{"id":20102943,"url":"https://github.com/stackrox/infra-auth-lib","last_synced_at":"2026-05-05T16:42:22.920Z","repository":{"id":153394493,"uuid":"623423993","full_name":"stackrox/infra-auth-lib","owner":"stackrox","description":"Auth Library for infra\u0026automation services for OIDC","archived":false,"fork":false,"pushed_at":"2024-05-29T15:58:36.000Z","size":184,"stargazers_count":0,"open_issues_count":9,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-13T04:40:12.892Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-04T10:47:56.000Z","updated_at":"2024-05-29T15:58:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"0d5d4b0d-b2eb-433a-b2ae-ebb9edfc47f9","html_url":"https://github.com/stackrox/infra-auth-lib","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Finfra-auth-lib","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Finfra-auth-lib/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Finfra-auth-lib/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Finfra-auth-lib/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/infra-auth-lib/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241542436,"owners_count":19979317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:44.471Z","updated_at":"2026-05-05T16:42:22.854Z","avatar_url":"https://github.com/stackrox.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# infra-auth-lib\n\nAuth Library for infra\u0026automation services for OIDC.\n\n## How to create the OIDC configuration file\n\nCreate an OIDC application on your identity provider. Remember the client ID, client secret, issuer, and which endpoint(s) you configured.\n\nGenerate a session secret with:\n\n```bash\npython3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'\n```\n\nCreate the file. Your `oidc.yaml` config can look like this, if the IDP provides a well-known OpenID configuration.\n\n```yaml\nissuer: https://idp.company.corp\n```\n\nIf your IDP does not provide the configuration file, you can still configure this manually. Your `oidc.yaml` may look like:\n\n```yaml\nofflineProviderConfig: true\nissuer: https://idp.company.corp\nauthUrl: https://idp.company.corp/oauth/authorize\ntokenUrl: https://idp.company.corp/oauth/token\nuserInfoUrl: https://idp.company.corp/oauth/userinfo\njwksUrl: https://idp.company.corp/oauth/discovery/keys\nalgorithms:\n  - RS256\n```\n\nIn either case, add the client and session information, the endpoint, additional access token claims, the allowed email suffix, and blocked email addresses to this file:\n\n```yaml\nclientID: awesome-application-id\nclientSecret: Y0xZeFNYVVNkLWJMRWJ0cXNzbmk4QUNna3o1dGUyOTZsUWRCcjFBak51Yz0K\nsessionSecret: Tf12qmXZ5y3kWK5M9wmc_dXjN0GUwhtEcErixd07n1U=\nendpoint: your-app.company.corp\naccessTokenClaims:\n  - value: https://idp.company.corp\n    op: eq\n    path: iss\n  - value: authorized-users\n    op: in\n    path: realm_access.roles\nallowedEmailSuffix: \"@company.com\"\nemailBlockList:\n  - donotreply@invalid.domain\n```\n\n## How it works\n\n### Login flow for humans\n\n![Auth Flow for Login](docs/images/auth-flow-login.drawio.png)\n\nThis diagram shows the initial login flow.\nFor subsequent access, if the token stored in the cookie is still valid, the hop to the identity provider is skipped.\n\nThe authentication middleware in the backend transforms the user token into a service account, which can be accessed from the context in the request handlers.\n\n### Human access to backend with Service Account Token\n\n![Auth Flow for Humans with Service Account Token](docs/images/auth-flow-human-sa-token.drawio.png)\n\nHumans can access their service account token through the UI (or by calling the `/token` endpoint directly).\nThey authenticate this request with their user token, provided by the identity provider.\n\nThe returned service account token can be used for subsequent API requests.\n\n### Technical user access to backend with Service Account Token\n\n![Auth Flow for Generating Service Account Tokens for Technical Users](docs/images/auth-flow-robot-sa-token.drawio.png)\n\nAn administrator calls the `/create-token` endpoint with the admin password from the server configuration.\nIn this request, they must specify a name, a description and an email address.\n\nThe returned service account token can be used for subsequent API requests.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Finfra-auth-lib","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Finfra-auth-lib","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Finfra-auth-lib/lists"}