Stand up single sign-on for a handful of internal tools without deploying a full enterprise identity platform.
Restrict new account registration to invite-only codes or a specific company email domain.
Let connected apps verify user identity with signed tokens fetched from a simple JWKS endpoint.
| wmn1525/oaioidc | arlandaren/proagents | audietoffe/plasma-gpu-router | |
|---|---|---|---|
| Stars | 25 | 25 | 25 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | easy | hard |
| Complexity | 3/5 | 1/5 | 3/5 |
| Audience | ops devops | vibe coder | ops devops |
Figures from each repo's GitHub metadata at analysis time.
No refresh token, userinfo endpoint, or multi-tenant support yet, intended for small internal deployments only.
OAIOIDC is a lightweight, self-hosted identity server that handles single sign-on for internal systems. It implements OpenID Connect (OIDC), a standard protocol that lets users log in once and access multiple connected applications without entering their credentials again. The project is aimed at small internal deployments where a full enterprise identity platform would be more than needed. The server is built in Python with Flask and stores all data in SQLite, making it straightforward to deploy on a single machine without setting up a separate database. It runs locally or in Docker and exposes the standard OIDC discovery endpoints that connected applications use to verify identities and fetch public signing keys. User registration is controlled through a CDK system. An administrator creates registration codes with a limited number of uses and distributes them to people who need accounts. Only someone with a valid code can register, which keeps the user base to a known set. Registration can also be restricted to a fixed email domain, so only addresses from a specific organization are accepted. Once a user registers and logs in, connected applications receive signed tokens (ID Token and Access Token) that confirm the user's identity. The tokens are signed with an RS256 key that the server generates automatically on first start. Applications verify these tokens using the public key exposed at the /jwks.json endpoint. An admin dashboard lets administrators manage registered applications, review audit logs, view users, and manage CDKs. The README notes that the server does not yet support refresh tokens, the userinfo endpoint, or multi-tenant deployments, and recommends a more complete identity platform for organizations that need those features. MIT licensed.
A lightweight self-hosted identity server that lets users log in once and access multiple internal apps using the OpenID Connect standard.
Mainly Python. The stack also includes Python, Flask, SQLite.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.