Secure by default
Rauthy tries to be as secure as possible by default while still providing all the options needed to stay compatible with older systems. For instance, if you create a new OIDC client, it activates ed25519 as the default algorithm for token signing and the S256 PKCE flow. This will not work with old clients that do not support it, but you can of course deactivate this to your liking.
MFA and Passwordless Login
Rauthy provides FIDO 2 / WebAuthn login flows. Once you have logged in from a new client with your username and password, you receive an encrypted cookie that allows you to log in without a password from that moment on. You only need a FIDO compliant passkey registered for your account.
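The S256 PKCE flow that Rauthy enables by default (see Secure by default above), as an added example that is not Rauthy's own code: the client derives the challenge from a random verifier, and the authorization server recomputes it at the token endpoint. It uses only the Python standard library; the RFC 7636 verifier length bounds and the constant-time comparison are the checks a server must not skip.

```python
"""Client-side PKCE S256 derivation and the matching server-side check.
Added example for illustration, not code from the Rauthy project."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 mandates unpadded base64url encoding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: return (code_verifier, code_challenge) for method S256.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def verify_pkce(verifier: str, challenge: str, method: str) -> bool:
    """Server side: the verifier sent with the authorization code must match
    the challenge that was stored when /authorize was called."""
    # RFC 7636 section 4.1: verifier must be 43..128 characters.
    if not 43 <= len(verifier) <= 128:
        return False
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        # Only for legacy clients; Rauthy's default is S256.
        expected = verifier
    else:
        # Unknown or missing method: reject rather than fall back to 'plain'.
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, challenge)
```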
Fast and efficient
The main goal was to provide an SSO solution like Keycloak and others with a much lower footprint and more efficient use of resources. For instance, Rauthy can easily run a full-blown SSO provider on just a Raspberry Pi. It makes extensive use of caching to be as fast as possible in cases where your database is further away or a bit slower, for example because it is running on an SBC from an SD card. Most things are even cached for several hours (config options will come in the future), and special care has been taken with cache eviction and invalidation.
Highly Available
Even though it makes extensive use of caching, you can run it in HA mode. It uses its own embedded distributed HA cache called redhac, which handles cache eviction on remote hosts. You can choose between SQLite for single-instance deployments and Postgres if you need HA. MySQL support might come in the future.
Client Branding
You have a simple way to create some kind of branding or stylized look for the Login page of each client. The whole color theme can be changed and each client can have its own custom logo. Additionally, if you modify the branding for the default rauthy client, it will not only change the look of the Login page, but also of the Account and Admin pages.
Already in production
Rauthy is already being used in production, and it works with all typical OIDC clients (so far). It was just not an open source project for quite some time. Keycloak was a rough inspiration in certain places, and if something works with Keycloak, it does with rauthy too (again, so far).