pkoenig10/auth-oidc
auth-oidc

An OpenID Connect Relying Party designed to support authentication and authorization in a reverse proxy.

Users are authenticated using the configured OpenID Provider and authorized using the provided configuration file. Session information is stored as a signed JWT in a cookie.

Endpoints

  • /auth

    Performs authentication and authorization. The user's email address is returned in the X-Subject response header.

    Query parameters:

    | Name | Required | Description |
    | --- | --- | --- |
    | group | No | The group name to use for authorization. |
    | redirect | No | The URL to redirect to after a successful login. |

    Status codes:

    | Status | Description |
    | --- | --- |
    | 200 | The user is authenticated and authorized. |
    | 302 | The user is not authenticated and a redirect URL was provided. Redirects to the OpenID Provider Authorization Endpoint. |
    | 401 | The user is not authenticated and a redirect URL was not provided. |
    | 403 | The user is authenticated but not authorized. |

  • /login

    Starts the OpenID Connect Authorization Code Flow.

    Query parameters:

    | Name | Required | Description |
    | --- | --- | --- |
    | redirect | No | The URL to redirect to after a successful login. |

    Status codes:

    | Status | Description |
    | --- | --- |
    | 302 | Redirects to the OpenID Provider Authorization Endpoint. |

  • /logout

    Performs logout.

    Status codes:

    | Status | Description |
    | --- | --- |
    | 200 | The user was successfully logged out. |

  • /callback

    Completes the OpenID Connect Authorization Code Flow. The OpenID Provider should be configured with this endpoint as the callback URL.

    Status codes:

    | Status | Description |
    | --- | --- |
    | 200 | The user was successfully logged in and a redirect URL was not provided. |
    | 302 | The user was successfully logged in and a redirect URL was provided. Redirects to the provided redirect URL. |

Configuration

Environment variables

| Variable | Description | Required? | Default |
| --- | --- | --- | --- |
| LISTEN_ADDRESS | The network address the server listens on. | No | :80 |
| ISSUER_URL | The OpenID Connect issuer URL. | No | https://accounts.google.com |
| EXTERNAL_URL | The external URL of this server. Used to construct the OAuth2 redirect URL. | Yes | - |
| CLIENT_ID | The OpenID Connect client ID. | Yes | - |
| CLIENT_SECRET | The OpenID Connect client secret. | Yes | - |
| TOKEN_KEY | The JWT signing key. | Yes | - |
| TOKEN_EXPIRATION | The JWT expiration duration. | No | 168h |
| COOKIE_NAME | The cookie name. | No | _token |
| COOKIE_DOMAIN | The cookie Domain attribute. | No | (empty) |
| COOKIE_PATH | The cookie Path attribute. | No | / |
| CONFIG_PATH | The configuration file path. | No | config.yml |

Configuration file

The configuration file is a YAML file with the following properties:

| Property | Type | Description |
| --- | --- | --- |
| groups | Object | Group memberships to use for authorization. |

Example

```yaml
groups:
  group1:
    - user1@example.com
  group2:
    - user1@example.com
    - user2@example.com
```
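To show how the /auth endpoint described above combines the signed session cookie with the groups in this configuration file, here is an added Python sketch of that decision (example code, not the auth-oidc project's own): the cookie value is verified as an HS256 JWT under TOKEN_KEY, the email claim becomes the X-Subject value, and the endpoint's status table is applied. The claim layout {"email", "exp"}, the test key and the GROUPS dictionary are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: the "groups" property of config.yml as a YAML loader would parse it.
GROUPS = {
    "group1": ["user1@example.com"],
    "group2": ["user1@example.com", "user2@example.com"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _tag(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def sign_session(email: str, key: bytes, exp: int) -> str:
    """Mint a cookie value with the assumed claim layout {"email", "exp"}."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"email": email, "exp": exp}).encode())
    tag = _tag(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{_b64url(tag)}"

def verify_session(token: str, key: bytes, now: int):
    """Return the subject only if the HMAC (checked as HS256 whatever the alg header says) and expiry pass."""
    try:
        header, payload, sig = token.split(".")
        expected = _tag(f"{header}.{payload}".encode(), key)
        if not hmac.compare_digest(_unb64url(sig), expected):
            return None  # tampered, or signed under a different TOKEN_KEY
        claims = json.loads(_unb64url(payload))
        email, exp = claims["email"], int(claims["exp"])
    except (ValueError, TypeError, KeyError):
        return None  # wrong part count, bad base64url/JSON, or claims missing
    if not isinstance(email, str) or now >= exp:
        return None  # no subject, or expired session
    return email

def authorize(token: str, key: bytes, now: int, group=None, redirect=None):
    """Apply the /auth status table; returns (status, value for X-Subject)."""
    email = verify_session(token, key, now)
    if email is None:
        return (302 if redirect else 401), None
    if group is not None and email not in GROUPS.get(group, []):
        return 403, None
    return 200, email
```

A forged cookie that keeps a valid signature but swaps the payload, a cookie signed under another key, and an expired one all fall through to the unauthenticated branch (401, or 302 when a redirect was supplied), matching the endpoint's status table.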

About

Authentication service using OpenID Connect