Multi-Tenant OAuth2 Authentication Proxy
A lightweight, high-performance OAuth2 reverse proxy written in Go that supports multiple tenants, providers, and integrates seamlessly with nginx's auth_request module. Perfect for SaaS platforms, white-label applications, and enterprise authentication.
- Landlord & Tenant Admin: Global admin plus per-tenant self-service admin
- 15+ OAuth Providers: Google, GitHub, GitLab, Azure AD, Okta, Auth0, AWS Cognito, Discord, Slack, Apple, Facebook, Twitter/X, Bitbucket, Generic OIDC
- Multi-Site Support: Unlimited tenants with independent configuration
- Auto-Setup Sites: Drop credential files into a directory for automatic site provisioning
- Secure Session Management: Cookie-based (stateless) or Redis-backed sessions
- Hot Config Reload: Automatic file watching or manual API reload without restart
- Modern Admin UI: Dark/light themes, responsive design, full CRUD operations
- Advanced Configuration: Environment variables, file loading, modular configs, secret manager integration
- Docker Ready: Multi-stage Docker build with minimal footprint (<25MB)
- High Performance: Stateless architecture, optional Redis for scale
- nginx Integration: Native support for nginx
auth_requestmodule - Rate Limiting: Per-IP rate limiting on all auth endpoints (10k verify/min, 1k login/min)
- Prometheus Metrics: Full observability with Prometheus-format metrics
- Request Tracing: Request ID propagation for distributed tracing
- API Keys: Machine-to-machine authentication with scoped access
- Email Notifications: Login alerts, security events, API key management
- Token Refresh: Automatic OAuth token renewal for 9+ providers
- Custom Branding: Per-tenant logos, colors, and themes
- Session Management UI: View and revoke active sessions
- Webhook Events: Login, logout, session revoked, config changed, access denied
- OpenAPI Spec: Complete API documentation in OpenAPI 3.0.3 format
Dashboard - Sites |
OAuth Providers Management |
Site Configuration |
|
git clone <your-repo-url>
cd authlord
cp config.example.json config.json- Go to Google Cloud Console
- Create a new project or select existing
- Enable "Google+ API"
- Go to "Credentials" → "Create Credentials" → "OAuth 2.0 Client ID"
- Set authorized redirect URIs:
https://your-domain.com/auth/callback - Copy Client ID and Client Secret to
config.json
- Go to GitHub Developer Settings
- Click "New OAuth App"
- Set Authorization callback URL:
https://your-domain.com/auth/callback - Copy Client ID and Client Secret to
config.json
# Generate cookie secret
./authlord secret
# Edit config.json with your OAuth credentialsSee config.example.json for a complete configuration template.
docker compose up -d --build
# for dev
docker compose --profile dev upThe proxy will be available at http://localhost:8080
Navigate to http://localhost:8080/admin/
OAuth-based access (recommended):
- You'll be redirected to OAuth provider login
- After authentication, access is granted if your email is in
allowed_emails
See docs/ADMIN_SETUP.md for detailed setup instructions.
server {
listen 443 ssl;
http2 on;
server_name app.example.com;
ssl_certificate /etc/nginx/ssl/app.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/app.example.com.key;
# AuthLord endpoints (must come BEFORE protected locations)
location /auth/ {
proxy_pass http://authlord:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
}
# Protected application
location / {
# AuthLord OAuth Protection
auth_request /auth/verify;
error_page 401 = @error401;
# Capture user info
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# Forward to backend
proxy_pass http://backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Handle 401 errors - redirect to login
location @error401 {
return 302 https://auth.example.com/auth/login?site=app.example.com&rd=https://$host$request_uri;
}
}CRITICAL: The /auth/ location must come BEFORE the protected / location to prevent redirect loops on OAuth callback.
See docs/NGINX.md for comprehensive nginx configuration examples.
Each site (tenant) operates independently with:
- Separate OAuth providers or shared providers
- Independent access control (email/domain whitelists)
- Custom branding and pages
- Per-tenant session configuration
- Optional self-service tenant admin access
See docs/MULTI_TENANT.md for detailed multi-tenant guide.
Give enterprise customers admin access to manage their own tenant without accessing other tenants:
{
"sites": [{
"id": "acme-corp",
"domain": "acme.example.com",
"tenant_admin_mode": true,
"tenant_admins": ["admin@acmecorp.com"],
"allowed_domains": ["acmecorp.com"]
}]
}Tenant admins can manage access control, customize pages, and configure OAuth scopes for their site.
See docs/TENANT_ADMIN.md for complete tenant admin guide.
Create API keys for backend services and automation:
# Create via Admin UI or Tenant Admin UI
# Or via API:
curl -X POST http://localhost:8080/tenant-admin/sites/my-site/api-keys \
-H "Cookie: session_cookie" \
-d '{
"name": "Backend Service",
"description": "Production API access",
"scopes": ["read", "write"]
}'Use API keys in your applications:
curl -H "Authorization: Bearer authlord_key_xxxxx" \
https://app.example.com/api/dataSee docs/API_KEYS_USAGE.md for usage guide with code examples.
Automated security notifications for:
- Login alerts (new login from known or new device)
- API key created/revoked alerts
- Security events
Configurable SMTP settings with customizable HTML/plain text templates.
See docs/EMAIL_NOTIFICATIONS.md for setup and customization.
View and manage active sessions:
- List all active sessions per site *
- View session details (device, location, last activity) *
- Revoke individual sessions *
- Bulk revoke all sessions *
- Supports both cookie and Redis session stores
*Redis session store is optional but required for these features.
See docs/REDIS_SESSIONS.md for Redis configuration.
Per-tenant customization:
- Custom logos (light/dark mode)
- Brand colors and themes
- Custom login/logout/error pages
- Favicon customization
See docs/BRANDING.md for branding guide.
Automatic OAuth token renewal for maintained access to provider APIs:
- Automatic refresh before expiration
- Non-blocking, transparent to users
- Supports 9+ providers (Google, GitHub, Azure AD, Okta, Auth0, etc.)
- Configurable refresh timing
See docs/TOKEN_REFRESH.md for details.
{
"listen_address": ":8080",
"admin_enabled": true,
"admin_auth": {
"allowed_emails": ["admin@example.com"],
"require_oauth": true,
"admin_provider_id": "google-provider",
"admin_cookie_name": "_oauth2_admin",
"admin_cookie_secret": "your-32-char-secret"
},
"sites": [
{
"id": "my-app",
"domain": "app.example.com",
"provider_id": "google-provider",
"cookie_secret": "your-32-char-secret",
"allowed_domains": ["example.com"]
}
],
"providers": [
{
"id": "google-provider",
"type": "google",
"client_id": "xxx.apps.googleusercontent.com",
"client_secret": "your-secret",
"redirect_url": "https://app.example.com/auth/callback"
}
]
}AuthLord supports powerful configuration features:
Environment Variables:
{
"client_secret": "$ENV['OAUTH_SECRET']"
}File Loading (Docker Secrets, K8s Secrets):
{
"client_secret": "/run/secrets/oauth-secret",
"allowed_emails": "/etc/authlord/users.txt"
}Modular Configuration:
{
"include": [
"./config/providers.json",
"./config/sites/*.json",
"/etc/authlord/tenants"
]
}See docs/CONFIGURATION.md for comprehensive configuration guide.
GET /auth/verify- nginx auth_request endpointGET /auth/login?rd=/path- Initiate OAuth loginGET /auth/callback- OAuth callback handlerGET /auth/logout?rd=/path- Logout
All admin endpoints require authentication (OAuth or Basic Auth).
Sites:
GET /admin/api/sites- List sitesPOST /admin/api/sites- Create siteGET /admin/api/sites/:id- Get sitePUT /admin/api/sites/:id- Update siteDELETE /admin/api/sites/:id- Delete site
Providers:
GET /admin/api/providers- List providersPOST /admin/api/providers- Create providerGET /admin/api/providers/:id- Get providerPUT /admin/api/providers/:id- Update providerDELETE /admin/api/providers/:id- Delete provider
Sessions:
GET /admin/api/sites/:id/sessions- List active sessionsDELETE /admin/api/sites/:id/sessions/:session_id- Revoke session
API Keys:
GET /tenant-admin/sites/:id/api-keys- List API keysPOST /tenant-admin/sites/:id/api-keys- Create API keyPUT /tenant-admin/sites/:id/api-keys/:key_id/revoke- Revoke API keyDELETE /tenant-admin/sites/:id/api-keys/:key_id- Delete API key
GET /health- Health check endpointGET /health/live- Liveness probeGET /health/ready- Readiness probe
GET /metrics- Prometheus metrics endpoint
Includes:
- Authentication metrics (verify, login, callback success/failure by site)
- HTTP request counters by method and status
- Request duration percentiles (p50, p95, p99)
- Active users gauge per site
- Rate limiter statistics
authlord validate # Validate configuration file
authlord secret # Generate secure cookie secret
authlord health # Health check (for Docker healthcheck)
authlord version # Show version info
authlord help # Show helpSee docs/API.md for complete API reference.
# Install dependencies
go mod download
# Build
go build -o authlord cmd/authlord/main.go
# Run
./authlordgo test ./...docker build -t authlord:latest .Expected Performance:
- Auth verification: <1ms
- OAuth callback: <200ms
- Admin API: <10ms
- Memory usage: <30MB
- Binary size: ~15MB
- Container size: ~25MB
- HTTPS Required: Always use HTTPS in production
- Strong Secrets: Use cryptographically secure random secrets (32+ bytes)
- Cookie Security: Cookies are encrypted, signed, and marked HttpOnly/Secure
- OAuth State: CSRF protection via state parameter
- Admin Access: Protect admin UI with OAuth or strong credentials
- Email Verification: Providers check verified_email
See docs/ADMIN_SECURITY.md for security best practices.
- Quick Start - Get running in 5 minutes
- Admin Setup - Configure admin access
- nginx Integration - Comprehensive nginx examples
- Configuration Guide - Advanced features, examples, best practices
- Config Reload - Hot-reload configuration without restart
- Auto-Setup Sites - Automatic site provisioning from credential files
- Multi-Tenant Guide - Per-tenant OAuth, scopes, and isolation
- OAuth Scopes - Per-tenant scope configuration
- Redis Sessions - Server-side session storage
- Token Refresh - Automatic OAuth token renewal
- Custom Branding - Per-tenant styling and themes
- Email Notifications - Security alerts and notifications
- API Keys Usage - Machine-to-machine authentication
- HTTP Status Codes - Error handling reference
- Landlord Admin Guide - Global admin configuration
- Tenant Admin Guide - Self-service tenant management
- API Documentation - REST API reference
- OpenAPI Specification - OpenAPI 3.0.3 spec for API tools
- Admin Security - Security best practices
- Architecture - System design and components
- Features - Complete feature list
- Observability - Metrics, logging, and tracing
"redirect_uri_mismatch"
- Ensure redirect URL in config matches OAuth app settings exactly
- Include protocol (https://) and path (/auth/callback)
"Email not verified"
- User must verify their email with the provider
Sessions not persisting
- Check cookie_secret is consistent
- Verify browser accepts cookies
- Ensure Secure flag works (requires HTTPS)
401 errors on every request
- Verify
/auth/location is properly configured - Check authlord is accessible from nginx
- Ensure Host header is forwarded correctly
Contributions are welcome! Please read the contributing guidelines before submitting PRs.
MIT License - see LICENSE file for details.
- Documentation: docs/
- Issues: GitHub Issues
- Discussions: GitHub Discussions
AuthLord - Multi-Tenant OAuth2 Authentication Proxy
Built with:


