- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
uSentry is a lightweight, self-hosted Identity and Access Management (IAM) and Single Sign-On (SSO) solution designed for homelab and small-scale environments.
⚡ A single PHP file. < 400 lines of code. No database. No background processes. No cloud. Just works. ⚡
Most IAM and SSO solutions require databases, certificates and background services baked into a dozen containers. This is all fine but also also overkill for homelabs and impossible for low-power ARM devices. uSentry is different, it isn’t pretty but it sucks less for a lot of use cases.
Enjoy!
You must log in or register to comment.
I love the simplicity of this, I really do, but I don’t consider this SSO. It may be if you’re a single user, but even then, many things I’m hosting have their own authentication layer and allow offloading only to some oidc-/oauth or ldap-provider.
In the simplest form it might be SSO. It does support multiple users and if you look for instance at the filebrowser it’s very possible to pass the username. But yes, this is very simple, very crude and exactly what a lot of people need.
Fun little project but I think
auth_basicwould be perfectly fine instead.Hmm… some people are going to say that basic auth would be insecure, I’m not going to be there because in this particular case it’s about the same thing.
However, this might be easier to configure and manage permissions than basic auth. Also this works cross-domain and basic auth will require full re-auth for every domain. Another obvious advantage is that at some point I plan to integrate 2FA.
https://github.com/lldap/lldap
You also could go freeipa or Samba AD
I have been constantly asking myself why there isn’t something like this, and just wondering if maybe I was missing something about the seeming immense complexity of doing this on a small scale.
Now there is something like this.
I don’t love PHP, but I also don’t love having dozens of separate passwords, keys, certificates and other nonsense to keep track of like I’m doing now. I don’t mind using PHP to get around that if I can.
Well, it isn’t pretty, but gets the job done.
The thing with PHP in this case is that I was already serving a ton of simple websites / small apps like freshrss that use PHP and by making this tool in PHP it means I don’t need yet another process running and wasting resources, can just re-use the existing php-fpm for this.
For what’s worth PHP is better than it looks, and my implementation is very crude, but also small and auditable and contained to a single file. :)
I’m torn between this being fucking genius, and a terrible idea all at once.
EDIT: Requires
ngx_http_auth_request_module. * Caddy4lyfe. *Well, me too. But frankly OpenIAM (24GB of RAM as a requirement) Keycloak, Authelia do too much, require too much and aren’t suitable at all for SBCs and small scale stuff.
Edit: This is targeted at people that run nginx as a standalone server or proxy.
I respect it.
I didn’t test, but should be possible with forward_auth (https://caddyserver.com/docs/caddyfile/directives/forward_auth)
Nice! I’ll give it a try.
If you manage to make it worth with Caddy can you share your config? I can add it to the readme or something. Thanks.
For sure. I’m likely gonna take a look at it this weekend.
I feel like committing secrets to a config file instead of .env is a terrible idea. Thats being said this is really useful I’m sure.
The entire point of
.envfiles are to separate secrets from code. Its specifically the usage for which they were created.Yes?
Are we misunderstanding each other?
We are. I read
I feel like committing secrets to a config file instead of .env is a terrible idea.asI feel like committing secrets to a .env is a terrible idea..Muh bad.
I get the point, but don’t forget those “secrets” are bcrypt hashes. Not really reversible.
The issue isn’t that. The issue is its a config folder and a lot of people back their configs up to things like github.
You can backup the entire file then. I get your point, but it also seems like you’re referring to some container-based approach where you would place this inside a container and then mount the config file to some path. While some people might like that approach, that kind of goes against the original idea here, I didn’t want to run yet another instance of nginx for auth, nor another php-fpm - the ideia was simply to use this on a low power device , no containers, no overhead of duplicate webservers and PHP, just a single nginx running a couple of apps on the same php-fpm alongside this.
