{"id":30027781,"url":"https://github.com/nihalgonsalves/oidc-cookie-forward-auth","last_synced_at":"2026-05-30T01:03:46.721Z","repository":{"id":306648203,"uuid":"1026831071","full_name":"nihalgonsalves/oidc-cookie-forward-auth","owner":"nihalgonsalves","description":"Simple forward-auth provider to make cookie-based auth compatible with OpenID Connect","archived":false,"fork":false,"pushed_at":"2026-05-06T21:21:58.000Z","size":75,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-06T23:30:56.506Z","etag":null,"topics":["forward-auth","oidc","oidc-proxy","traefik"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nihalgonsalves.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-26T17:48:31.000Z","updated_at":"2026-05-06T21:22:01.000Z","dependencies_parsed_at":"2025-07-26T23:02:25.976Z","dependency_job_id":"92d00648-d06a-407a-8134-b34d58b39eea","html_url":"https://github.com/nihalgonsalves/oidc-cookie-forward-auth","commit_stats":null,"previous_names":["nihalgonsalves/oidc-cookie-forward-auth"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/nihalgonsalves/oidc-cookie-forward-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nihalgonsalves%2Foidc-cookie-forward-auth","tags_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nihalgonsalves%2Foidc-cookie-forward-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nihalgonsalves%2Foidc-cookie-forward-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nihalgonsalves%2Foidc-cookie-forward-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nihalgonsalves","download_url":"https://codeload.github.com/nihalgonsalves/oidc-cookie-forward-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nihalgonsalves%2Foidc-cookie-forward-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33676192,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forward-auth","oidc","oidc-proxy","traefik"],"created_at":"2025-08-06T13:57:05.483Z","updated_at":"2026-05-30T01:03:46.716Z","avatar_url":"https://github.com/nihalgonsalves.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OIDC Cookie Forward-Auth\n\nThis is a simple forward-auth middleware for Traefik that handles cookie-based\nauth on behalf of a user authenticated via OpenID Connect.\n\nApps such as 
[tinyauth](https://github.com/steveiliop56/tinyauth) or\n[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) can protect\nunauthenticated apps or apps that support auth via a plain header, but do not\nprovide support for stateful authentication.\n\nThis forward-auth middleware keeps track of cookies as part of the forward-auth\nsession, and provides them to the reverse-proxy forward-auth handler, to be used\nin the origin request.\n\nThe forward-auth endpoint / server is never exposed. Everything is handled via\nthe forward-auth middleware.\n\n## Setup\n\n### Prerequisites\n\n- A reverse proxy with forward-auth support (only [Traefik][traefik] is\n  currently supported and tested). See [Limitations](#limitations).\n- An OIDC provider, such as [Pocket ID][pocket-id]. Any provider conforming to\n  the OIDC specification should work.\n\n[traefik]: https://doc.traefik.io/traefik/getting-started/install-traefik/\n[pocket-id]: https://github.com/pocket-id/pocket-id\n\n### Configuration reference\n\n#### Environment variables\n\n| Name                   | Description                                                                          |\n| ---------------------- | ------------------------------------------------------------------------------------ |\n| CLIENT_ID              | OAuth2 Client ID                                                                     |\n| CLIENT_SECRET          | OAuth2 Client Secret                                                                 |\n| OIDC_ISSUER_CONFIG_URL | Fully qualified OIDC issuer URL, e.g. `https://auth.example.com/`                    |\n| SQLITE_PATH            | Database file, e.g. 
`/var/lib/oidc/db/sessions.db`, defaults to in-memory if not set |\n| DOMAIN_BASE            | Base domain, used to shorten the config filenames                                    |\n| UNSAFE_COOKIE_INSECURE | Can be set to `true` or `1` to enable using insecure session cookies                 |\n\n#### Configuration files\n\nYou must create a new config file in `/var/lib/oidc/config/` for each host you\nwant to support.\n\nFor example, if you have `https://whoami.example.com`, set your `DOMAIN_BASE` to\n`.example.com`, and create a config file at `/var/lib/oidc/config/whoami.ts`.\n\n### Step-by-step\n\n\u003e [!TIP] There's a complete example in the\n\u003e [./docs/example/ directory](./docs/example/)\n\n1. Make sure you have\n   [Traefik set up with SSL](https://doc.traefik.io/traefik/https/overview/)\n   correctly\n\n1. Create a new OIDC client in your provider. The redirect URL is\n   `https://whoami.example.com/oauth2/callback` – the same host as your regular\n   service. The forward-auth proxy itself is not exposed.\n\n   If you need to protect multiple hosts, you can set a wildcard redirect URL,\n   list all the hosts, or create a client per host (as well as a forward-auth\n   container and middleware per host).\n\n
1. Add the forward-auth container and the middleware to the service you want to\n   protect:\n\n   ```yaml\n   services:\n     # ...\n     oidc-cookie-forward-auth:\n       image: ghcr.io/nihalgonsalves/oidc-cookie-forward-auth:latest\n       # depends_on:\n       #   pocket-id:\n       #     condition: service_healthy\n       restart: unless-stopped\n       env_file:\n         # this file should contain:\n         # CLIENT_ID=...\n         # CLIENT_SECRET=...\n         - .env.oidc-cookie-forward-auth\n       environment:\n         # you can omit this and the DB volume if you'd like sessions not to\n         # be persisted across container restarts\n         SQLITE_DB: /var/lib/oidc/db/sessions.db\n         OIDC_ISSUER_CONFIG_URL: \"https://auth.example.com/.well-known/openid-configuration\"\n         DOMAIN_BASE: \".example.com\"\n       volumes:\n         - oidc-db:/var/lib/oidc/db\n         # or other local path to store the config\n         - ./config/:/var/lib/oidc/config\n       expose:\n         - 3000\n       labels:\n         traefik.enable: true\n         traefik.http.middlewares.oidc-cookie-forward-auth.forwardauth.address: http://oidc-cookie-forward-auth:3000/oauth2/traefik\n         traefik.http.middlewares.oidc-cookie-forward-auth.forwardauth.authResponseHeaders: cookie\n\n     # ...\n\n     # the protected service must sit under `services:` alongside the\n     # forward-auth container, otherwise Compose treats it as a top-level key\n     whoami:\n       depends_on:\n         oidc-cookie-forward-auth:\n           condition: service_healthy\n       image: traefik/whoami:latest\n       restart: unless-stopped\n       labels:\n         traefik.enable: true\n         traefik.http.routers.whoami.rule: Host(`whoami.example.com`)\n         traefik.http.routers.whoami.entrypoints: websecure\n         traefik.http.routers.whoami.middlewares: oidc-cookie-forward-auth\n\n   volumes:\n     oidc-db:\n   ```\n\n
1. Create a config file:\n\n   ```ts\n   // ./config/whoami.ts\n   export const config = {\n   \t// this is any function that returns a fetch Response containing\n   \t// the Set-Cookie headers\n   \tgetUpstreamCookies: () =\u003e\n   \t\tfetch(new URL(\"http://whoami:80/auth/signin\"), {\n   \t\t\tmethod: \"POST\",\n   \t\t\tbody: new URLSearchParams({\n   \t\t\t\t// you can also add env variables to the cookie auth file\n   \t\t\t\t// and reference them using process.env.NAME\n   \t\t\t\tusername: \"admin\",\n   \t\t\t\tpassword: \"password\",\n   \t\t\t}),\n   \t\t}),\n   \t// this is a validation request to make sure the session is still valid.\n   \t// use any URL that is only accessible when logged in.\n   \t// this enables the user to use logout functionality inside the origin\n   \t// app and seamlessly invalidate the OIDC session too.\n   \tvalidateUpstreamSession: async (headers: Bun.HeadersInit) =\u003e {\n   \t\ttry {\n   \t\t\tconst response = await fetch(new URL(\"http://whoami:80/me\"), {\n   \t\t\t\theaders,\n   \t\t\t\tredirect: \"manual\",\n   \t\t\t});\n\n   \t\t\treturn response.ok;\n   \t\t} catch {\n   \t\t\treturn false;\n   \t\t}\n   \t},\n   };\n   ```\n\n1. That's it. Start the container, and visit your service, for example\n   \u003chttps://whoami.example.com/\u003e. You should be redirected to the OIDC provider.\n\n   Once logged in there, `getUpstreamCookies` will be called to log in to the\n   origin service, creating a session in the forward-auth service.\n\n   Every subsequent request will be re-validated using\n   `validateUpstreamSession`, and then the valid cookies will be sent to the\n   reverse proxy to be provided to the origin request.\n\n## Limitations\n\n- This has only been tested with Traefik, but Caddy and nginx also support\n  forward-auth and should work.\n- While an upstream session is unique to a browser session, this doesn't support\n  any sub-configuration based on the user (e.g. groups). Access is\n  allowed as long as the OIDC provider authorises the user to access this\n  client.\n
","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnihalgonsalves%2Foidc-cookie-forward-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnihalgonsalves%2Foidc-cookie-forward-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnihalgonsalves%2Foidc-cookie-forward-auth/lists"}