A zero-knowledge authentication system with OIDC compatibility.
Pitch

DarkAuth is an open-source, self-hosted authentication solution featuring the OPAQUE protocol for password security. Designed for absolute privacy, it ensures passwords remain unknown to servers while supporting OIDC compatibility for seamless integration. With features like TOTP MFA, email password reset, and secure key storage, it provides a robust framework for secure authentication.

Description

DarkAuth: A Zero-Knowledge Authentication Solution

DarkAuth offers a zero-knowledge authentication system that is fully compatible with OpenID Connect (OIDC). By using the OPAQUE protocol (RFC 9380), DarkAuth keeps user passwords secret from the server, which never receives the password during registration or login. It also offers optional zero-knowledge delivery of Data Root Keys (DRK) directly to trusted clients.

Key Features

  • Zero-Knowledge Password Authentication: Implements the OPAQUE protocol, allowing users' passwords to be kept secret from the server.
  • OpenID Connect Compatibility: Uses standard OAuth 2.0/OIDC protocols for seamless integration with existing systems.
  • Secure DRK Delivery: Provides a mechanism for the safe transmission of wrapped DRKs to trusted clients using JWE (JSON Web Encryption).
  • TOTP Multifactor Authentication: Offers time-based one-time passwords for both users and admins, complete with backup codes and customizable rate limits.
  • Email Password Reset: Enables secure self-service password resets through hashed one-time tokens sent via email.
  • Database-Driven Configuration: Utilizes PostgreSQL to store most configurations, with a minimal config.yaml file required for initial setup.
  • Dual-Port Architecture: Operates on separate ports for user access and admin functionality, with a guided installer for easy initial setup.
  • Secure Key Storage: Supports the encryption of sensitive private keys at rest using Argon2id-derived key encryption keys (KEK).
  • Role-Based Access Control (RBAC): Enables detailed permissions and roles that can be scoped to individual organizations.
  • Production Ready: Incorporates essential security features such as content security policy headers, rate limiting, and session management.
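The "hashed one-time token" reset flow named above, shown as an added illustration of the pattern rather than DarkAuth's own code; the class, method names and in-memory store are assumptions. Only a SHA-256 digest of each token is kept, so a leaked table cannot be replayed, and every token expires and succeeds at most once.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """Constructed in-memory stand-in for the database table holding reset tokens."""

    def __init__(self):
        # digest -> {"user": str, "expires": float, "used": bool}
        self._records = {}

    @staticmethod
    def _digest(token: str) -> str:
        # The token carries 256 bits of entropy, so a plain SHA-256 digest is
        # sufficient; a slow password hash is only needed for low-entropy secrets.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # URL-safe so it can be embedded in the email link
        self._records[self._digest(token)] = {
            "user": user,
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # plaintext goes into the email only, never into storage

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user on success, or None for unknown, expired or reused tokens."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        rec["used"] = True  # single use: mark consumed before any password change happens
        return rec["user"]
```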

Quick Start Guide

For a fast way to deploy DarkAuth, run it using Docker:

docker run -d -p 9080:9080 -p 9081:9081 ghcr.io/puzed/darkauth:latest

Visit http://localhost:9081 to complete the installation process.

Development and Testing

DarkAuth is designed with developers in mind. It supports a development mode with hot reloading and easy access to its components. The system is structured in a modular monorepo that includes API services, user and admin interfaces, and testing suites. The various endpoints and configurations allow for flexibility in setup and usage, accommodating both integrated and standalone database configurations.

Security Considerations

To maintain the integrity and confidentiality of user data, DarkAuth enforces essential security practices, such as:

  • Utilizing HTTPS in production environments.
  • Setting a strong KEK passphrase, since it protects the private keys stored at rest.
  • Enforcing rate limits on vulnerable endpoints.
  • Providing tools for comprehensive session management and audit logging.

Conclusion

DarkAuth stands out as a leading solution for organizations requiring a zero-knowledge authentication system. Its blend of security, flexibility, and open-source accessibility makes it a compelling choice for developers and system administrators alike, ensuring that passwords remain secure and user data is protected.
