sso
See our launch blog post for more information!
Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!
sso โย lovingly known as the S.S. Octopus or octoboi โ is the authentication and authorization system BuzzFeed developed to provide a secure, single sign-on experience for access to the many internal web apps used by our employees.
It depends on Google as its authoritative OAuth2 provider, and authenticates users against a specific email domain. Further authorization based on Google Group membership can be required on a per-upstream basis.
The main idea behind sso is a "double OAuth2" flow, where sso-auth
is the
OAuth2 provider for sso-proxy
and Google is the OAuth2 provider for sso-auth
.
sso is built on top of Bitlyโs open source oauth2_proxy
In a nutshell:
- If a user visits an
sso-proxy
-protected service (foo.sso.example.com
) and does not have a session cookie, they are redirected tosso-auth
(sso-auth.example.com
).- If the user does not have a session cookie for
sso-auth
, they are prompted to log in via the usual Google OAuth2 flow, and then redirected back tosso-proxy
where they will now be logged in (tofoo.sso.example.com
) - If the user does have a session cookie for
sso-auth
(e.g. they have already logged intobar.sso.example.com
), they are transparently redirected back toproxy
where they will be logged in, without needing to go through the Google OAuth2 flow
- If the user does not have a session cookie for
sso-proxy
transparently re-validates & refreshes the user's session withsso-auth
Installation
- Prebuilt binary releases
- Docker
go get github.com/buzzfeed/sso/cmd/...
Quickstart
Follow our Quickstart guide to spin up a local deployment of sso to get a feel for how it works!
Code of Conduct
Help us keep sso open and inclusive. Please read and follow our Code of Conduct.
Contributing
Contributions to sso are welcome! Please follow our contribution guideline.
Issues
Please file any issues you find in our issue tracker.
Security Vulns
If you come across any security vulnerabilities with the sso repo or software, please email [email protected]. In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.
Maintainers
sso is actively maintained by the BuzzFeed Infrastructure teams.
Notable forks
- pomerium an identity-access proxy, inspired by BeyondCorp.