License

MIT
