# Auth Proxy

Simple Express proxy that requires a login screen before forwarding requests to an upstream site.

## Usage

1. Create a `config.json` (or copy `config.example.json`) in the project root and configure one or more hosts. Each host can have an `oidc` section to point to a Keycloak/OpenID Provider.

   Example `config.json` (copy from `config.example.json` and edit):

   ```json
   [ ... ]
   ```

2. Set environment variables in a `.env` file (optional):

   ```bash
   PORT=3000
   SESSION_SECRET=change-me
   ```

3. Install and run:

   ```bash
   npm install
   npm start
   ```

4. Open `http://localhost:3000`. If a host requires OIDC, you'll be redirected to Keycloak for login. After a successful OIDC flow the proxy stores tokens in the session and forwards requests to the configured upstream.

## Notes

- For OIDC hosts you must create a Keycloak client (confidential) with an appropriate redirect URI matching the host `redirect_uri` (e.g. `http://localhost:3000/callback/app1`).
- This is a demo scaffold: replace the simple in-memory `USERS` store and the hard-coded session handling, and consider using a persistent session store and HTTPS in production.
- The proxy injects `Authorization: Bearer ` when available and `X-Forwarded-User` with the authenticated username.

## Admin web UI

- There is a minimal admin interface at `http://localhost:3000/admin` to manage hosts (create/edit/delete) and reload OIDC clients.
- Default admin credentials are read from the environment variables `ADMIN_USER` / `ADMIN_PASS` (they default to `admin`/`admin`).
- When you save hosts in the admin UI, they are persisted to `config.json` in the project root.

## Security notes

- Protect the admin UI behind strong credentials and run the proxy with HTTPS in production.
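
Because the upstream trusts the `X-Forwarded-User` and `Authorization` headers the proxy injects, any copy of those headers sent by the client has to be dropped before forwarding. The following is an added example, not code from this project: `buildUpstreamHeaders`, the session shape `{ username, accessToken }` and the sample values are assumptions made for illustration.

```javascript
// Added example (not project code). Assumed session shape: { username, accessToken }.
const IDENTITY_HEADERS = new Set(['authorization', 'x-forwarded-user']);
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;   // includes CR and LF
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;     // RFC 6750 bearer token syntax

function buildUpstreamHeaders(incoming, session) {
  const username = session && session.username;
  if (typeof username !== 'string' || username === '') {
    throw new Error('no authenticated user in session');
  }
  // Reject values that could split or corrupt the header line.
  if (CONTROL_CHARS.test(username)) {
    throw new Error('username contains control characters');
  }
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    const key = name.toLowerCase();
    // Identity headers are set only by the proxy; client copies are dropped.
    if (IDENTITY_HEADERS.has(key)) continue;
    out[key] = value;
  }
  out['x-forwarded-user'] = username;
  if (session.accessToken !== undefined) {
    if (typeof session.accessToken !== 'string' || !B64TOKEN.test(session.accessToken)) {
      throw new Error('access token is not a valid bearer token');
    }
    out['authorization'] = `Bearer ${session.accessToken}`;
  }
  return out;
}

// Constructed sample input: a request that already carries identity headers.
const SAMPLE_REQUEST_HEADERS = {
  'Accept': 'text/html',
  'User-Agent': 'example-client/1.0',
  'X-Forwarded-User': 'someone-else',
  'Authorization': 'Bearer client-supplied-value',
};
const SAMPLE_SESSION = { username: 'alice', accessToken: 'abc.def.ghi' };

console.log(buildUpstreamHeaders(SAMPLE_REQUEST_HEADERS, SAMPLE_SESSION));
```

The header trust only holds if the upstream is reachable solely through the proxy; an upstream that also accepts direct connections sees whatever `X-Forwarded-User` the caller sends.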