PalAuth is an authentication and IAM provider with support for OIDC. It's similar to Keycloak but aims to be simpler and easier to install/maintain.
Here are some features:
- Secure password authentication using argon2id
- (Relatively) easy set up process with a ready-made Dockerfile
- Support for TOTP and Webauthn based 2FA
- Support for passkeys (passwordless sign-in with Webauthn)
- RBAC IAM with a user-friendly dashboard and a REST HTTP API
- Sessions stored in Redis
- Uses MySQL with Prisma schemas for an easy development experience
- You need a MySQL database. You can set the database name and credentials to be whatever you'd like, as you will need to supply a full database URL to PalAuth.
- Make sure to run migrations for this database by running
bun run --cwd packages/backend db:migrate:prod
with thePAL_DB_STRING
environment variable specified. Currently, these have to be run manually; PalAuth will not run them for you, even if there are new migrations required.
- Make sure to run migrations for this database by running
- You need a Redis instance.
- You need a self-hosted friendly-lite-server.
- Clone this repository
- Run
bun install
- Run
bun run --cwd packages/webauthn-frontend build-prod
- Run
bun run --cwd packages/backend db:generate
- Run
bun run --cwd packages/backend build
- Configure (see below)
- Run
bun run --cwd packages/backend prod
- Clone this repository
- Build the Docker image using the Dockerfile
- Configure the environment variables
- Run!
PalAuth is available as ghcr.io/palkerecsenyi/palauth
. For now, this only has one tag latest
, with images available for linux/amd64
and linux/arm64/v8
.
As a containerised app, you can easily deploy PalAuth on Kubernetes. The configuration used at auth.palk.me is available in k8s/deployment.yaml
.
Currently, PalAuth can be configured through a number of environment variables prefixed with PAL_
.
These are all the available options:
-
PAL_DB_STRING
: The SQL connection string. See Prisma docs -
PAL_HOSTNAME
: The hostname PalAuth will be running on (e.g.example.com
) -
PAL_OIDC_ID
: The Provider ID of the OIDC subsystem. Usually similar to the hostname but must be a full URL. E.g.https://example.com
-
PAL_CAPTCHA_URL
: URL of a Friendly Captcha server. Currently only the self-hosted friendly-lite-server is supported. -
PAL_CAPTCHA_KEY
: API key of the Friendly Captcha server. -
PAL_SECRET
: A secret used for session and CSRF signing. -
PAL_PUBLIC_JWK
: A base64-encoded RS256 JWK public key. You can generate these at mkjwk (for example) -
PAL_PRIVATE_JWK
: The corresponding base64-encoded JWK private key -
PAL_MAILGUN_KEY
: An API key for Mailgun, used for sending account emails -
PAL_MAILGUN_HOST
: The host to send Mailgun emails from -
PAL_REDIS_URL
: A Redis connection string including credentials, used for session storage -
NODE_ENV
:production
ordevelopment
You can use these variables in development to make your life easier:
PAL_DEV_CAPTCHA_DISABLE
:true
orfalse
— disables captchasPAL_DEV_ALLOW_INSECURE_PASSWORD
:true
orfalse
— disabled password security requirementsPAL_DEV_SKIP_EMAIL_VERIFICATION
:true
orfalse
— skips email verification for new accounts
GNU GPL 3.0. See LICENSE.md
.