Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

Overview

Casdoor

Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

Online demo

Casdoor

Casdoor is the authentication server. It serves both the web UI and the login requests from the application users.

Global admin login:

  • Username: admin
  • Password: 123

Web application

Casbin-OA is one of our applications that use Casdoor as authentication.

Architecture

Casdoor contains 2 parts:

Name Description Language Source code
Frontend Web frontend UI for Casdoor Javascript + React https://github.com/casbin/casdoor/tree/master/web
Backend RESTful API backend for Casdoor Golang + Beego + MySQL https://github.com/casbin/casdoor

Installation

  • Get code via go get:

    go get github.com/casbin/casdoor

    or git clone:

    git clone https://github.com/casbin/casdoor

Run through Docker

Run (Dev Environment)

  • Run backend (in port 8000):

    go run main.go
  • Run frontend (in the same machine's port 7001):

    cd web
    ## npm
    npm install
    npm run start
    ## yarn
    yarn install
    yarn run start
  • Open browser:

    http://localhost:7001/

Run (Production Environment)

  • build static pages:

    cd web
    ## npm
    npm run build
    ## yarn
    yarn run build
    ## back to casdoor directory
    cd ..
    
  • build and run go code:

    go build
    ./casdoor
    

Now, Casdoor is running on port 8000. You can access Casdoor pages directly in your browser, or you can setup a reverse proxy to hold your domain name, SSL, etc.

Config

  • Setup database (MySQL):

    Casdoor will store its users, nodes and topics informations in a MySQL database named: casdoor, will create it if not existed. The DB connection string can be specified at: https://github.com/casbin/casdoor/blob/master/conf/app.conf

    db = mysql
    dataSourceName = root:[email protected](localhost:3306)/
    dbName = casdoor
  • Setup database (Postgres):

    Since we must choose a database when opening Postgres with xorm, you should prepare a database manually before running Casdoor. Let's assume that you have already prepared a database called casdoor, then you should specify app.conf like this:

    db = postgres
    dataSourceName = "user=postgres password=xxx sslmode=disable dbname="
    dbName = casdoor

    Please notice: You can add Postgres parameters in dataSourceName, but please make sure that dataSourceName ends with dbname=. Or database adapter may crash when you launch Casdoor.

    Casdoor uses XORM to connect to DB, so all DBs supported by XORM can also be used.

  • Github corner

    We added a Github icon in the upper right corner, linking to your Github repository address. You could set ShowGithubCorner to hidden it.

    Configuration (web/src/commo/Conf.js):

    export const ShowGithubCorner = true
    
    export const GithubRepo = "https://github.com/casbin/casdoor" //your github repository
Comments
  • Grafana Redirect URI error

    Grafana Redirect URI error

    Casdoor Grafana has configured the redirect url, but when logging in, casdoor reports that the url of localhost is not in the redirect list,after add localhost to the redirect url list, it will jump to localhost, change localhost to domain of grafana, it is working , the database record is right

    image

    invalid 
    opened by serialt 19
  • localhost dev mode can't access backend api because of cors

    localhost dev mode can't access backend api because of cors

    i follow the https://casdoor.org/docs/basic/server-installation for local dev .then i got this cors error. image image image

    my app.conf file content

    appname = casdoor
    httpport = 8000
    runmode = dev
    copyrequestbody = true
    driverName = mysql
    dataSourceName = root:[email protected](127.0.0.1:3306)/
    dbName = casdoor
    tableNamePrefix =
    showSql = true
    redisEndpoint =
    defaultStorageProvider = 
    isCloudIntranet = false
    authState = "casdoor"
    socks5Proxy = "127.0.0.1:10082"
    verificationCodeTimeout = 10
    initScore = 2000
    logPostOnly = false
    origin = "http://localhost:7001"
    staticBaseUrl = "https://cdn.casbin.org"
    isDemoMode = false
    batchSize = 100
    ldapServerPort = 389
    languages = en,zh,es,fr,de,ja,ko,ru
    quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
    
    question 
    opened by SealinGp 15
  • Retrieve password error: unknown authentication type (not password or provider)

    Retrieve password error: unknown authentication type (not password or provider)

    Hello, everyone!

    I am just a beginner with casdoor. I am trying to test a retrieve password, but received this error:

    unknown authentication type (not password or provider), form = {
    	"type": "login",
    	"organization": "org",
    	"username": "",
    	"password": "",
    	"name": "",
    	"email": "",
    	"phone": "",
    	"affiliation": "",
    	"idCard": "",
    	"region": "",
    	"application": "socbazar",
    	"provider": "",
    	"code": "38316",
    	"state": "",
    	"redirectUri": "",
    	"method": "",
    	"emailCode": "",
    	"phoneCode": "",
    	"phonePrefix": "7",
    	"autoSignin": false,
    	"relayState": "",
    	"samlResponse": ""
    }
    

    The username is found and the email substituted in the form field, but they are not sent to the server. Email provider is configured and working.

    What I am doing wrong?

    bug released 
    opened by Kalinin-Andrey 14
  • fix: some minor bugs and make Dockerfile more productive.

    fix: some minor bugs and make Dockerfile more productive.

    These are some very minor changes, so no demos are provided.

    Make Dockerfile more productive.

    • Build all-in-one image:
    docker build --target ALLINONE -t casbin/casdoor-all-in-one:latest .
    
    • Build standard image:
    docker build --target STANDARD -t casbin/casdoor:latest .
    

    Solve the problem that the PermissionList page jumped abnormally when clicking the permission name in the list.

    • Insert the owner into the url when jumping to the permissions details page.

    Fix incorrect SignupApplication field value in initBuiltInUser.

    • Wrong SignupApplication value causes exceptions in multiple functions for the first admin user, such as uploading avatars, user detail pages, etc.
    released 
    opened by atompi 13
  • The certs page is displayed incorrectly

    The certs page is displayed incorrectly

    The contents of the public key field are actually the contents of the certificate, not the public key.

    Consider changing the name of the field to "certificate" or the contents of the field to the public key.

    The Python SDK recently use the certificate to generate public key automaticly, but the PHP SDK still need to convert manually.

    enhancement 
    opened by epis2048 13
  • After updating the user, how to get a token with these updates?

    After updating the user, how to get a token with these updates?

    Hi all!

    I have a small question on using sdk (golang).

    After updating the user, how to get a token with these updates?

    Steps:

    1. Get token
    token, err := auth.GetOAuthToken(code, state)
    
    1. Parse JWT token
    jwtClaims, err := auth.ParseJwtToken(token.AccessToken)
    
    1. Change jwtClaims.User

    2. Update user

    ok, err := auth.UpdateUserForColumns(&jwtClaims.User, []string{"properties"})
    
    1. How to get AccessToken string (JWT token) with an updated user?
    question 
    opened by Kalinin-Andrey 13
  • Docker Compose | Environment variables as config

    Docker Compose | Environment variables as config

    Hello 👋

    I'm using casdoor v1.103.0 with docker compose, and I want to pass the environment variables from the docs to the container.

    Example:

    version: '3.9'
    
    services:
      casdoor:
        image: casbin/casdoor:${CASDOOR_IMAGE_VERSION}
        restart: 'no'
        entrypoint: /bin/sh -c './server --createDatabase=true'
        environment:
          RUNNING_IN_DOCKER: "true"
          APPNAME: ${CASDOOR_APP_NAME}
          HTTPPORT: ${CASDOOR_HTTP_PORT}
          RUNMODE: ${CASDOOR_RUN_MODE}
          SESSIONON: ${CASDOOR_SESSION_ON}
          COPYREQUESTBODY: ${CASDOOR_COPY_REQUEST_BODY}
          DRIVERNAME: ${DATABASE_HOST}
          DATASOURCENAME: ${DATABASE_USER}:${DATABASE_USER_PASSWORD}@tcp(${DATABASE_HOST}:${DATABASE_PORT})/
          DBNAME: ${DATABASE_NAME}
          TABLENAMEPREFIX: ${CASDOOR_TABLE_NAME_PREFIX}
          SHOWSQL: ${CASDOOR_SHOW_SQL}
          REDISENDPOINT: ${CASDOOR_REDIS_ENDPOINT}
          DEFAULTSTORAGEPROVIDER: ${CASDOOR_DEFAULT_STORAGE_PROVIDER}
          ISCLOUDINTRANET: ${CASDOOR_IS_CLOUD_INTRANET}
          AUTHSTATE: ${CASDOOR_AUTH_STATE}
          SOCKS5PROXY: ${CASDOOR_SOCKS5_PROXY}
          VERIFICATIONCODETIMEOUT: ${CASDOOR_VERIFICATION_CODE_TIMEOUT}
          INITSCORE: ${CASDOOR_INIT_SCORE}
          LOGPOSTONLY: ${CASDOOR_LOG_POST_ONLY}
          ORIGIN: ${CASDOOR_ORIGIN}
          STATICBASEURL: ${CASDOOR_STATIC_BASE_URL}
        depends_on:
          - mysql
    

    It is possible to make this feature?

    Thanks in advance.

    question 
    opened by ToshY 12
  • Sign in with open_oidc  front return blank in arm

    Sign in with open_oidc front return blank in arm

    in arm ,i use casdoor Administration is ok ,

    图片

    but i use open_oidc sign with my app ,the front is blank 图片

    and the log is

    2022/08/09 09:24:06.886 [D]  |   192.168.68.1| 200 |   1.252743ms| nomatch| GET      /login/oauth/authorize
    
    

    i use the gitea example, The result is the same

    Same parameter configuration in amd64 is ok 图片

    question 
    opened by WarlockFish 12
  • Develop a Casdoor plugin for APISIX

    Develop a Casdoor plugin for APISIX

    Here are two plugins can be used as references:

    1. KeyCloak: https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/
    2. Casbin: https://apisix.apache.org/docs/apisix/plugins/authz-casbin

    The new plugin auth-casdoor will be added by making PR to APISIX's repo like how it's done for authz-casbin: https://github.com/apache/apisix/pull/4710

    We can choose to make a casdoor-lua-sdk first or not, based on how the developer decide it.

    There is some existing work to connect APISIX with Casdoor via OIDC: https://github.com/casdoor/casdoor/issues?q=apisix , but plugin is a better and easier solution. So a plugin is also important as well.

    enhancement 
    opened by hsluoyz 12
  • Act as an OAuth 2.0 + OIDC server

    Act as an OAuth 2.0 + OIDC server

    Currently, Casdoor uses a home-made logging-in mechanism: https://github.com/casbin/casdoor/blob/master/controllers/account.go

    It's not standard and it's unsafe, the password is transmitted over the network.

    Finally, we will move to OAuth 2.0 + OIDC. It means that applications like Casbin OA (both JS client and Go backend) will talk to Casdoor via the OAuth 2.0 + OIDC protocols.

    We can use: https://github.com/go-oauth2/oauth2 to implement our OAuth 2.0 + OIDC server-side.

    The existing code:

    • Casdoor JS client SDK: https://github.com/casbin/casbin-oa/tree/master/web/src/auth (currently for agile development, we put the code inside Casbin-OA, so we don't need to publish to NPM then import it in dependency file. In future, when the API is stablized, we will separate the Casdoor JS client code into a new repo and release to NPM)
    • Casdoor Go SDK: not available yet, because currently Casbin-OA doesn't involve any server-side code to talk to Casdoor, only client does. This is NOT correct. So we will formulate a Go SDK in the Casbin-OA Go code.

    Some reference about this topic: https://github.com/casbin/casdoor/issues/10

    enhancement 
    opened by hsluoyz 12
  • OIDC endpoint is always https

    OIDC endpoint is always https

    • env: docker with image casdoor-all-in-one
    • OIDC Discovery shows that issuer and other endpoints are start with https not http, not config any tls for this environment and do not find any configuration to change https to http.
    • when use OIDC, it always redirect to https, and it's not work.(http works perfectly)
    invalid 
    opened by fukco 11
  • docker-compose beego error

    docker-compose beego error

    I try to run casdoor with Makefile and tried also with docker-compose and get always same error:

    casdoor-casdoor-1 exited with code 2 casdoor-casdoor-1 | panic: prefix should has path casdoor-casdoor-1 | casdoor-casdoor-1 | goroutine 1 [running]: casdoor-casdoor-1 | github.com/beego/beego.(*Tree).addtree(0x0, {0x2b42ae0, 0x174ef40, 0xc000a0e4e8}, 0x1, {0x0, 0x0, 0xc000a0e018}, {0x0, 0x0}) casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/tree.go:58 +0x1185 casdoor-casdoor-1 | github.com/beego/beego.(*Tree).AddTree(0x174ef40, {0x0, 0xc000040430}, 0x3) casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/tree.go:53 +0x54 casdoor-casdoor-1 | github.com/beego/beego.(*Namespace).Namespace(0xc0000ae828, {0xc00035b278, 0x1, 0x1}) casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:212 +0x205 casdoor-casdoor-1 | github.com/beego/beego.NSNamespace.func1(0x30) casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:387 +0x5a casdoor-casdoor-1 | github.com/beego/beego.NewNamespace({0x19eb591, 0x1}, {0xc00035bce0, 0x2, 0x1}) casdoor-casdoor-1 | /go/src/casdoor/vendor/github.com/beego/beego/namespace.go:42 +0x104 casdoor-casdoor-1 | github.com/casdoor/casdoor/routers.initAPI() casdoor-casdoor-1 | /go/src/casdoor/routers/router.go:33 +0x1a7 casdoor-casdoor-1 | github.com/casdoor/casdoor/routers.init.1() casdoor-casdoor-1 | /go/src/casdoor/routers/router.go:29 +0x17

    bug 
    opened by stefanwuthrich 8
  • feat: destroy session after delete user

    feat: destroy session after delete user

    close: #1141

    1. For delete the specified user's session, we need to maintain a table that store the userId and all the sessionIds. When deleting the user by admin, Casdoor can get the sessionId by userId then destroy the session to implement the function.
    2. Other effect, further study about single logout. For example, if we want to implement multiple device log out in the same time. We also need to maintain a table to store all sessionIds about this user. When user logout, we can get all sessionId of the user by query the table. Then destroy sessions to logout in multiple device.
    opened by leo220yuyaodog 2
  • After registration, remind that the binding function is abnormal

    After registration, remind that the binding function is abnormal

    In the registry, check the phone number needs to be registered after the alert binding, in actual use, Oauth registration and direct registration, did not achieve this function, registration completed directly into the home page

    image bug 
    opened by 1307super 1
  • Add all remaining Goth providers to Casdoor OAuth login

    Add all remaining Goth providers to Casdoor OAuth login

    Should add all providers here: https://github.com/markbates/goth#supported-providers to Casdoor

    Similar as one provider (Line): https://github.com/casdoor/casdoor/pull/1413

    enhancement 
    opened by hsluoyz 1
Releases(v1.205.0)
Owner
Casbin
Casbin authorization library and the official middlewares
Casbin
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

sso See our launch blog post for more information! Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadma

BuzzFeed 3k Jan 5, 2023
Home-sso-service - Single-Sign On service with golang

home-sso-service This is Single-Sign On service Dependencies go version go1.15.6

Nguyen Lam 1 May 10, 2022
Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Paul Greenberg 697 Jan 8, 2023
Demonstration of sharing secret data between an OAuth/OIDC client and an Identity Providers web client.

OAuth / OIDC Cubbyhole Share secret data between client applications. This is mostly a demonstration of some of the work I've been evaluating at Storj

mya 3 Mar 21, 2022
A collection of authentication Go packages related to OIDC, JWKs and Distributed Claims.

cap (collection of authentication packages) provides a collection of related packages which enable support for OIDC, JWT Verification and Distributed Claims.

HashiCorp 341 Dec 7, 2022
A single sign-on solution based on go-oauth2 / oauth2 and gin-gonic/gin

A single sign-on solution based on go-oauth2 / oauth2 and gin-gonic/gin

yinhuanyi 1 Nov 17, 2021
The Single Sign-On Multi-Factor portal for web apps

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications

Authelia 15.2k Jan 8, 2023
Basic Single Sign-On with Go

Basic Single Sign-On (SSO) This is a basic project to implement SSO with Go. List Structure Configuration Database Implement Register Request Check Us

Milad Poshtdari 0 Nov 5, 2021
BK-IAM is a centralized permission management service provided by The Tencent BlueKing; based on ABAC

(English Documents Available) Overview 蓝鲸权限中心(BK-IAM)是蓝鲸智云提供的集中权限管理服务,支持基于蓝鲸开发框架的SaaS和企业第三方系统的权限控制接入,以及支持细粒度的权限管理。 架构设计 代码目录 Features 蓝鲸权限中心是基于 ABAC 强

腾讯蓝鲸 47 Nov 16, 2022
Server bridging Google's OAuth and service using Radius for authentication

Fringe Fringe is an easy workaround for Google Workplace users who need a Radius server to perform authentication on behalf of other services (e.g. 80

Pierre-Luc Simard 5 Mar 7, 2022
Example of a simple application which is powered by a third-party oAuth 2.0 server for it's authentication / authorization. Written in Golang.

go mod init github.com/bartmika/osin-thirdparty-example go get github.com/spf13/cobra go get github.com/openshift/osin go get github.com/openshift/osi

Bartlomiej Mika 0 Jan 4, 2022
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 34 Sep 29, 2022
Minting OIDC tokens from GitHub Actions for use with OpenFaaS

minty Experiment for minting OIDC tokens from GitHub Actions for use with OpenFaaS Why would you want this? Enable third-parties to deploy to your ope

Alex Ellis 9 Oct 31, 2021
Small library to make it easier to get a OIDC configuration

OIDC Discovery client This package covers two needs: Get the discovery document from some authority Get certificates from that authority Usage package

Martin Klingenberg 0 Nov 28, 2021
Jwtex - A serverless JWT exchanger and OIDC IdP

jwtex *This README is a work in progress jwtex is a serverless application that

Aidan Steele 28 Nov 17, 2022
A Go library for doing header-based OAuth over HTTP or HTTPS.

Installation goinstall github.com/alloy-d/goauth Usage import ( "github.com/alloy-d/goauth" "os" ) func someFuncThatDoesStuffWithOAuth() (er

Adam Lloyd 24 Sep 2, 2020
Authelia: an open-source authentication and authorization server providing two-factor authentication

Authelia is an open-source authentication and authorization server providing two

Streato 0 Jan 5, 2022
A simple passwordless authentication middleware that uses only email as the authentication provider

email auth A simple passwordless authentication middleware that uses only email as the authentication provider. Motivation I wanted to restrict access

Miroslav Šedivý 5 Jul 27, 2022
Authorization and authentication. Learning go by writing a simple authentication and authorization service.

Authorization and authentication. Learning go by writing a simple authentication and authorization service.

Dinesh Bhattarai 0 Aug 5, 2022