This commit adds OpenID Connect (OIDC) provider functionality to tinyauth, allowing it to act as an OIDC identity provider for other applications. Features: - OIDC discovery endpoint at /.well-known/openid-configuration - Authorization endpoint for OAuth 2.0 authorization code flow - Token endpoint for exchanging authorization codes for tokens - ID token generation with JWT signing - JWKS endpoint for public key distribution - Support for PKCE (code challenge/verifier) - Nonce validation for ID tokens - Configurable OIDC clients with redirect URIs, scopes, and grant types Validation: - Docker Compose setup for local testing - OIDC test client (oidc-whoami) with session management - Nginx reverse proxy configuration - DNS server (dnsmasq) for custom domain resolution - Chrome launch script for easy testing Configuration: - OIDC configuration in config.yaml - Example configuration in config.example.yaml - Database migrations for OIDC client storage
---
# Tinyauth example configuration.
# Copy this file and replace every placeholder value before use.

# Public base URL under which Tinyauth is reached (scheme included).
appUrl: 'https://auth.example.com'

# Log verbosity; one of: trace, debug, info, warn, error.
logLevel: 'info'

# Directory that static resources are served from.
resourcesDir: './resources'

# Location of the SQLite database file.
databasePath: './tinyauth.db'

# Set to true to opt out of usage analytics.
disableAnalytics: false

# Set to true to stop serving static resources.
disableResources: false

# Set to true to hide warning messages in the UI.
disableUIWarnings: false

# Set to true to emit logs as JSON instead of plain text.
logJSON: false

# --- Server ---
server:
  # TCP port to listen on.
  port: 3000

  # Interface to bind to; '0.0.0.0' listens on every interface.
  address: '0.0.0.0'

  # Optional Unix socket path; when set it takes precedence over port/address.
  socketPath: ''

  # Comma-separated trusted proxy IPs/CIDRs. Leave empty when no reverse proxy
  # sits in front of Tinyauth, and list only proxies you control.
  trustedProxies: ''

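# --- Authentication ---
auth:
  # Local users in the form username:bcrypt_hash. The value below is a
  # placeholder, not a valid bcrypt hash; generate a real one with bcrypt.
  users: 'admin:$2a$10$example_bcrypt_hash_here'

  # Optional path to an external users file (presumably the same
  # username:bcrypt_hash format — confirm); keeps credentials out of this file.
  usersFile: ''

  # Mark the session cookie Secure so browsers only send it over HTTPS.
  # appUrl in this example uses https, so this is true; set it to false only
  # for a deployment that is genuinely served over plain HTTP.
  secureCookie: true

  # Session lifetime in seconds (3600 = 1 hour).
  sessionExpiry: 3600

  # Time allowed to complete a login, in seconds (300 = 5 minutes).
  loginTimeout: 300

  # Failed login attempts permitted before lockout.
  loginMaxRetries: 3
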
# --- OAuth (upstream providers) ---
oauth:
  # Regex an authenticated user's email must match (e.g. /@example\.com$/).
  # An empty value presumably disables the check — confirm against the docs.
  whitelist: ''

  # Provider ID to redirect to automatically, skipping the login page.
  autoRedirect: ''

  # One entry per upstream provider; replace `myprovider` with your own ID.
  providers:
    myprovider:
      clientId: 'your_client_id_here'
      clientSecret: 'your_client_secret_here'
      authUrl: 'https://provider.example.com/oauth/authorize'
      tokenUrl: 'https://provider.example.com/oauth/token'
      userInfoUrl: 'https://provider.example.com/oauth/userinfo'
      # Register this URL with the provider; its last path segment appears to
      # be the provider ID used as the key above.
      redirectUrl: 'https://auth.example.com/api/oauth/callback/myprovider'
      scopes: 'openid email profile'
      # Human-readable provider name.
      name: 'My OAuth Provider'
      # Allow connections to a provider with a self-signed certificate.
      # Keep false outside local testing.
      insecure: false

# --- OIDC provider (Tinyauth acting as identity provider) ---
oidc:
  # Turn the OIDC provider endpoints on.
  enabled: false

  # Issuer URL advertised to clients; empty falls back to appUrl.
  issuer: ''

  # Access token lifetime in seconds (3600 = 1 hour).
  accessTokenExpiry: 3600

  # ID token lifetime in seconds (3600 = 1 hour).
  idTokenExpiry: 3600

  # Registered clients, keyed by client ID.
  clients:
    myapp:
      # Shared secret for this client; prefer clientSecretFile so the secret
      # does not live in this file.
      clientSecret: 'your_client_secret_here'
      # Optional path to a file containing the client secret (alternative to
      # clientSecret).
      clientSecretFile: ''
      # Name shown to users.
      clientName: 'My Application'
      # Redirect URIs this client may use. Plain-http entries are only
      # appropriate for loopback/local testing; production URIs should be https.
      redirectUris:
        - 'https://myapp.example.com/callback'
        - 'http://localhost:3000/callback'
      # Defaults to ['authorization_code'] when omitted.
      grantTypes: ['authorization_code']
      # Defaults to ['code'] when omitted.
      responseTypes: ['code']
      # Defaults to ['openid', 'profile', 'email'] when omitted.
      scopes: ['openid', 'profile', 'email']

# --- UI ---
ui:
  # Title shown on the login page.
  title: 'Tinyauth'

  # Text shown on the forgot-password page.
  forgotPasswordMessage: 'Contact your administrator to reset your password'

  # URL of a background image for the login page; empty for none.
  backgroundImage: ''

# --- LDAP (optional) ---
ldap:
  # LDAP server URL. Plain ldap:// sends the simple-bind password in clear
  # unless StartTLS is negotiated; prefer ldaps:// where available.
  address: 'ldap://ldap.example.com:389'

  # DN used to bind for user lookups; use a read-only account.
  bindDn: 'cn=readonly,dc=example,dc=com'

  # Password for bindDn.
  bindPassword: 'your_bind_password'

  # Base DN that user searches start from.
  baseDn: 'dc=example,dc=com'

  # Search filter; %s is replaced with the login username. NOTE(review): the
  # username should be escaped per RFC 4515 before substitution — confirm the
  # server does this rather than assuming it from this example.
  searchFilter: '(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))'

  # Allow insecure LDAP connections; keep false outside local testing.
  insecure: false