admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
393 Commits 2 Branches 0 Tags
3f945fa3292084fc9016b746f5cc10d822586e04
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Amir Adal 3f945fa329 Update README.md
2025-06-08 16:38:26 +02:00
cmd/hspguard
feat: pass access to cache
2025-06-07 19:15:00 +02:00
internal
feat: log error when failing to put object
2025-06-07 22:07:28 +02:00
migrations
feat: add icon url to api service
2025-06-07 19:21:14 +02:00
queries
feat: update user verifications
2025-06-07 01:32:37 +02:00
scripts
feat: updated rsa key gen scripts
2025-05-25 14:53:02 +02:00
templates
feat: login+register pages finish
2025-05-18 23:16:54 +02:00
web
feat: center icon
2025-06-07 22:08:23 +02:00
.air.toml
feat: .air.toml file for ai
2025-05-30 21:27:46 +02:00
.env.example
feat: redis configuration
2025-06-07 01:31:47 +02:00
.gitignore
fix: add weirdo NUL (windows) file to git ignore
2025-05-31 10:27:34 +02:00
docker-compose.yml
feat: redis configuration
2025-06-07 01:31:47 +02:00
Dockerfile
feat: copy redis.conf
2025-06-07 22:07:16 +02:00
go.mod
feat: go-redis pkg
2025-06-07 01:31:55 +02:00
go.sum
feat: go-redis pkg
2025-06-07 01:31:55 +02:00
Makefile
feat: makefile adjust for windows
2025-05-30 21:23:16 +02:00
README.md
Update README.md
2025-06-08 16:38:26 +02:00
redis.conf
feat: redis configuration
2025-06-07 01:31:47 +02:00
sqlc.yaml
feat: better types overriding
2025-06-04 12:32:47 +02:00

README.md

🛡️ HSP Guard

HSP Guard is a modern OpenID Connect (OIDC) identity provider and access management system for home labs. It provides secure authentication and granular authorization for all your self-hosted services, combining ease of use with enterprise-level control — without any vendor lock-in.

Features

  • OIDC Provider: Central login for your home lab apps
  • Admin UI: Manage apps, users, roles, permissions, and sessions
  • API Tokens: Issue access tokens with embedded roles and permissions
  • Flexible Authorization: Support for roles, permissions, and groups (future)
  • App Registration: Register OAuth/OIDC clients with custom permissions
  • Automatic Permission Sync: Optionally fetch app permissions from /.well-known/guard-configuration
  • User & Admin Sessions: See and revoke active user/app sessions
  • Pluggable: Easily integrate new apps and services
  • Audit Logging: Track actions for security and troubleshooting (planned)

🚀 Getting Started

1. Run HSP Guard

You can run HSP Guard via Docker, Docker Compose, or natively (see below).

2. Register Your First App

  1. Login as admin
  2. Go to Apps → Register New App
  3. Enter:
    • Name of your app
    • Redirect URIs (for OIDC/OAuth callbacks)
    • (Optional) Permissions (manual or auto-discovered from the app)
  4. Save to receive a client_id and client_secret
  5. Configure your app to use these for OIDC login

3. Assign Permissions & Roles

  • Assign default roles to new users automatically (configurable)
  • Create custom roles to bundle permissions (e.g., FAMILY_MEMBER)
  • Assign users to roles and/or groups for flexible access control

🏗️ Concepts

🔑 Permissions

Fine-grained controls for app features (e.g., music.play, dashboard.edit).
Can be manually defined or auto-discovered from an apps .well-known/guard-configuration endpoint.

🧩 Roles

Named bundles of permissions (e.g., GUEST, FAMILY_MEMBER, ADMIN).
Assign to users/groups for easier management.

👥 Groups

(Planned) Logical user collections (e.g., “Family”, “Guests”, “Admins”) for batch management of roles/permissions.

👤 Users

Each user has a unique profile, roles, and group memberships.

🔗 OIDC/OAuth Integration

HSP Guard is a standard-compliant OIDC Provider. Any app supporting OIDC/OAuth can integrate.

  • Register app in admin panel to get client_id & client_secret
  • Configure your apps OIDC integration (see your apps docs)
  • Token claims include permissions and roles for easy authorization

Example Token Claims

{
  "sub": "123456",
  "name": "Alex Example",
  "email": "alex@example.com",
  "roles": ["GUEST"],
  "permissions": ["dashboard.view", "music.play"]
}
Description
Service that gently manages user credentials and permissions.
Readme MPL-2.0 9.4 MiB
Languages
TypeScript 66.5%
Go 30%
HTML 1.8%
Dockerfile 0.5%
Makefile 0.3%
Other 0.9%