anon/README.md

# ^NON \[anon\]

Extremely rudimentary OIDC provider. Users hold account codes from which
their identities are derived on-demand.

Each identity is separate for different services, but can be accessed from a
single account code. ^NON does not have a database of the users, so nobody
can correlate user information across services.

## Installation

1. build binary with `cargo`

2. fill out `config.toml.sample`. The server expects a file called
   `config.toml` in its working directory.

3. Generate the keypair for signing JWT tokens with:
   ```bash
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 | \
      openssl pkcs8 -topk8 -nocrypt -outform der > rsa-key.pk8
   ```

4. Enjoy :)

Alternatively you can use the pre-built docker image:
```
git.nolog.cz/nolog.cz/anon:latest
```

## Deployment notes

When deploying, you should be aware of the potential of a birthday attack on
the system. For `v1` of the account code, we should expect a collision after
about `2^36` unique accounts, which means that, without rate-limiting, there is
the potential to brute-force an account / accidentally log into someone else's
account. You should consider the amount of users which will use the system, and
set up a rate-limiter.

Improbable things happen all the time, so better safe than sorry :)
refactor, rethink, rewrite 2024-06-01 22:44:32 +02:00			`# ^NON \[anon\]`
add README 2024-02-25 19:20:16 +01:00
refactor, rethink, rewrite 2024-06-01 22:44:32 +02:00			`Extremely rudimentary OIDC provider. Users hold account codes from which`
add README 2024-02-25 19:20:16 +01:00			`their identities are derived on-demand.`

			`Each identity is separate for different services, but can be accessed from a`
refactor, rethink, rewrite 2024-06-01 22:44:32 +02:00			`single account code. ^NON does not have a database of the users, so nobody`
add README 2024-02-25 19:20:16 +01:00			`can correlate user information across services.`

			`## Installation`

			1. build binary with `cargo`

			2. fill out `config.toml.sample`. The server expects a file called
			`config.toml` in its working directory.

refactor, rethink, rewrite 2024-06-01 22:44:32 +02:00			`3. Generate the keypair for signing JWT tokens with:`
			```bash
			`openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \| \`
			`openssl pkcs8 -topk8 -nocrypt -outform der > rsa-key.pk8`
			```

			`4. Enjoy :)`

mention docker image in readme 2024-06-01 22:53:15 +02:00			`Alternatively you can use the pre-built docker image:`
			```
			`git.nolog.cz/nolog.cz/anon:latest`
			```

refactor, rethink, rewrite 2024-06-01 22:44:32 +02:00			`## Deployment notes`

			`When deploying, you should be aware of the potential of a birthday attack on`
			the system. For `v1` of the account code, we should expect a collision after
			about `2^36` unique accounts, which means that, without rate-limiting, there is
			`the potential to brute-force an account / accidentally log into someone else's`
			`account. You should consider the amount of users which will use the system, and`
			`set up a rate-limiter.`

			`Improbable things happen all the time, so better safe than sorry :)`