Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

Overview

Casdoor

Online demo

Casdoor

Casdoor is the authentication server. It serves both the web UI and the login requests from the application users.

Global admin login:

  • Username: admin
  • Password: 123

Web application

Casbin-OA is one of our applications that uses Casdoor for authentication.

Architecture

Casdoor contains 2 parts:

Name | Description | Language | Source code
Frontend | Web frontend UI for Casdoor | JavaScript + React | https://github.com/casbin/casdoor/tree/master/web
Backend | RESTful API backend for Casdoor | Golang + Beego + MySQL | https://github.com/casbin/casdoor

Installation

  • Get code via go get:

    go get github.com/casbin/casdoor

    or git clone:

    git clone https://github.com/casbin/casdoor

Run through Docker

Run (Dev Environment)

  • Run backend (on port 8000):

    go run main.go
  • Run frontend (on port 7001 of the same machine):

    cd web
    ## npm
    npm install
    npm run start
    ## yarn
    yarn install
    yarn run start
  • Open browser:

    http://localhost:7001/

Run (Production Environment)

  • Build static pages:

    cd web
    ## npm
    npm run build
    ## yarn
    yarn run build
    ## back to casdoor directory
    cd ..
    
  • Build and run the Go code:

    go build
    ./casdoor
    

Casdoor is now running on port 8000. You can access Casdoor pages directly in your browser, or you can set up a reverse proxy to handle your domain name, SSL, etc.

Config

  • Setup database (MySQL):

    Casdoor stores its users, nodes and topics information in a MySQL database named casdoor, and creates the database if it does not exist. The DB connection string can be specified in: https://github.com/casbin/casdoor/blob/master/conf/app.conf

    db = mysql
    dataSourceName = root:<password>@tcp(localhost:3306)/
    dbName = casdoor
  • Setup database (Postgres):

    Since we must choose a database when opening Postgres with xorm, you should prepare a database manually before running Casdoor. Let's assume that you have already prepared a database called casdoor, then you should specify app.conf like this:

    db = postgres
    dataSourceName = "user=postgres password=xxx sslmode=disable dbname="
    dbName = casdoor

    Note: you can add Postgres parameters to dataSourceName, but make sure that dataSourceName ends with dbname=; otherwise the database adapter may crash when you launch Casdoor.

    Casdoor uses XORM to connect to DB, so all DBs supported by XORM can also be used.

  • GitHub corner

    We added a GitHub icon in the upper right corner, linking to your GitHub repository address. You can use ShowGithubCorner to hide it.

    Configuration (web/src/commo/Conf.js):

    export const ShowGithubCorner = true
    
    export const GithubRepo = "https://github.com/casbin/casdoor" //your github repository
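
The database settings in the Config section can be checked before Casdoor is launched. The Go program below is an added example, not code from the Casdoor project: it parses app.conf-style text and checks the Postgres rule stated above (dataSourceName must end with dbname=) and the matching MySQL form shown in the sample (ending with /). The function names parseAppConf and checkDBConf are hypothetical, and the sslmode=disable and root-login checks are this example's own additions.

```go
package main

import (
	"fmt"
	"strings"
)

// parseAppConf reads flat "key = value" lines as used in conf/app.conf.
func parseAppConf(text string) map[string]string {
	conf := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2) // split at the first "=" only
		if len(kv) != 2 {
			continue
		}
		conf[strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
	}
	return conf
}

// checkDBConf returns one finding per problem; an empty result means every check passed.
func checkDBConf(conf map[string]string) []string {
	var findings []string
	dsn := conf["dataSourceName"]
	switch conf["db"] {
	case "postgres":
		// Stated on the page: the DSN must end with "dbname=".
		if !strings.HasSuffix(dsn, "dbname=") {
			findings = append(findings, `postgres dataSourceName must end with "dbname="`)
		}
		// Added check: sslmode=disable turns TLS off for the database connection.
		if strings.Contains(" "+dsn+" ", " sslmode=disable ") {
			findings = append(findings, "sslmode=disable: database traffic is not encrypted")
		}
	case "mysql":
		// Assumption from the page's sample: dbName is appended to the DSN.
		if !strings.HasSuffix(dsn, "/") {
			findings = append(findings, `mysql dataSourceName should end with "/"`)
		}
		// Added check: a dedicated account limits what a leaked DSN exposes.
		if strings.HasPrefix(dsn, "root:") {
			findings = append(findings, "mysql connects as root; use a dedicated account")
		}
	}
	return findings
}

func main() {
	// Constructed sample: the Postgres snippet with the suffix rule broken.
	sample := "db = postgres\n" +
		"dataSourceName = \"user=postgres password=xxx dbname=casdoor sslmode=disable\"\n" +
		"dbName = casdoor\n"
	for _, f := range checkDBConf(parseAppConf(sample)) {
		fmt.Println("finding:", f)
	}
}
```
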
Issues
  • Retrieve password error: unknown authentication type (not password or provider)

    Hello, everyone!

    I am just a beginner with casdoor. I am trying to test retrieving a password, but received this error:

    unknown authentication type (not password or provider), form = {
    	"type": "login",
    	"organization": "org",
    	"username": "",
    	"password": "",
    	"name": "",
    	"email": "",
    	"phone": "",
    	"affiliation": "",
    	"idCard": "",
    	"region": "",
    	"application": "socbazar",
    	"provider": "",
    	"code": "38316",
    	"state": "",
    	"redirectUri": "",
    	"method": "",
    	"emailCode": "",
    	"phoneCode": "",
    	"phonePrefix": "7",
    	"autoSignin": false,
    	"relayState": "",
    	"samlResponse": ""
    }
    

    The username is found and the email is substituted in the form field, but they are not sent to the server. Email provider is configured and working.

    What am I doing wrong?

    bug released 
    opened by Kalinin-Andrey 14
  • After updating the user, how to get a token with these updates?

    Hi all!

    I have a small question on using sdk (golang).

    After updating the user, how to get a token with these updates?

    Steps:

    1. Get token

       token, err := auth.GetOAuthToken(code, state)

    2. Parse JWT token

       jwtClaims, err := auth.ParseJwtToken(token.AccessToken)

    3. Change jwtClaims.User

    4. Update user

       ok, err := auth.UpdateUserForColumns(&jwtClaims.User, []string{"properties"})

    5. How to get AccessToken string (JWT token) with an updated user?
    question 
    opened by Kalinin-Andrey 13
  • Act as an OAuth 2.0 + OIDC server

    Currently, Casdoor uses a home-made logging-in mechanism: https://github.com/casbin/casdoor/blob/master/controllers/account.go

    It's not standard and it's unsafe: the password is transmitted over the network.

    Finally, we will move to OAuth 2.0 + OIDC. It means that applications like Casbin OA (both JS client and Go backend) will talk to Casdoor via the OAuth 2.0 + OIDC protocols.

    We can use: https://github.com/go-oauth2/oauth2 to implement our OAuth 2.0 + OIDC server-side.

    The existing code:

    • Casdoor JS client SDK: https://github.com/casbin/casbin-oa/tree/master/web/src/auth (currently for agile development, we put the code inside Casbin-OA, so we don't need to publish to NPM then import it in dependency file. In future, when the API is stabilized, we will separate the Casdoor JS client code into a new repo and release to NPM)
    • Casdoor Go SDK: not available yet, because currently Casbin-OA doesn't involve any server-side code to talk to Casdoor, only client does. This is NOT correct. So we will formulate a Go SDK in the Casbin-OA Go code.

    Some reference about this topic: https://github.com/casbin/casdoor/issues/10

    enhancement 
    opened by hsluoyz 12
  • OIDC endpoint is always https

    • env: docker with image casdoor-all-in-one
    • OIDC Discovery shows that the issuer and other endpoints start with https, not http. I have not configured any TLS for this environment and cannot find any configuration to change https to http.
    • When using OIDC, it always redirects to https, and it does not work (http works perfectly).
    invalid 
    opened by fukco 11
  • feat: support LDAP

    Fix: https://github.com/casbin/casdoor/issues/139

    Sync users from LDAP server

    Deployed at: https://door.leviatan.cn

    Admin: admin Password: 123

    LDAP server deployed at: leviatan.cn:389 phpLDAPadmin deployed at: https://pla.leviatan.cn Admin: cn=admin,dc=leviatan,dc=cn Password: leviatanpasswd

    Signed-off-by: WindSpiritSR [email protected]

    opened by WindSpiritSR 11
  • feat: add implicit flow support

    1. add implicit flow support: access /login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=token&scope=openid+email+profile&state=1233 to get accesstoken and redirect to REDIRECT_URI/#token=ACCESS_TOKEN
    2. add id_token response_type support: access /login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=id_token&scope=openid+email+profile&state=1233 to get accesstoken and redirect to REDIRECT_URI/#id_token=ID_TOKEN

    Fix: https://github.com/casdoor/casdoor/issues/514

    Signed-off-by: Steve0x2a [email protected]

    released 
    opened by Steve0x2a 10
  • Prebuilt docker image from a registry

    As a server admin I would not like to build an application for myself but would like to consume a finished image. This would make it much easier to deploy the application.

    The most known registry I know is Docker Hub where it should be easy to integrate an automatic rebuild of the image on certain conditions. Also possible would be the Container Registry from GitHub.

    enhancement 
    opened by SchoolGuy 10
  • fix: improve i18n and add some translation

    Fix: #108

    Signed-off-by: turbodog [email protected]

    added(fixed) translations:

    code changes:

    • I found some blocks like "token:Application", but there is no "token" section in the en.json or zh.json files, so I edited them to be like "general:Application" and added their translations to the two .json files.
    • I merged all statements in the two .json files that include "code" into one section named "code".
    released 
    opened by turbodog03 10
  • Recommend that users of any organization be allowed to log in in the built-in application

    When attempting to log in to an account of another organization (like organization A) in the Built-in application, a message is displayed indicating that the account does not exist. However, in fact, after logging in to the account of Organization A through the application of Organization A, accessing the built-in application again will automatically log in to CasDoor system, and you can only modify your own account information.

    In fact, we want every user to be able to directly log into CasDoor and modify their personal information (like password). Rather than logging into a different system and then automatically logging into the CasDoor app.

    enhancement 
    opened by epis2048 9
  • Does it support Token Introspection api for resource server?

    Does it support a token introspection RESTful API for a resource server? I can't find related docs; searching found nothing.

    Does it support the token introspection endpoint used by an OAuth 2.0 Resource Server? I couldn't find any related documentation, and searching the repository for the keyword Introspection found nothing either. refer: https://oauth.net/2/token-introspection/

    enhancement released 
    opened by LeonDevLifeLog 9
  • Upgrade to Swagger UI 4.x for Casdoor API docs, and fix the Swagger tags

    Casdoor uses Beego, which helps automatically generate API docs at /swagger path (https://beego.me/docs/advantage/docs.md) like: https://door.casbin.com/swagger/

    Based on a user request: https://v2ex.com/t/803669#r_11042731 , we are still using Swagger UI 3.x and we need to upgrade to Swagger UI 4.x, which was just released several days ago. We need to find a way to upgrade it. I have raised an issue here: https://github.com/beego/bee/issues/809

    Meanwhile, we should also show correct tags in the Swagger UI page, like under "organization" tag will list all organization-related APIs. The following Beego code is used to control the swagger.json generating behavior. We should tune it to make it right. (see: https://github.com/beego/bee/issues/618)

    https://github.com/casbin/casdoor/blob/9e920181d20ada684b0c01c3a306ab55d3b6bbe6/routers/router.go#L32-L41

    Here's an example of Swagger UI 4.x: http://petstore.swagger.io/

    enhancement 
    opened by hsluoyz 9
  • Support desktop app OAuth login like JetBrains Toolbox

    JetBrains Toolbox: https://www.jetbrains.com/toolbox-app/

    It can redirect to a web browser for login; after the browser approves, the desktop app is successfully logged in.

    We can:

    1. Create a desktop SDK (e.g., C#, C++, QT, Electron, etc.) to support this flow
    2. Modify Casdoor server-side code to support it.
    enhancement 
    opened by nomeguy 1
  • Issue setting up Google provider

    Followed the instructions found here https://casdoor.org/docs/provider/oauth/google/

    When I try to login with the provider it seems to connect to google correctly but in the cabin app the login endpoint returns the following. I'm using the latest Docker image

    casdoor:pq: column "Google" of relation "user" does not exist
    Stack
    /usr/local/go/src/runtime/panic.go:1038
    /go/src/casdoor/object/user_util.go:85
    /go/src/casdoor/object/user.go:488
    /go/src/casdoor/controllers/auth.go:398
    /usr/local/go/src/reflect/value.go:543
    /usr/local/go/src/reflect/value.go:339
    /go/pkg/mod/github.com/astaxie/beego@v1.12.3/router.go:897
    /usr/local/go/src/net/http/server.go:2879
    /usr/local/go/src/net/http/server.go:1930
    /usr/local/go/src/runtime/asm_amd64.s:1581
    
    beego 1.12.3 (beego framework)
    golang version: go1.17.5
    
    question 
    opened by akeemphilbert 3
  • fix: before click the "Save & Exit" button , items has been saved

    fix: #738 At present, I just changed the permissions page. demo link: http://172.24.62.137:7001. My thoughts are as follows:

    1. On the list page, delete PermissionBackend.addPermission()
    2. Pass initialization parameters to edit page
    3. On the edit page, judge whether the return value is null in the getpermission()
    4. On the edit page, judge whether the mode is add or edit in the submitPermissionEdit(), to send different requests to the back end

    In this way, I tried the permissions page and the roles page, and they succeeded. But the Users page fails and displays that some parameters are missing.

    So, I want to know: is my way OK?

    opened by ziliangyu 2
  • Signup page not loading and Social Signup buttons now showing on the signup page

    • Using the casbin/casdoor:latest docker image, fresh install. When social providers are added to the application, the sign-in page is showing the social login options, but the signup page is not (please refer below screenshot)

    • Also when the "test signup page" button is clicked or the signup url of the application is pasted in the browser, it is redirecting to the casdoor home instead of showing the signup page

    • On the Signin page the signup link button is also taking to the casdoor home instead of the signup page of the application.

    All values are in their default, no special changes have been made. Wondering what is the issue and how to make the signup page load correctly.

    question 
    opened by KrishnaPG 8
Releases(v1.60.1)
Owner
Casbin
Casbin authorization library and the official middlewares
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

sso See our launch blog post for more information! Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadma

BuzzFeed 2.9k Jun 21, 2022
Home-sso-service - Single-Sign On service with golang

home-sso-service This is Single-Sign On service Dependencies go version go1.15.6

Nguyen Lam 1 May 10, 2022
Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Paul Greenberg 432 Jun 25, 2022
Demonstration of sharing secret data between an OAuth/OIDC client and an Identity Providers web client.

OAuth / OIDC Cubbyhole Share secret data between client applications. This is mostly a demonstration of some of the work I've been evaluating at Storj

mya 3 Mar 21, 2022
A collection of authentication Go packages related to OIDC, JWKs and Distributed Claims.

cap (collection of authentication packages) provides a collection of related packages which enable support for OIDC, JWT Verification and Distributed Claims.

HashiCorp 327 Jun 26, 2022
A single sign-on solution based on go-oauth2 / oauth2 and gin-gonic/gin

yinhuanyi 1 Nov 17, 2021
The Single Sign-On Multi-Factor portal for web apps

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications

Authelia 13.5k Jun 26, 2022
Basic Single Sign-On with Go

Basic Single Sign-On (SSO) This is a basic project to implement SSO with Go. List Structure Configuration Database Implement Register Request Check Us

Milad Poshtdari 0 Nov 5, 2021
BK-IAM is a centralized permission management service provided by The Tencent BlueKing; based on ABAC

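(English Documents Available) Overview BlueKing IAM (BK-IAM) is the centralized permission management service provided by Tencent BlueKing. It supports access-control integration for SaaS built on the BlueKing development framework and for enterprise third-party systems, as well as fine-grained permission management. Architecture Design Code Directory Features BlueKing IAM is based on ABAC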

腾讯蓝鲸 38 Jun 23, 2022
Server bridging Google's OAuth and service using Radius for authentication

Fringe Fringe is an easy workaround for Google Workplace users who need a Radius server to perform authentication on behalf of other services (e.g. 80

Pierre-Luc Simard 5 Mar 7, 2022
Example of a simple application which is powered by a third-party OAuth 2.0 server for its authentication / authorization. Written in Golang.

go mod init github.com/bartmika/osin-thirdparty-example go get github.com/spf13/cobra go get github.com/openshift/osin go get github.com/openshift/osi

Bartlomiej Mika 0 Jan 4, 2022
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 33 Jun 3, 2022
Minting OIDC tokens from GitHub Actions for use with OpenFaaS

minty Experiment for minting OIDC tokens from GitHub Actions for use with OpenFaaS Why would you want this? Enable third-parties to deploy to your ope

Alex Ellis 9 Oct 31, 2021
Small library to make it easier to get a OIDC configuration

OIDC Discovery client This package covers two needs: Get the discovery document from some authority Get certificates from that authority Usage package

Martin Klingenberg 0 Nov 28, 2021
Jwtex - A serverless JWT exchanger and OIDC IdP

jwtex *This README is a work in progress jwtex is a serverless application that

Aidan Steele 26 Jun 8, 2022
A Go library for doing header-based OAuth over HTTP or HTTPS.

Installation goinstall github.com/alloy-d/goauth Usage import ( "github.com/alloy-d/goauth" "os" ) func someFuncThatDoesStuffWithOAuth() (er

Adam Lloyd 24 Sep 2, 2020
Authelia: an open-source authentication and authorization server providing two-factor authentication

Authelia is an open-source authentication and authorization server providing two

Streato 0 Jan 5, 2022
A simple passwordless authentication middleware that uses only email as the authentication provider

email auth A simple passwordless authentication middleware that uses only email as the authentication provider. Motivation I wanted to restrict access

Miroslav Šedivý 4 Jan 31, 2022
Authorization and authentication. Learning go by writing a simple authentication and authorization service.

Dinesh Bhattarai 0 Jan 30, 2022