Auth Proxy

Simple Express proxy that requires a login screen before forwarding requests to an upstream site.

Usage

1. Create a config.json (or copy config.example.json) in the project root and configure one or more hosts. Each host can have an oidc section to point to a Keycloak/OpenID Provider.

Example config.json (copy from config.example.json and edit):

[ ... ]

2. Set environment variables in a .env file (optional):

PORT=3000
SESSION_SECRET=change-me

3. Install and run:

npm install
npm start

4. Open http://localhost:3000 — if a host requires OIDC you'll be redirected to Keycloak for login. After a successful OIDC flow the proxy stores tokens in the session and forwards requests to the configured upstream.

Notes

• For OIDC hosts you must create a Keycloak client (confidential) with an appropriate redirect URI matching the host redirect_uri (e.g. http://localhost:3000/callback/app1).
• This is a demo scaffold: replace the simple in-memory USERS store, hard-coded session handling, and consider using a persistent session store and HTTPS in production.
• The proxy injects Authorization: Bearer <access_token> when available and X-Forwarded-User with the authenticated username.

Admin web UI

• There is a minimal admin interface at http://localhost:3000/admin to manage hosts (create/edit/delete) and reload OIDC clients.
• Default admin credentials are read from environment variables ADMIN_USER / ADMIN_PASS (defaults to admin/admin).
• When you save hosts in the admin UI they are persisted to config.json in the project root.

Security notes

• Protect the admin UI behind strong credentials and run the proxy with HTTPS in production.