OpenID Connect Identity Provider for Sign-In with Ethereum
Two versions are available: a stand-alone binary (using Axum and Redis) and a Cloudflare Worker. They share the same code base and are selected at compile time (targeting wasm32 will make the Worker version).
You will need
First, copy the configuration file template:
cp wrangler_example.toml wrangler.toml
Then replace the following fields:
- account_id: your Cloudflare account ID;
- zone_id: (optional) DNS zone ID;
- kv_namespaces: a KV namespace ID (created with wrangler kv:namespace create SIWE_OIDC); and
- the environment variables under
You will also need to add a secret RSA key in PEM format:
wrangler secret put RSA_PEM
At this point, you should be able to create/publish the worker:
The IdP currently only supports having the frontend under the same subdomain as the API. Here is the configuration for Cloudflare Pages:
- Build command: cd js/ui && npm install && npm run build
- Build output directory: /
You will also need to add some rules to route requests between the Page and the Worker. Here are the rules for the Worker (the Page is used as the fallback on the subdomain):
- siweoidc.example.com/s*
- siweoidc.example.com/u*
- siweoidc.example.com/r*
- siweoidc.example.com/a*
- siweoidc.example.com/t*
- siweoidc.example.com/j*
- siweoidc.example.com/c*
- siweoidc.example.com/.w*
Note that the published Docker image currently doesn't support all wallets, because the secrets for web3modal have to be bundled at compile time.
Redis, or a Redis compatible database (e.g. MemoryDB in AWS), is required.
Starting the IdP
The Docker image is available at ghcr.io/spruceid/siwe_oidc:0.1.0. Here is an example:
docker run -p 8000:8000 -e SIWEOIDC_REDIS_URL="redis://redis" ghcr.io/spruceid/siwe_oidc:latest
It can be configured either with the siwe-oidc.toml configuration file, or through environment variables:
- SIWEOIDC_ADDRESS is the IP address to bind to.
- SIWEOIDC_REDIS_URL is the URL of the Redis instance.
- SIWEOIDC_BASE_URL is the URL you want to advertise in the OIDC configuration (e.g.
- SIWEOIDC_RSA_PEM is the signing key, in PEM format. One will be generated if none is provided.
The current flow is very basic -- after the user is authenticated you will receive:
- an Ethereum address as the subject (
- an ENS domain as the preferred_username (with a fallback to the address).
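As an added example (not part of the siwe-oidc project), here is how a relying party can sanity-check the claims described above once the ID token's signature has already been verified against the IdP's JWKS. It assumes the standard OIDC claim names (iss, aud, exp, sub), that the issuer equals the advertised SIWEOIDC_BASE_URL, and that ENS names arrive as .eth names; the sample payloads are constructed.

```python
import re
import time

# Claim checks for an ID token issued by siwe-oidc, to run AFTER the JWT
# signature has been verified. Example code added here, not project code.

ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Assumption: ENS names delivered as preferred_username end in ".eth".
ENS_NAME = re.compile(r"^(?:[a-z0-9-]+\.)+eth$")


def validate_siwe_claims(claims, issuer, client_id, now=None):
    """Return (True, "ok") when the claims are consistent with a siwe-oidc
    login, else (False, reason). Identity decisions must key on `sub`,
    never on the human-readable preferred_username."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    sub = claims.get("sub", "")
    if not ETH_ADDRESS.match(sub):
        return False, "sub is not an Ethereum address"
    name = claims.get("preferred_username", "")
    # Fallback case: no ENS name, so preferred_username repeats the address.
    if name.lower() == sub.lower():
        return True, "ok"
    if not ENS_NAME.match(name.lower()):
        return False, "preferred_username is neither an ENS name nor the address"
    return True, "ok"


# Constructed sample payloads (not real tokens); issuer is a placeholder.
ISSUER = "https://siweoidc.example.com"
GOOD_ENS = {"iss": ISSUER, "aud": "my-client", "exp": 4102444800,
            "sub": "0x" + "ab" * 20, "preferred_username": "alice.eth"}
GOOD_FALLBACK = dict(GOOD_ENS, preferred_username="0x" + "AB" * 20)
BAD_SUB = dict(GOOD_ENS, sub="alice.eth")

if __name__ == "__main__":
    for payload in (GOOD_ENS, GOOD_FALLBACK, BAD_SUB):
        print(validate_siwe_claims(payload, ISSUER, "my-client"))
```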
For the core OIDC information, it is available under
OIDC Conformance Suite:
- 🟨 basic (25/29, and 10 skipped): profile scope partially supported; ACR, prompt=none and request URIs yet to be supported;
- 🟩 config;
- 🟧 dynamic code.
- Additional information, from native projects (e.g. ENS domains profile pictures), to more traditional ones (e.g. email).
You can now use http://127.0.0.1:8787/.well-known/openid-configuration.
At the moment it's not possible to use it end-to-end with the frontend as they need to share the same host (i.e. port), unless using a local load-balancer.
Stand Alone Binary
A Docker Compose is available to test the IdP locally with Keycloak.
- You will first need to run:
docker-compose -f test/docker-compose.yml up -d
And then edit your
127.0.0.1. This is so both your browser, and Keycloak, can access the IdP.
In Keycloak, you will need to create a new IdP. You can use http://siwe-oidc:8000/.well-known/openid-configuration to fill in the settings automatically. As for the client ID/secret, you can use
Our identity provider for Sign-In with Ethereum has not yet undergone a formal security audit. We welcome continued feedback on the usability, architecture, and security of this implementation.