# rauthy
> OpenID Connect Single Sign-On Identity & Access Management
<!-- metadata -->
* **Maintainer**: [@3wc](https://git.coopcloud.tech/3wordchant), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@dannygroenewegen](https://git.coopcloud.tech/dannygroenewegen)
* **Category**: Apps
* **Status**: 0
* **Image**: [`rauthy`](https://ghcr.io/sebadob/rauthy), 4, upstream
* **Healthcheck**: No
* **Backups**: No
* **Email**: No
* **Tests**: No
* **SSO**: No
<!-- endmetadata -->
## Quick start
1. `abra app new rauthy`
2. `abra app cmd --local <app> generate_enc_keys`
3. `abra app secret generate <app> --all`
4. `abra app deploy <app>`
5. `abra app logs <app>`
   - You'll see the automatically generated admin password in the initial logs.
     Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env
     var controls the value of the admin login username.

For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
### Host mode networking
You'll want to enable host mode networking in your Traefik configuration to avoid
being mistakenly rate limited based on internal IPv4 addresses (e.g. `10.0.0.6`).
```
COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
```
### Encryption key rotation
This recipe supports encryption key rotation as described in [the docs](https://sebadob.github.io/rauthy/config/encryption.html). To rotate keys the first time:
1. Increment the version in `SECRET_ENC_KEYS_B_VERSION=b1` to `b2`
2. `abra app secret insert <app> enc_keys_b b2 "$(openssl rand -base64 32)"`
3. Change `ENC_KEY_ACTIVE="a1"` to `b2` (this tells rauthy to encrypt new secrets with the new key while still having access to `a1`)
4. `abra app deploy <app>`

For any later rotation, follow the same pattern: increment the version of the non-active secret, then set `ENC_KEY_ACTIVE` to that newly generated version.
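
The rotation pattern above, generalised to any later rotation, as an added shell example that is not part of this recipe: it reads the app's env file, refuses to continue when `ENC_KEY_ACTIVE` matches neither secret version, and prints the four steps for the non-active slot. The `SECRET_ENC_KEYS_A_VERSION` variable, the `enc_keys_a` secret name and the letter-plus-number version format are assumptions inferred from the `b` names shown here.

```shell
#!/bin/sh
# Added example, not part of the recipe: plan the next key rotation from an app env file.
# Assumptions: SECRET_ENC_KEYS_A_VERSION and an enc_keys_a secret exist alongside the
# "b" names, and each version is its slot letter plus a number (a1, b1, b2, ...).

# env_get FILE NAME: print the last uncommented value of NAME, quotes stripped.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# plan_rotation FILE: print "<slot> <new_version>" for the non-active slot.
# Fails when ENC_KEY_ACTIVE names no configured version, because the active key
# id would then point at a key that is not deployed.
plan_rotation() {
    a=$(env_get "$1" SECRET_ENC_KEYS_A_VERSION)
    b=$(env_get "$1" SECRET_ENC_KEYS_B_VERSION)
    active=$(env_get "$1" ENC_KEY_ACTIVE)
    if [ -z "$active" ]; then
        echo "ENC_KEY_ACTIVE is not set" >&2; return 1
    elif [ "$active" = "$a" ]; then
        slot=b; cur=$b   # a is active, so only b may be replaced
    elif [ "$active" = "$b" ]; then
        slot=a; cur=$a   # b is active, so only a may be replaced
    else
        echo "ENC_KEY_ACTIVE=$active matches neither secret version" >&2; return 1
    fi
    num=${cur#"$slot"}
    case "$num" in
        ''|*[!0-9]*) echo "unexpected version '$cur' for slot $slot" >&2; return 1 ;;
    esac
    echo "$slot $slot$((num + 1))"
}

# print_steps FILE APP: print the rotation steps with the values filled in.
print_steps() {
    plan=$(plan_rotation "$1") || return 1
    slot=${plan% *}; new=${plan#* }
    upper=$(printf '%s' "$slot" | tr 'a-z' 'A-Z')
    echo "1. set SECRET_ENC_KEYS_${upper}_VERSION=$new"
    echo "2. abra app secret insert $2 enc_keys_$slot $new \"\$(openssl rand -base64 32)\""
    echo "3. set ENC_KEY_ACTIVE=\"$new\""
    echo "4. abra app deploy $2"
}

# Usage: sh plan_rotation.sh <env-file> <app>
if [ "$#" -eq 2 ]; then print_steps "$1" "$2"; fi
```

The script only prints the steps; it never edits the env file or inserts a secret, so the output can be reviewed before anything changes.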