
Kanidm Management Interface

A comprehensive web-based management interface for the Kanidm identity management system. This SvelteKit application provides an intuitive interface to manage OAuth2 applications, groups, and users in your Kanidm instance, with advanced features such as Unix extensions and SSH key management.

Features

OAuth2 Application Management

  • Complete OAuth2 application lifecycle (create, edit, delete)
  • Support for both confidential and public OAuth2 clients
  • Advanced configuration options (PKCE, legacy crypto, redirect URLs)
  • Image upload and favicon fetching capabilities
  • Scope mapping management for group-based permissions
  • Claim mapping management for permissions inside applications such as Grafana
  • Basic secret management and configuration

Group Management

  • Full group lifecycle management (create, edit, delete)
  • Member management with add/remove functionality
  • Unix/POSIX extension support with GID configuration
  • Group attribute management (display name, description)
  • Unix token generation for system integration

User Management

  • Complete user account lifecycle management
  • User attribute management (display name, email, legal name)
  • Group membership visualization and management
  • Unix extension support with UID, GID, home directory, and shell configuration
  • Password reset capabilities for Unix-enabled accounts
  • Credential status and update intent management

General Features

  • Responsive design using Tailwind CSS and DaisyUI components
  • Real-time updates and notifications
  • Tabbed interface with item counts and badges

Architecture

  • Frontend: SvelteKit 2.x with Svelte 5 (runes syntax)
  • Styling: Tailwind CSS 4.x with DaisyUI components
  • Backend: API proxy layer for Kanidm authentication
  • Build: Vite with Node.js adapter
  • Package Manager: Bun

Required Environment Variables

The application requires the following environment variables to be configured:

| Variable | Description | Example |
|---|---|---|
| KANIDM_BASE_URL | Base URL of your Kanidm instance | https://idm.example.com |
| KANIDM_USERNAME | Username for Kanidm authentication | idm_admin |
| KANIDM_PASSWORD | Password for Kanidm authentication | your_password_here |
| ORIGIN | Public URL the application is served from; required for some features (such as image upload) when running on localhost | http://localhost:3000 |

Docker Deployment

Using Docker Compose

Create a docker-compose.yml file:

version: '3.8'

services:
  kanidm-oauth2-manager:
    image: ghcr.io/tricked-dev/kanidm-oauth2-manager:latest
    container_name: kanidm-oauth2-manager
    restart: unless-stopped
    ports:
      - '3000:3000'
    environment:
      - KANIDM_BASE_URL=https://your-kanidm-instance.example.com
      - KANIDM_USERNAME=idm_admin
      - KANIDM_PASSWORD=your_admin_password
    depends_on:
      - kanidm # Optional: if running Kanidm in the same compose stack
    networks:
      - kanidm-network

networks:
  kanidm-network:
    driver: bridge

Or, if you prefer to load the variables from a .env file:

services:
  kanidm-oauth2-manager:
    image: ghcr.io/tricked-dev/kanidm-oauth2-manager:latest
    container_name: kanidm-oauth2-manager
    restart: unless-stopped
    ports:
      - '3000:3000'
    env_file: .env

Using Docker Run

docker run -d \
  --name kanidm-oauth2-manager \
  --restart unless-stopped \
  -p 3000:3000 \
  -e KANIDM_BASE_URL=https://your-kanidm-instance.example.com \
  -e KANIDM_USERNAME=idm_admin \
  -e KANIDM_PASSWORD=your_admin_password \
  -e ORIGIN=http://localhost:3000 \
  ghcr.io/tricked-dev/kanidm-oauth2-manager:latest

Adding login shield

The application currently has no built-in way to secure itself; put it behind Caddy with the security plugin or behind oauth2-proxy instead. Pull requests that add built-in authentication are welcome (it MUST have OIDC support).

Development Setup

Prerequisites

  • Bun package manager
  • Node.js 18+
  • Access to a Kanidm instance

Installation

  1. Clone the repository

  2. Install dependencies:

    bun install
  3. Configure environment variables:

    cp .env.example .env
    # Edit .env with your Kanidm configuration
  4. Start the development server:

    bun run dev

Available Scripts

  • bun run dev - Start development server with hot reload
  • bun run build - Build for production
  • bun run preview - Preview production build
  • bun run check - Run Svelte type checking
  • bun run lint - Check code formatting
  • bun run format - Format code

Configuration

The application connects to your Kanidm instance through an API proxy layer that handles authentication and session management. The proxy automatically manages Bearer token authentication with a 5-minute token cache to optimize performance.
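The token cache described above is the part of the proxy layer where a mistake hurts most: a token that is cached past its real lifetime produces a burst of confusing 401s, and a cache that does not coalesce concurrent refreshes logs in to Kanidm once per request. The following is an added illustration, not the project's own proxy code: a bearer-token cache with a fixed 5-minute TTL, one in-flight login at a time, and a fetch wrapper that drops the cached token and retries once on 401. The class and function names, the injected `authenticate`/`now`/`doFetch` callbacks and the fake server in `demo()` are all assumptions constructed for the example.

```javascript
// Added example (not the project's code): bearer-token cache with a fixed TTL,
// in the spirit of the README's 5-minute cache. All names here are assumptions.

const TOKEN_TTL_MS = 5 * 60 * 1000;

class TokenCache {
  // `authenticate` is an injected async function that performs the Kanidm login
  // and resolves to a fresh token; `now` is injectable so expiry can be tested
  // without sleeping.
  constructor(authenticate, now = () => Date.now()) {
    this.authenticate = authenticate;
    this.now = now;
    this.token = null;
    this.expiresAt = 0;
    this.inflight = null;
  }

  async getToken() {
    if (this.token !== null && this.now() < this.expiresAt) return this.token;
    // Coalesce concurrent refreshes so a burst of requests triggers one login.
    if (this.inflight === null) {
      this.inflight = this.authenticate()
        .then((t) => {
          this.token = t;
          this.expiresAt = this.now() + TOKEN_TTL_MS;
          return t;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  // Forget the cached token, e.g. after the server rejected it.
  invalidate() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Wrap a fetch-like function: attach the bearer token and, on 401, drop the
// cached token and retry exactly once so a revoked session self-heals without
// looping forever against a broken credential.
async function fetchWithBearer(cache, doFetch, url, init = {}) {
  let res;
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await cache.getToken();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    res = await doFetch(url, { ...init, headers });
    if (res.status !== 401) return res;
    cache.invalidate();
  }
  return res;
}

// Constructed offline demo: a fake authenticator that hands out tok-1, tok-2, ...
// and a fake server that starts rejecting tok-1 once it has been "revoked".
async function demo() {
  let logins = 0;
  let clock = 0;
  let revoked = false;
  const cache = new TokenCache(async () => `tok-${++logins}`, () => clock);
  const fakeFetch = async (url, init) => {
    const auth = init.headers.Authorization;
    if (revoked && auth === 'Bearer tok-1') return { status: 401, auth };
    return { status: 200, auth };
  };
  const r1 = await fetchWithBearer(cache, fakeFetch, '/v1/oauth2');   // login #1
  clock += 2 * 60 * 1000;
  const r2 = await fetchWithBearer(cache, fakeFetch, '/v1/group');    // served from cache
  revoked = true;
  const r3 = await fetchWithBearer(cache, fakeFetch, '/v1/person');   // 401 -> login #2, retry
  clock += TOKEN_TTL_MS;
  const r4 = await fetchWithBearer(cache, fakeFetch, '/v1/person');   // TTL expired -> login #3
  return { logins, statuses: [r1.status, r2.status, r3.status, r4.status], finalAuth: r4.auth };
}

demo().then((r) => console.log(r));
```

The single-retry limit matters: if the configured KANIDM_USERNAME/KANIDM_PASSWORD are simply wrong, every refresh yields a token the server rejects, and an unbounded retry would turn each UI request into a login storm against Kanidm.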

Security Considerations

  • Ensure your Kanidm credentials are stored securely
  • Use environment variables or Docker secrets for sensitive configuration
  • The application requires administrative access to Kanidm for OAuth2 application management
  • Consider running behind a reverse proxy with TLS termination

Or just run it locally real quick

Pull the container, do what you want, shut down the container and forget I exist :)

Running it with Bun is also a valid option if you don't want to deal with Docker, by the way.

OAuth2 Application Management

The interface displays OAuth2 applications with their complete configuration including:

  • Application name and display name
  • Redirect URLs and origin settings
  • Scope mappings and security settings
  • Cryptographic configuration
  • Basic secret configuration (hidden for security)

Troubleshooting

Common Issues

  1. Authentication failures: Verify that KANIDM_USERNAME and KANIDM_PASSWORD are correct
  2. Connection errors: Ensure KANIDM_BASE_URL is reachable from the container
  3. "Cross-site POST form submissions are forbidden" when uploading an app image: Ensure the ORIGIN environment variable is set
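Issue 3 above is an origin check, not a bug in the image upload: a form POST is only accepted when the browser's Origin header matches the origin the server believes it is running on, which is what ORIGIN tells it. The following added example (not SvelteKit's or the project's code) shows the shape of that check so the error message makes sense when debugging. The function names, the plain-object request shape and the fail-closed behaviour when no origin is configured are assumptions made for the example.

```javascript
// Added example (not the project's code): a same-origin check for form POSTs of
// the kind behind "Cross-site POST form submissions are forbidden". Names and
// the request shape are assumptions.

// Content types a browser can send from a plain <form> without a preflight.
const FORM_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

function isFormPost(req) {
  if (req.method !== 'POST') return false;
  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return FORM_CONTENT_TYPES.includes(ct);
}

// Returns null when the request may proceed, otherwise a short reason for
// rejecting it. `configuredOrigin` stands for the ORIGIN environment variable.
// With no configured origin this example fails closed (an assumption of the
// example, chosen so the check never silently passes).
function checkFormOrigin(req, configuredOrigin) {
  if (!isFormPost(req)) return null;
  if (!configuredOrigin) return 'ORIGIN is not configured; cannot verify the request origin';
  const expected = new URL(configuredOrigin).origin;
  const origin = req.headers['origin'];
  if (origin !== expected) {
    return `cross-site POST: origin ${origin ?? '<missing>'} != ${expected}`;
  }
  return null;
}

// Constructed sample requests, mirroring an image upload from the UI.
const uploadFromLocalhost = {
  method: 'POST',
  headers: {
    'content-type': 'multipart/form-data; boundary=----example',
    origin: 'http://localhost:3000',
  },
};

console.log(checkFormOrigin(uploadFromLocalhost, 'http://localhost:3000'));      // null
console.log(checkFormOrigin(uploadFromLocalhost, 'https://idm-ui.example.com')); // rejected
console.log(checkFormOrigin(uploadFromLocalhost, undefined));                    // rejected
```

The practical consequence for deployment: ORIGIN must be the URL the browser actually uses, so when the manager sits behind a reverse proxy with TLS termination it has to be the public https URL, not the container's internal http address.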

Logs

Check container logs for detailed error information:

docker logs kanidm-oauth2-manager


License

This project is licensed under the MPL-2.0 License.

About

A web UI for managing all Kanidm OAuth2 applications: getting the secret, uploading pictures, changing redirect URLs, etc.
