Skip to content
/ cfauth Public template
forked from matthewpi/access-oidc

OpenID Connect endpoint running on Cloudflare Workers, with DurableObjects for data storage and Cloudflare Access for auth/access control

n.berlette.com/cfauth

License

MIT license
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nberlette/cfauth

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.husky
.husky
 
 
.yarn/releases
.yarn/releases
 
 
src
src
 
 
.editorconfig
.editorconfig
 
 
.eslintignore
.eslintignore
 
 
.gitignore
.gitignore
 
 
.prettierignore
.prettierignore
 
 
.prettierrc.json
.prettierrc.json
 
 
.yarnrc.yml
.yarnrc.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.cjs
build.cjs
 
 
openapi.yaml
openapi.yaml
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 
wrangler.example.toml
wrangler.example.toml
 
 
yarn.lock
yarn.lock
 
 

Repository files navigation

Access OIDC

OpenID Connect server running on Cloudflare Workers and authenticated by Cloudflare Access.

Usage

Prerequisites

First-time Setup

If this is the first time you are deploying the Worker, you will need to run the following commands in order to setup the wrangler configuration.

Copy the wrangler.example.toml:

cp wrangler.example.toml wrangler.toml

Open the wrangler.toml you just copied in an editor of your choice, replace:

  1. <ACCOUNT_ID> and <ZONE_ID>, click this link and select the target account and domain, then scroll down on the page until you see the API section on the left side of the page.
    1. This link is a magic link for Cloudflare's Dashboard which will force you to select and account and domain so you can find your Account ID and Zone ID easier, you can avoid using that link if you login to the dashboard and select a domain from one of your accounts.
  2. <DOMAIN>, this should be the same domain you selected in the previous step or a subdomain of it.
    1. So if you selected example.com in the step above, you must use example.com OR *.example.com
  3. Set the value of the SECRET_CF_ACCESS_TEAM variable to your Access Team Name
  4. Create an Application
    1. Application type Self-hosted
    2. Application name, whatever you want. I used OpenID Connect Identity Provider.
    3. Session duration, whatever you want. I used 30 minutes.
    4. Application domain, use <DOMAIN> from the previous step. For the path, use /protocol/openid-connect/auth
    5. Click Next and configure whatever polices you want.
    6. Click Next, leave the CORS Settings empty
      1. Set Same Site Attribute to Strict
      2. Enable HTTP Only
      3. Keep Enable Binding Cookie disabled
        1. Enabling this setting will cause a redirect loop when using the auth endpoint.
    7. Click Add application
    8. Edit the application, select Overview.
    9. Copy Application Audience (AUD) Tag and update the value of the SECRET_CF_ACCESS_AUD variable.

Create a KV namespace:

wrangler kv:namespace create "KV_OIDC"

Once created, add it to the wrangler.toml under the kv_namespaces field.

Development

Install dependencies:

yarn install --immutable

Start the miniflare development server:

yarn run dev

Production

This project uses Durable Objects which requires the Workers Paid plan. See Durable Objects Pricing for more information.

This worker will not work properly if you deploy the worker with only a workers.dev domain, the /protocol/openid-connect/auth endpoint needs to be protected by Cloudflare Access which can only be done with a custom domain.

Install dependencies:

yarn install --immutable

Deploy the worker:

wrangler publish

References

  • The OAuth 2.0 Authorization Framework RFC 6749
    • Implemented Partially
    • Response Types
      • Authorization Code code - Implemented
      • Implicit token - Unsupported
        • "NOTE: While OAuth 2.0 also defines the token Response Type value for the Implicit Flow, OpenID Connect does not use this Response Type, since no ID Token would be returned." ref
        • Use the id_token or id_token token Response Types from the OpenID Connect Core spec instead
    • Grant Types
      • Authorization Code authorization_code - Implemented
      • Access Token client_credentials - Unimplemented
      • Refresh Token refresh_token - Unimplemented
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750
    • Implemented
  • OAuth 2.0 Token Revocation RFC 7009
    • Soon™
  • Proof Key for Code Exchange by OAuth Public Clients RFC 7636
    • Implemented
  • OAuth 2.0 Token Introspection RFC 7662
    • Soon™
  • OAuth 2.0 for Native Apps RFC 8252
    • Soon™
  • OAuth 2.0 Authorization Server Metadata RFC 8414
    • Soon™
  • OAuth 2.0 Device Authorization Grant RFC 8628
    • Soon™
  • OpenID Connect Core
    • Implemented Partially
    • Response Types
      • Authorization Code code - Implemented
      • Implicit id_token, id_token token - Implemented (untested)
      • Hybrid code id_token, code token, code id_token token - Implemented (untested)
    • Grant Types
  • OpenID Connect Discovery
    • Implemented
  • OpenID Client Registration
    • Implemented Partially

Security Considerations

Notable Mentions

About

OpenID Connect endpoint running on Cloudflare Workers, with DurableObjects for data storage and Cloudflare Access for auth/access control

n.berlette.com/cfauth

Topics

authentication workers cloudflare openid access-control cloudflare-access durableobjects

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Languages

  • TypeScript 99.3%
  • Other 0.7%