# Auth Proxy

Simple Express proxy that shows a login screen and requires authentication before forwarding requests to an upstream site.

## Usage

1. Create a `config.json` (or copy `config.example.json`) in the project root and configure one or more hosts. Each host can have an `oidc` section that points to a Keycloak/OpenID Provider.

Example `config.json` (copy from `config.example.json` and edit):

```json
[ ... ]
```

2. Set environment variables in a `.env` file (optional):

```bash
PORT=3000
SESSION_SECRET=change-me
```

3. Install and run:

```bash
npm install
npm start
```

4. Open `http://localhost:3000`. If a host requires OIDC, you'll be redirected to Keycloak for login. After a successful OIDC flow the proxy stores tokens in the session and forwards requests to the configured upstream.

## Notes

- For OIDC hosts you must create a confidential Keycloak client whose redirect URI matches the host's `redirect_uri` (e.g. `http://localhost:3000/callback/app1`).
- This is a demo scaffold: replace the simple in-memory `USERS` store and the hard-coded session handling, and consider using a persistent session store and HTTPS in production.
- The proxy injects `Authorization: Bearer <access_token>` when available and `X-Forwarded-User` with the authenticated username.

## Admin web UI

- There is a minimal admin interface at `http://localhost:3000/admin` to manage hosts (create/edit/delete) and reload OIDC clients.
- Admin credentials are read from the environment variables `ADMIN_USER` / `ADMIN_PASS` (defaulting to `admin`/`admin`).
- When you save hosts in the admin UI, they are persisted to `config.json` in the project root.

## Security notes

- Protect the admin UI behind strong credentials and run the proxy with HTTPS in production.
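
Because the upstream trusts the `X-Forwarded-User` and `Authorization` headers the proxy injects (see Notes), any client-supplied copies of those headers have to be dropped before forwarding. The sketch below is an added example, not code from this project; the function name `buildUpstreamHeaders` and the session shape `{ username, tokens: { access_token } }` are assumptions.

```javascript
// Headers the proxy itself asserts to the upstream (per the Notes above).
// Anything a client sends under these names must never be forwarded.
const IDENTITY_HEADERS = new Set(['authorization', 'x-forwarded-user']);

// Normalise a header name for comparison: case-insensitive, and treat "_" as
// "-" because some upstream stacks (CGI/WSGI style) fold the two together.
function canonical(name) {
  return String(name).toLowerCase().replace(/_/g, '-');
}

// Assumed session shape (hypothetical): { username, tokens: { access_token } }.
function buildUpstreamHeaders(incoming, session) {
  const out = {};
  for (const [name, value] of Object.entries(incoming || {})) {
    if (IDENTITY_HEADERS.has(canonical(name))) continue; // drop client-supplied identity
    out[name.toLowerCase()] = value;
  }
  const user = session && session.username;
  // Fail closed: no session user, or a value that could split a header line.
  if (typeof user !== 'string' || user === '' || /[\r\n\0]/.test(user)) {
    throw new Error('refusing to forward: no valid authenticated user in session');
  }
  out['x-forwarded-user'] = user;
  const token = session.tokens && session.tokens.access_token;
  if (typeof token === 'string' && token !== '') {
    out['authorization'] = `Bearer ${token}`; // only the proxy's own token goes upstream
  }
  return out;
}

// Constructed sample request: logged-in user "alice" sends headers claiming "admin".
const spoofed = {
  host: 'localhost:3000',
  'X-Forwarded-User': 'admin',
  X_Forwarded_User: 'admin',
  Authorization: 'Bearer client-supplied',
  accept: 'text/html',
};
const sample = buildUpstreamHeaders(spoofed, {
  username: 'alice',
  tokens: { access_token: 'constructed.access.token' },
});
console.log(sample);
```

The upstream should also accept traffic only from the proxy, otherwise a client that reaches it directly can set these headers itself.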