CAUTION:
There has not been any third party security audit for this project.
Use this software at your own risk!
INFO:
This project is currently pre v1.0, which means, even though it is not expected, breaking changes might come
with new versions.
Rauthy will be changed to an Apache 2.0 with the next release.
This will make the integration with other projects a lot easier.
Rauthy is an OpenID Connect (OIDC) Provider and Single Sign-On solution written in Rust.
Secure by default
It tries to be as secure as possible by default while still providing all the options needed to be compatible with
older systems. For instance, if you create a new OIDC client, it activates ed25519 as the default algorithm for
token signing and S256 PKCE flow. This will not work with old clients, which do not support it, but you can of course
deactivate this to your liking.
MFA and Passwordless Login
- Option: Password + Security Key (without User Verification):
Rauthy provides FIDO 2 / Webauthn login flows. If you once logged in on a new client with your username + password, you will get an encrypted cookie which will allow you to log in without a password from that moment on. You only need to have a FIDO compliant Passkey being registered for your account. - Option: Passkey-Only Accounts:
Since v0.16, Rauthy supports Passkey-Only-Accounts. You basically just provide your E-Mail address and log in with your FIDO 2 Passkey. Your account will not even have / need a password. This login flow is restricted though to only those passkeys, that can provide User Verification (UV) to always have at least 2FA security.
Fast and efficient
The main goal was to provide an SSO solution like Keycloak and others while using a way lower footprint
and being more efficient with resources. For instance, Rauthy can easily run a fully blown SSO provider on just a
Raspberry Pi. It makes extensive use of caching to be as fast as possible in cases where your database is further
away or just a bit slower, because it is maybe running on an SBC from an SD card. Most things are even cached
for several hours (config options will come in the future) and special care has been taken into account in case of cache
eviction and invalidation.
A Rauthy deployment with the embedded SQLite, filled caches and a small set of clients and users configured typically
only uses between 15 and 20 MB of memory! This is pretty awesome when comparing it to other existing solutions
out there. If a password from a login is hashed, the memory consumption will of course go up way higher than this
depending on your configured Argon2ID parameters, which you got fully under control. If you use it with an external
Postgres, the memory consumption of Rauthy itself will even be a bit lower, since it does not need to care about SQLite.
For achieving this speed and efficiency, some additional design tradeoffs werde made. For instance, some things you
configure statically via config file and not dynamically via UI, while most of them are configured once and then never
touched again.
Highly Available
Even though it makes extensive use of caching, you can run it in HA mode. It uses its own embedded distributed HA cache
called redhac, which cares about cache eviction on remote hosts.
You can choose between a SQLite for single instance deployments and a Postgres, if you need HA. MySQL support might
come in the future.
Nice UI
Unlike many other options, rauthy does have a nice Admin UI which can be used to basically do almost any operation you
might need to administrate the whole application and its users. Some Screenshots and further introduction will follow
in the future.
Client Branding
You have a simple way to create some kind of branding or stylized look for the Login page for each client.
The whole color theme can be changed and each client can have its own custom logo.
Additionally, if you modify the branding for the default rauthy client, it will not only change the look for the Login
page, but also for the Account and Admin page.
Events and Auditing
Since v0.17, Rauthy implements an Event-System. Events are generated in all kinds of scenarios. They can be sent via
E-Mail, Matrix or Slack, depending on the severity and the configured level. You will see them in the Admin UI in real
time, or you can subscribe to the events stream and externally handle them depending on your own business logic.
Brute-Force and basic DoS protection
Rauthy has brute force and basic DoS protection for the login endpoint. Your timeout will be artificially delayed after
enough invalid logins. It does auto-balacklist IP's that exceeded too many invalid logins, with automatic
expiry of the blacklisting. You can, if you like, manually blacklist certain IP's as well via the Admin UI.
Already in production
Rauthy is already being used in production, and it works with all typical OIDC clients (so far). It was just not an
open source project for quite some time.
Keycloak was a rough inspiration in certain places and if something is working with Keycloak, it does with rauthy too
(again, so far).
Since Rauthy is currently pre v1.0, it might be missing some nice to have features. Some of them will never be implemented (see below), while others might come or are even planned already.
Currently missing features:
Resident Keys / Discoverable Credentials
You can have a Passkey-Only account, as long as you provide your E-Mail address. But full support for resident keys
does not yet exist for two resons:
- Platform support is not fully there yet. For instance, my Android device always returns a UUID of all 0's when requesting the discoverable credential, which would of course not work. Android has just implemented support for CTAP2 in September 2023, and then it is not even complete yet. Currently, only Fingerprint does work and PIN / NFC is still not working. Resisdent Keys will be the next step afterwards.
- The dependencies I use for the Webauthn integration do have some support for resident keys in the current nightly versions, but not in stable yet. As soon as they push this support into their stable versions, I will start investigating this support with Rauthy as well.
OIDC Client
Rauthy will most probably have the option to be an OIDC Client itself as well. With this feature, you would be able
to do things like "Login with Github" to Rauthy and then use Rauthy for the extended management and features.
Either just take a look at the Rauthy Book, or start directly by taking a look at the application yourself with docker on your localhost:
docker run --rm -p 8080:8080 ghcr.io/sebadob/rauthy:0.17.0-lite