Skip to content

lele-blue/poiSSOn

BranchesTags

Repository files navigation

Very simple and specific SSO

This is an SSO service that is tailored to operate primarily on the nginx auth_request directive.

Key features:

  • Can easily be retrofitted to services that don't support authentication (like static sites), or SSO (i retrofitted FoundryVTT with this)
  • Provides anonymous One time code login for users without an account
  • Provides a OIDC interface for services that support OAuth (may need a bit more work though, very basic atm)
  • Provides a dashboard with a collection of links that is configurable per user

Setup

Something like

cd src
npm i
npm run build
cd ..
docker compose build
docker compose up

Note: The nginx service can also be external, in that case replace the URL web below with localhost, assuming everything is on one server

Then add this to each server block in nginx where you want to pretect routes (which can be cross-origin, in that case the user session is transferred between origins)

            error_page 401 = @error401;
            location /auth/api/ping {
                    internal;
                    proxy_pass 'http://web:2312'; # This has to point to your INTERNAL sso instance
                    proxy_set_header Host $host;
                    proxy_set_header X-Original-URL $scheme://$host:$server_port$request_uri;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
            location @error401 {
                    return 302 https://public_sso.domain.url/auth/go/unauthenticated?url=$scheme://$host:$server_port$request_uri; # sso URL, this has to point to your PUBLIC sso instance
            }
            location /_sso/ {
                    proxy_pass http://web:2312/auth/crossorigin; # sso URL, this has to point to your INTERNAL sso instance
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
            }

And finally this to your locations you want to protect

auth_request /auth/api/ping;

then create a service via /auth/go/admin, fill in sub_url as your nginx location (WITHOUT origin), and use domain:port as origin (no https://). Choose an icon from https://github.com/Ertego/sso/blob/publish/src/src/components/Icon.svelte#L2

Your may also want to create a UserServiceConnection, which is basically a permission grant for a user (leave username and passwordPlain empty, those are for more advanced retrofitting)

About

Mirror of https://gitlab.cs.fau.de/jo96xiry/poisson

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages