Convert Figma logo to code with AI

buzzfeed logosso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

3,112
191
3,112
93
View on GitHub

Top Related Projects

authelia's avatar

authelia

24,840

The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™

oauth2-proxy's avatar

oauth2-proxy

11,694

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.

vouch's avatar

vouch-proxy

3,101

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

pomerium's avatar

pomerium

4,323

Pomerium is an identity and context-aware access proxy.

keycloak's avatar

keycloak

27,937

Open Source Identity and Access Management For Modern Applications and Services

Quick Overview

BuzzFeed/sso is an open-source Single Sign-On (SSO) solution designed for securing internal services. It provides a centralized authentication system that integrates with various identity providers and protects internal web applications behind a reverse proxy.

Pros

  • Supports multiple identity providers (Google, Okta, etc.)
  • Offers fine-grained access control through email domains and groups
  • Provides a secure way to access internal services without a VPN
  • Easy to deploy and integrate with existing infrastructure

Cons

  • Primarily designed for internal use, may not be suitable for public-facing applications
  • Limited documentation for advanced configurations
  • Requires additional setup and maintenance compared to managed SSO solutions
  • May have a learning curve for teams new to SSO implementation

Getting Started

To get started with BuzzFeed/sso, follow these steps:

  1. Clone the repository:

    git clone https://github.com/buzzfeed/sso.git

  2. Set up your configuration file (e.g., config.yml):

    proxy_root_domain: example.com
upstream_configs:
  - name: example
    domain: http://example.com
provider: google
client_id: your_google_client_id
client_secret: your_google_client_secret

  3. Build and run the SSO proxy:

    make proxy
./bin/sso-proxy -config config.yml

  4. Configure your web server to use SSO as a reverse proxy for your internal services.

For more detailed instructions and advanced configurations, refer to the project's documentation on GitHub.

Competitor Comparisons

authelia logo

authelia

24,840

The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™

Pros of Authelia

  • More comprehensive authentication features, including 2FA and TOTP support
  • Self-hosted solution with greater control over user data and privacy
  • Active development with frequent updates and community support

Cons of Authelia

  • More complex setup and configuration compared to SSO
  • Requires additional infrastructure and maintenance
  • May have a steeper learning curve for administrators

Code Comparison

Authelia configuration (YAML):

jwt_secret: a_very_important_secret
default_redirection_url: https://public.example.com
server:
  host: 0.0.0.0
  port: 9091

SSO configuration (YAML):

upstream_configs:
  - service: example
    default:
      from: example.com
      to: http://example.com

Both projects use YAML for configuration, but Authelia's configuration is more detailed due to its broader feature set. SSO focuses primarily on single sign-on functionality, while Authelia offers a wider range of authentication options and settings.

Authelia provides a more comprehensive authentication solution with advanced features, but requires more setup and maintenance. SSO offers a simpler, more focused approach to single sign-on, which may be preferable for organizations with straightforward authentication needs or limited resources for implementation and management.

oauth2-proxy logo

oauth2-proxy

11,694

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.

Pros of oauth2-proxy

  • Supports a wider range of OAuth providers out-of-the-box
  • Simpler setup and configuration process
  • More active community and frequent updates

Cons of oauth2-proxy

  • Less granular access control compared to SSO
  • Limited multi-factor authentication options
  • Fewer enterprise-specific features

Code Comparison

SSO configuration example:

upstreams:
  - id: example
    path: /example
    uri: http://example.com
    allowed_groups:
      - example-group

oauth2-proxy configuration example:

http_address="0.0.0.0:4180"
upstreams="http://example.com"
email_domains=["example.com"]
cookie_secret="cookie_secret"
client_id="client_id"
client_secret="client_secret"

Both projects serve as reverse proxies for authenticating users via OAuth/OpenID Connect. SSO offers more advanced features for enterprise environments, including granular access control and multi-factor authentication. oauth2-proxy provides a simpler setup and supports a broader range of OAuth providers, making it more suitable for smaller projects or those requiring quick implementation. SSO's configuration focuses on defining upstreams with specific access controls, while oauth2-proxy's configuration is more straightforward, emphasizing basic OAuth settings and upstream definitions.

vouch logo

vouch-proxy

3,101

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Pros of Vouch Proxy

  • More flexible authentication options, supporting multiple providers
  • Easier to set up and configure for simpler use cases
  • Active development and community support

Cons of Vouch Proxy

  • Less comprehensive feature set compared to SSO
  • May require additional configuration for complex scenarios
  • Smaller ecosystem and fewer integrations

Code Comparison

SSO (Go):

func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    switch r.URL.Path {
    case "/ping":
        p.servePing(w, r)
    case "/sign_in":
        p.serveSignIn(w, r)
    case "/sign_out":
        p.serveSignOut(w, r)
    default:
        p.serveProxy(w, r)
    }
}

Vouch Proxy (Go):

func (v *Vouch) ValidateRequestHandler(w http.ResponseWriter, r *http.Request) {
    if r.Method != http.MethodGet {
        http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
        return
    }

    // ... (validation logic)
}

Both projects are written in Go and provide similar core functionality for authentication and authorization. SSO offers a more comprehensive proxy solution, while Vouch Proxy focuses on flexible authentication with various providers. The code snippets show different approaches to handling HTTP requests, with SSO using a switch statement for routing and Vouch Proxy implementing specific handler functions.

pomerium logo

pomerium

4,323

Pomerium is an identity and context-aware access proxy.

Pros of Pomerium

  • More comprehensive identity-aware access proxy with additional features like authorization policies and service discovery
  • Active development with frequent updates and a growing community
  • Supports multiple identity providers and protocols out-of-the-box

Cons of Pomerium

  • More complex setup and configuration compared to SSO
  • Steeper learning curve for administrators and users
  • May be overkill for simpler use cases where SSO's lightweight approach is sufficient

Code Comparison

SSO configuration example:

proxy_root_domains:
  - example.com
upstreams:
  - name: example
    domain: http://example.com
    static_upstreams:
      - example.com:8080

Pomerium configuration example:

authenticate_service_url: https://authenticate.example.com
authorize_service_url: https://authorize.example.com
routes:
  - from: https://example.com
    to: http://internal-app.example.com
    policy:
      - allow:
          or:
            - email:
                is: user@example.com

Both projects aim to provide secure access to internal applications, but Pomerium offers more advanced features and flexibility at the cost of increased complexity. SSO is simpler to set up and use, making it suitable for straightforward use cases, while Pomerium is better suited for organizations with more complex access control requirements.

keycloak logo

keycloak

27,937

Open Source Identity and Access Management For Modern Applications and Services

Pros of Keycloak

  • More comprehensive identity and access management solution with built-in user management, role-based access control, and multi-factor authentication
  • Supports a wider range of protocols and standards, including OpenID Connect, SAML, and OAuth 2.0
  • Offers a user-friendly admin console for easier configuration and management

Cons of Keycloak

  • More complex setup and configuration process compared to SSO's simpler approach
  • Requires more resources to run and maintain due to its extensive feature set
  • May be overkill for organizations with simpler authentication needs

Code Comparison

SSO (Go):

func (p *Proxy) authenticate(w http.ResponseWriter, r *http.Request) (*sessions.SessionState, error) {
    session, err := p.sessionStore.Load(r)
    if err != nil {
        return nil, err
    }
    return session, nil
}

Keycloak (Java):

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    AuthenticationCallback callback = new AuthenticationCallback(req, resp, deployment);
    OIDCFilterSessionStore tokenStore = new OIDCFilterSessionStore(req, resp, deployment);
    tokenStore.checkCurrentToken();
}

Both repositories provide authentication solutions, but Keycloak offers a more feature-rich platform with broader protocol support, while SSO focuses on a simpler, lightweight approach to single sign-on.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

sso

See our launch blog post for more information!

CircleCI MIT license Docker Automated build codecov.io

Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!

sso — lovingly known as the S.S. Octopus or octoboi — is the authentication and authorization system BuzzFeed developed to provide a secure, single sign-on experience for access to the many internal web apps used by our employees.

It depends on Google as its authoritative OAuth2 provider, and authenticates users against a specific email domain. Further authorization based on Google Group membership can be required on a per-upstream basis.

The main idea behind sso is a "double OAuth2" flow, where sso-auth is the OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.

sso is built on top of Bitly’s open source oauth2_proxy

In a nutshell:

  • If a user visits an sso-proxy-protected service (foo.sso.example.com) and does not have a session cookie, they are redirected to sso-auth (sso-auth.example.com).
    • If the user does not have a session cookie for sso-auth, they are prompted to log in via the usual Google OAuth2 flow, and then redirected back to sso-proxy where they will now be logged in (to foo.sso.example.com)
    • If the user does have a session cookie for sso-auth (e.g. they have already logged into bar.sso.example.com), they are transparently redirected back to proxy where they will be logged in, without needing to go through the Google OAuth2 flow
  • sso-proxy transparently re-validates & refreshes the user's session with sso-auth

Installation

Quickstart

Follow our Quickstart guide to spin up a local deployment of sso to get a feel for how it works!

Code of Conduct

Help us keep sso open and inclusive. Please read and follow our Code of Conduct.

Contributing

Contributions to sso are welcome! Please follow our contribution guideline.

Issues

Please file any issues you find in our issue tracker.

Security Vulns

If you come across any security vulnerabilities with the sso repo or software, please email security@buzzfeed.com. In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.

Maintainers

sso is actively maintained by the BuzzFeed Infrastructure teams.

Notable forks

  • pomerium an identity-access proxy, inspired by BeyondCorp.