SSO

sso,又名 S.S.Octopus,又名 octoboi,是一个确保内部服务安全的单点登录解决方案。「sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services」

Github stars Tracking Chart

sso

更多信息请见我们的 发布博文!

请参加 SSO 社区调查,让我们了解我们的工作情况,并帮助我们规划我们的路线图!

sso -- 被亲切地称为 S.S. Octopus 或 octoboi -- 是 BuzzFeed 开发的认证和授权系统,为访问我们员工使用的许多内部网络应用提供安全的单点登录体验。

它依赖于谷歌作为其权威的 OAuth2 provider,并根据特定的电子邮件域对用户进行认证。基于谷歌集团成员资格的进一步授权可以在每个上游的基础上要求。

sso 的主要思想是一个 "double OAuth2" 流程,其中 sso-auth 是 sso-proxy 的 OAuth2 提供者,Google 是 sso-auth 的 OAuth2 提供者。

sso 是建立在 Bitly 的开源 oauth2_proxy 之上的。

简而言之:

  • 如果用户访问一个受 sso-proxy 保护的服务(foo.sso.example.com)并且没有会话 cookie,他们会被重定向到 sso-auth(sso-auth.example.com)。
    • 如果用户没有 sso-auth 的会话 cookie,他们会被提示通过通常的 Google OAuth2 流程登录,然后被重定向到 sso-proxy,在那里他们现在将被登录(到foo.sso.example.com)。
    • 如果用户有 sso-auth 的会话 cookie(例如,他们已经登录到 bar.sso.example.com),他们会被透明地重定向到代理,在那里他们将被登录,而不需要通过谷歌 OAuth2 流程
    • sso-proxy 通过 sso-auth 透明地重新验证和刷新用户的会话

安装

快速启动

遵循我们的 快速入门指南,启动 sso 的本地部署,以感受它是如何工作的!

行为准则

帮助我们保持 sso 的开放性和包容性。请阅读并遵守我们的《行为准则》

贡献

我们欢迎对 sso 的贡献! 请遵循我们的 贡献指南

问题

请将你发现的任何问题提交到我们的 问题跟踪器

安全漏洞

如果你发现 sso repo 或软件有任何安全漏洞,请发邮件到 security@buzzfeed.com。在您的电子邮件中,请请求访问我们的 漏洞赏金计划,以便我们可以为报告的任何有效问题提供补偿。

维护者

sso 由 BuzzFeed 基础设施团队积极维护。

值得注意的分叉

pomerium 一个身份访问代理,灵感来自 BeyondCorp。

(The first version translated by vz on 2021.09.25)


Overview

Name With Ownerbuzzfeed/sso
Primary LanguageGo
Program languageDockerfile (Language Count: 5)
PlatformDocker, Linux
License:MIT License
Release Count6
Last Release Namev3.0.0 (Posted on )
First Release Namev1.0.0 (Posted on )
Created At2018-08-16 16:06:36
Pushed At2024-02-15 14:19:48
Last Commit At
Stargazers Count3.1k
Watchers Count52
Fork Count184
Commits Count331
Has Issues Enabled
Issues Count157
Issue Open Count70
Pull Requests Count144
Pull Requests Open Count19
Pull Requests Close Count26
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private

sso

See our launch blog post for more information!

CircleCI
MIT license
Docker Automated build
codecov.io

Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!


sso — lovingly known as the S.S. Octopus or octoboi — is the
authentication and authorization system BuzzFeed developed to provide a secure,
single sign-on experience for access to the many internal web apps used by our
employees.

It depends on Google as its authoritative OAuth2 provider, and authenticates
users against a specific email domain. Further authorization based on Google
Group membership can be required on a per-upstream basis.

The main idea behind sso is a "double OAuth2" flow, where sso-auth is the
OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.

sso is built on top of Bitly’s open source oauth2_proxy

In a nutshell:

  • If a user visits an sso-proxy-protected service (foo.sso.example.com) and does not have a session cookie, they are redirected to sso-auth (sso-auth.example.com).
    • If the user does not have a session cookie for sso-auth,
      they are prompted to log in via the usual Google OAuth2 flow, and then
      redirected back to sso-proxy where they will now be logged in (to
      foo.sso.example.com)
    • If the user does have a session cookie for sso-auth (e.g. they
      have already logged into bar.sso.example.com), they are
      transparently redirected back to proxy where they will be logged in,
      without needing to go through the Google OAuth2 flow
  • sso-proxy transparently re-validates & refreshes the user's session with sso-auth

Installation

Quickstart

Follow our Quickstart guide to spin up a local deployment
of sso to get a feel for how it works!

Code of Conduct

Help us keep sso open and inclusive. Please read and follow our Code of Conduct.

Contributing

Contributions to sso are welcome! Please follow our contribution guideline.

Issues

Please file any issues you find in our issue tracker.

Security Vulns

If you come across any security vulnerabilities with the sso repo or software, please email security@buzzfeed.com. In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.

Maintainers

sso is actively maintained by the BuzzFeed Infrastructure teams.

Notable forks

  • pomerium an identity-access proxy, inspired by BeyondCorp.
To the top