{"id":13757442,"url":"https://github.com/wolfeidau/website-openid-proxy","last_synced_at":"2026-03-13T23:32:17.624Z","repository":{"id":54895919,"uuid":"329738407","full_name":"wolfeidau/website-openid-proxy","owner":"wolfeidau","description":"This service provides authenticated access to a static website hosted in an s3 bucket.","archived":false,"fork":false,"pushed_at":"2023-02-25T06:33:23.000Z","size":164,"stargazers_count":32,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-12T18:03:11.463Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wolfeidau.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-01-14T21:26:45.000Z","updated_at":"2025-05-12T09:16:08.000Z","dependencies_parsed_at":"2024-04-02T12:54:57.630Z","dependency_job_id":"e950d9d7-735b-453f-9249-6e0d0a65c6e7","html_url":"https://github.com/wolfeidau/website-openid-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wolfeidau/website-openid-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fwebsite-openid-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fwebsite-openid-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fwebsite-openid-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fwebsite-openid-pr
oxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wolfeidau","download_url":"https://codeload.github.com/wolfeidau/website-openid-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fwebsite-openid-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30479363,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-13T20:45:58.186Z","status":"ssl_error","status_checked_at":"2026-03-13T20:45:20.133Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T12:00:38.474Z","updated_at":"2026-03-13T23:32:17.609Z","avatar_url":"https://github.com/wolfeidau.png","language":"Go","funding_links":[],"categories":["Other Awesome Lists"],"sub_categories":["Misc"],"readme":"# website-openid-proxy\n\nThis service provides [OpenID](https://openid.net/) authenticated access to a static website hosted in an s3 bucket.  \n\nIt is designed to be a simple way to add authentication to [static websites](https://en.wikipedia.org/wiki/Static_web_page) stored in [AWS S3](https://aws.amazon.com/s3/).\n\nThis service uses [AWS API Gateway](https://aws.amazon.com/api-gateway/) HTTP APIs and is powered by [AWS Lambda](https://aws.amazon.com/lambda/).\n\n# How it works\n\n![ArchitectureDiagram](docs/images/diagram.png)\n\n1. 
Each request to the site checks for a session cookie prior to returning a response. If a user accesses the site for the first time, they are redirected to the OpenID provider.\n2. The user authenticates with the OpenID provider and is redirected back to the website as per the [OAuth 2.0 Authorization Code Grant Type](https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type#what-is-an-oauth-20-grant-type).\n3. After authentication occurs the user's info is retrieved; this includes `sub` and `email`, both of which are saved to the user's session and logged when accessing content. [PKCE](https://oauth.net/2/pkce/) is used to add an extra layer of verification for this exchange.\n4. The service uses the API Gateway version 2 format, which includes support for cookies; this is translated to normal HTTP requests using [apex/gateway](https://github.com/apex/gateway).\n5. GET requests are translated into GetObject requests which retrieve objects from the S3 bucket using [wolfeidau/echo-s3-middleware](https://github.com/wolfeidau/echo-s3-middleware). All these requests pass through the service.\n6. The secret used to sign session cookies is stored in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/).\n\n## Cookies\n\nThis service uses two cookies to manage state; both are signed using [gorilla/securecookie](https://github.com/gorilla/securecookie) with a secret generated by AWS Secrets Manager. Both cookies are also marked as `secure` and `httpOnly` in line with best practices.\n\nFor reference these cookies are:\n\n* `proxy_auth_session` is used to store the oauth2 state variable during authentication and has an expiry of 5 minutes.\n* `proxy_login_session` is used to check that you are logged in during the life of your session; this has an expiry of 8 hours.\n\n# Goals\n\n1. Provide simple authenticated access to static websites hosted in s3.\n2. Utilise AWS lambda and API Gateway to enable low cost hosting.\n3. 
Take advantage of the rate limiting provided by AWS API Gateway to ensure access isn't possible using [brute force attacks](https://en.wikipedia.org/wiki/Brute-force_attack).\n4. Use existing open source libraries to provide secure access via cookies.\n5. Support OpenID authentication of users accessing the site.\n\n# Deployment\n\nYou will need the following tools.\n\n* [AWS cli](https://aws.amazon.com/cli/) \n* [SAM cli](https://github.com/aws/aws-sam-cli)\n\nYou will also need an AWS profile set up with your [aws credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).\n\nCreate an OpenID application in a service such as [Okta](https://www.okta.com/).\n\nCreate a .envrc file using [direnv](https://direnv.net/).\n\n```bash\n#!/bin/bash\n\nexport AWS_PROFILE=wolfeidau\nexport AWS_DEFAULT_PROFILE=wolfeidau\nexport AWS_REGION=ap-southeast-2\n\n# these are provided by your OpenID provider \nexport CLIENT_ID=xxxxxxxxx\nexport CLIENT_SECRET=xxxxxxxxx\nexport ISSUER=https://dev-xxxxxx.okta.com\n\nexport HOSTED_ZONE_ID=XXXXXXXXXX\n\n# results in $SUBDOMAIN_NAME.$HOSTED_ZONE_NAME or something.wolfe.id.au\nexport HOSTED_ZONE_NAME=wolfe.id.au\nexport SUBDOMAIN_NAME=something\n```\n\nRun make.\n\n```bash\nmake\n```\n\n# TODO\n\n* [ ] Add an example using [AWS Cognito](https://aws.amazon.com/cognito/) via OpenID.\n* [ ] Add an example with [Amazon Cloudfront](https://aws.amazon.com/cloudfront/) in front of the API Gateway supporting the use of [AWS WAF](https://aws.amazon.com/waf/) to enable IP whitelisting and other [AWS managed rule sets](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for compliance. 
\n* [ ] Provide some options to configure which cache headers are sent for single page applications which already use [cache busting](https://www.keycdn.com/support/what-is-cache-busting) for their assets.\n* [ ] Containerise this service to enable running in [AWS fargate](https://aws.amazon.com/fargate/) or possibly [kubernetes](https://kubernetes.io/).\n\n# License\n\nThis application is released under the Apache 2.0 license and is copyright [Mark Wolfe](https://www.wolfe.id.au).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwolfeidau%2Fwebsite-openid-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwolfeidau%2Fwebsite-openid-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwolfeidau%2Fwebsite-openid-proxy/lists"}