- cross-posted to:
- opensource@lemmy.ml
- cross-posted to:
- opensource@lemmy.ml
uSentry is a lightweight, self-hosted Identity and Access Management (IAM) and Single Sign-On (SSO) solution designed for homelab and small-scale environments.
⚡ A single PHP file. < 400 lines of code. No database. No background processes. No cloud. Just works. ⚡
Most IAM and SSO solutions require databases, certificates and background services baked into a dozen containers. This is all fine but also also overkill for homelabs and impossible for low-power ARM devices. uSentry is different, it isn’t pretty but it sucks less for a lot of use cases.
Enjoy!
You must log in or register to comment.
Fun little project but I think
auth_basicwould be perfectly fine instead.Hmm… some people are going to say that basic auth would be insecure, I’m not going to be there because in this particular case it’s about the same thing.
However, this might be easier to configure and manage permissions than basic auth. Also this works cross-domain and basic auth will require full re-auth for every domain. Another obvious advantage is that at some point I plan to integrate 2FA.
https://github.com/lldap/lldap
You also could go freeipa or Samba AD
I have been constantly asking myself why there isn’t something like this, and just wondering if maybe I was missing something about the seeming immense complexity of doing this on a small scale.
Now there is something like this.
I don’t love PHP, but I also don’t love having dozens of separate passwords, keys, certificates and other nonsense to keep track of like I’m doing now. I don’t mind using PHP to get around that if I can.
Well, it isn’t pretty, but gets the job done.
The thing with PHP in this case is that I was already serving a ton of simple websites / small apps like freshrss that use PHP and by making this tool in PHP it means I don’t need yet another process running and wasting resources, can just re-use the existing php-fpm for this.
For what’s worth PHP is better than it looks, and my implementation is very crude, but also small and auditable and contained to a single file. :)
I feel like committing secrets to a config file instead of .env is a terrible idea. Thats being said this is really useful I’m sure.
The entire point of
.envfiles are to separate secrets from code. Its specifically the usage for which they were created.Yes?
Are we misunderstanding each other?
I get the point, but don’t forget those “secrets” are bcrypt hashes. Not really reversible.
The issue isn’t that. The issue is its a config folder and a lot of people back their configs up to things like github.
I’m torn between this being fucking genius, and a terrible idea all at once.
EDIT: Requires
ngx_http_auth_request_module. * Caddy4lyfe. *I didn’t test, but should be possible with forward_auth (https://caddyserver.com/docs/caddyfile/directives/forward_auth)
Nice! I’ll give it a try.
If you manage to make it worth with Caddy can you share your config? I can add it to the readme or something. Thanks.
For sure. I’m likely gonna take a look at it this weekend.
Well, me too. But frankly OpenIAM (24GB of RAM as a requirement) Keycloak, Authelia do too much, require too much and aren’t suitable at all for SBCs and small scale stuff.
Edit: This is targeted at people that run nginx as a standalone server or proxy.
I respect it.
I love the simplicity of this, I really do, but I don’t consider this SSO. It may be if you’re a single user, but even then, many things I’m hosting have their own authentication layer and allow offloading only to some oidc-/oauth or ldap-provider.
