DarkAuth offers a robust zero-knowledge authentication system, ensuring passwords never reach the server. With OIDC compatibility and features like optional zero-knowledge delivery of Data Root Keys and TOTP MFA, it provides a secure, open-source solution for self-hosting without the need for paid plans or subscriptions.
DarkAuth
DarkAuth is a robust, open-source zero-knowledge authentication system designed for maximum security and compliance with OpenID Connect (OIDC). Incorporating the OPAQUE protocol (RFC 9380), DarkAuth enables password authentication while ensuring that passwords never reach the server, providing exceptional privacy and security.
Key Features
- Zero-Knowledge Password Authentication: Utilizing the OPAQUE protocol, user passwords remain secret and are never exposed to the server.
- OIDC Compatibility: Supports OAuth 2.0 and OpenID Connect, ensuring interoperability with various services and applications.
- Zero-Knowledge Delivery of Data Root Keys: Employs a fragment-based JSON Web Encryption (JWE) technique to securely deliver Data Root Keys (DRK) to trusted users.
- TOTP Multi-Factor Authentication (MFA): Introduces time-based one-time passwords for enhanced security for both users and administrators, alongside features like backup codes and rate limiting.
- Database-Driven Configuration: Most configuration is managed through PostgreSQL, with a simple config.yaml for initial setup.
- Two-Port Architecture: Features dedicated ports for user access (9080) and administrative controls (9081), ensuring streamlined management.
- Secure Key Storage: Facilitates the optional encryption of private keys at rest using a KEK derived from Argon2id.
- Role-Based Access Control (RBAC): Implements fine-grained permissions and user groups, enhancing organizational security.
- Production Readiness: Built with security best practices like content security policies, session management, and rate limiting in mind, making it suitable for deployment in real-world applications.
Quick Start Guide
To run DarkAuth with Docker, use the command:
docker run -d -p 9080:9080 -p 9081:9081 ghcr.io/puzed/darkauth:latest
Once launched, access the installation interface at http://localhost:9081.
Architectural Overview
DarkAuth is structured as a monorepo using npm workspaces, consisting of the following key components:
packages/
├── api/ # Main server and API
├── user-ui/ # User-facing React application
├── admin-ui/ # Admin panel React application
├── test-suite/ # Playwright end-to-end tests
└── ...
Comprehensive API Endpoints
DarkAuth provides a variety of API endpoints for handling authentication, session management, and user administration, including:
- OIDC Discovery: /api/.well-known/openid-configuration
- OAuth Authorization: /api/authorize
- OPAQUE Authentication: POST requests for registration and login processes.
This project prioritizes security: recommended practices include enforcing HTTPS in production environments, using strong KEK passphrases, and keeping the database encrypted. Further details, support requests, and contributions go through the GitHub issue tracker.