VoidAuth

Self-hosted SSO with OIDC, LDAP, passkeys, and proxy auth for your entire self-hosted stack

2.2Kstars
74forks
GNU AGPLv3
TypeScript

VoidAuth is an open-source Single Sign-On platform purpose-built for self-hosted environments, giving you a centralized identity provider that secures access to every application in your stack. It supports OpenID Connect for standard integrations, a built-in LDAP directory server for legacy apps, and reverse proxy ForwardAuth for services that lack native auth support — all without modifying those applications.

Unlike cloud SSO services that require handing over user data to a third party, VoidAuth keeps credentials and sessions entirely on your infrastructure. User data is stored encrypted at rest using AES-256-GCM, with key rotation support via a secondary storage key for zero-downtime migrations. The web-based admin panel handles user provisioning, group management, OIDC client registration, and branding from a single interface.

Modern authentication methods are first-class citizens: WebAuthn passkeys with FIDO2, TOTP-based MFA, and passkey-only account enforcement are all supported out of the box. Email-driven workflows — registration, invitation, password reset, and admin notifications — are fully configurable via SMTP. VoidAuth ships as a single Docker image with PostgreSQL or SQLite backends, making it straightforward to add to any existing compose setup.

What You Get

  • OpenID Connect (OIDC) Provider - Implements the full OIDC 1.0 specification so any OIDC-compatible app (Nextcloud, Grafana, Home Assistant, Gitea, and dozens more) can delegate authentication to VoidAuth.
  • Built-in LDAP Directory Server - A hand-rolled LDAP server with BER protocol support, TLS, and configurable base DN so legacy applications that only support LDAP authentication can participate in your SSO setup without an external directory.
  • Proxy ForwardAuth Integration - Protects any web application behind a reverse proxy (Caddy, Traefik, Nginx) via trusted HTTP headers without touching the app’s source code or configuration.
  • Passkeys and Multi-Factor Authentication - Supports WebAuthn passkeys (FIDO2), TOTP, and passkey-only account enforcement for passwordless or step-up authentication flows.
  • User and Group Management - Full admin dashboard for creating, inviting, and managing users and security groups, with group-based access control for OIDC client authorization.
  • Email-Driven User Workflows - Configurable SMTP integration powers self-registration, admin-generated invitations, email verification, password reset, and admin notification emails with customizable templates.
  • Customizable Branding - Replace the login portal’s logo, title, theme color, and email templates via environment variables and volume-mounted files — no code changes required.
  • Encryption-at-Rest with Key Rotation - All sensitive data (credentials, tokens, OIDC payloads) is encrypted using AES-256-GCM with support for a secondary storage key to enable seamless key rotation.
  • Docker Label OIDC Registration - Declare OIDC client configurations directly in Docker Compose labels via the Docker socket integration, auto-provisioning clients when containers start.

Common Use Cases

  • Home lab with a dozen self-hosted apps - A self-hoster deploys VoidAuth once and uses OIDC + ForwardAuth to protect Nextcloud, Immich, Grafana, Portainer, and Jellyfin under a single login without touching each app’s auth config.
  • Legacy app integration via LDAP - A developer runs software that only speaks LDAP (like OpenVPN or some wiki platforms) and points it at VoidAuth’s built-in LDAP server instead of setting up a separate OpenLDAP instance.
  • Passwordless family access with passkeys - A household deploys VoidAuth and issues passkey-only accounts to family members so they can log into shared services with biometrics and no passwords to forget or share.
  • Small team replacing SaaS SSO - A startup uses VoidAuth with OIDC to give developers access to internal tools like Gitea, Mattermost, and Grafana with centrally managed credentials, avoiding per-user Okta or Auth0 costs.
  • Privacy-first migration from cloud identity - A privacy-focused user replaces Google or Microsoft login across their apps with VoidAuth to eliminate third-party tracking and keep all authentication data on their own hardware.

Under The Hood

Architecture VoidAuth follows a pragmatic monolithic structure with a clear service boundary between a Node.js/Express backend and an Angular SPA frontend, communicating over a well-typed REST API. The server is organized into discrete modules — routes, database layer, OIDC provider integration, LDAP server, CLI commands, and shared utilities — with async-local-storage used for per-request transaction scoping rather than request-threading globals. The OIDC integration wraps the oidc-provider library with a custom Knex-backed adapter and intercepts the interaction policy to layer in VoidAuth-specific checks (user approval, expiry, MFA enforcement). The LDAP server is implemented from scratch in Node.js with manual BER protocol parsing and TLS support — a deliberate choice to avoid a heavy external dependency while keeping the server footprint small. Configuration is class-based with Zod-validated environment variable parsing, giving clear startup errors rather than silent misconfigurations.

Tech Stack The server runs on Node.js 24 with Express 5 and TypeScript 5.9 in strict ESM mode, using esbuild for a single-file production bundle. The Angular 21 frontend uses Material Design components, ngx-translate for i18n, and SimpleWebAuthn for in-browser passkey operations. Database access uses Knex.js for migrations and queries against PostgreSQL 18 (primary) or SQLite via better-sqlite3 (lightweight deployments). Authentication relies on the oidc-provider library for OIDC, @simplewebauthn/server for WebAuthn, otpauth for TOTP, nodemailer for SMTP, and jose for JWT operations. Zod handles request validation throughout. Docker multi-stage builds produce a compact final image from a custom base at dhi.io/node.

Code Quality The codebase does not yet have automated tests — no spec files exist in the server layer and the frontend’s Vitest dependency is present but not exercised. Code quality is maintained through strong TypeScript strict mode enforcement, Zod schema validation on all API inputs, ESLint with Prettier, and Husky-backed pre-commit hooks that enforce formatting automatically. Shared types between frontend and backend via the @shared module eliminate entire classes of API contract drift. Error handling uses structured logger calls with typed error arrays rather than bare console output, though a few catch blocks swallow errors silently. The transaction-per-request pattern with automatic commit/rollback on 5xx responses is a sound architectural choice that prevents partial writes.

What Makes It Unique The built-in LDAP directory server is VoidAuth’s most distinctive feature: rather than requiring a separate OpenLDAP instance, it implements the LDAP protocol directly in TypeScript with BER encoding, TLS support, and security limits on frame size and search results — a rare choice that meaningfully reduces the operational footprint for self-hosters with legacy app requirements. Docker label-based OIDC client auto-provisioning is another differentiator, letting developers declare auth configuration alongside their service definitions in Compose files. The dual-database support (PostgreSQL for production, SQLite for lightweight setups) with a live migration CLI command bridges a gap that forces most similar tools to commit to one backend permanently.

Self-Hosting

VoidAuth is released under the GNU Affero General Public License v3.0 (AGPL-3.0). In practical terms this means you can use, modify, and self-host it freely for any purpose, including commercial use, but if you distribute a modified version or provide it as a network service to others you must also make your modifications available under the same license. For a team running VoidAuth only for their own internal users this copyleft condition does not typically create obligations — the AGPL’s network-use clause applies when you offer the software as a service to third parties, not when you use it internally.

Running VoidAuth yourself is straightforward by self-hosted standards: it ships as a single Docker image that pairs with PostgreSQL (recommended) or SQLite (lightweight setups). You provide a reverse proxy for TLS termination, set a handful of required environment variables (APP_URL, STORAGE_KEY, DB_PASSWORD), and bring up the stack with Compose. Ongoing maintenance involves keeping the container image updated, managing database backups via your preferred PostgreSQL tooling, and monitoring the application logs for errors. VoidAuth includes a built-in healthcheck endpoint and a CLI for administrative tasks like password reset link generation and database migration between backends. The operational burden is comparable to running any small Dockerized Node.js service — low, but entirely yours to own.

There is no paid cloud tier or commercial support offering from the VoidAuth project; support is community-driven through GitHub Issues and Discussions, which the maintainer monitors actively. This means there are no managed upgrades, no SLA, no high-availability failover, and no enterprise support contract — all of which are your responsibility. Compared to managed identity providers like Auth0, Okta, or Clerk, you give up turnkey infrastructure, 99.9%+ uptime guarantees, and dedicated security response teams. What you gain is full data ownership, no per-user or per-MAU pricing, and the ability to run your identity layer in an air-gapped or fully private environment.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search