Skip to content

Commit 4f1db82

Browse files
steveiliop56shadownetdev1dingokeep
authored
feat: docs for other oauth providers (#100)
Co-authored-by: shadownetdev1 <26750646+shadownetdev1@users.noreply.github.com> Co-authored-by: dingokeep <dingokeep@pm.me>
1 parent b34cd53 commit 4f1db82

2 files changed

Lines changed: 78 additions & 0 deletions

File tree

astro.config.mjs

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,10 @@ export default defineConfig({
8888
label: "Pocket ID OAuth",
8989
slug: "docs/guides/pocket-id",
9090
},
91+
{
92+
label: "Other OAuth Providers",
93+
slug: "docs/guides/other-oauth",
94+
},
9195
{
9296
label: "LDAP",
9397
slug: "docs/guides/ldap",
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
---
2+
title: Other OAuth Providers
3+
description: Use any OAuth provider with Tinyauth.
4+
---
5+
6+
Tinyauth supports any OAuth/OpenID Connect provider that follows the specification (specifically around the claims). This means you can use any self-hosted or third-party provider that implements the OAuth 2.0 and/or the OpenID Connect protocols.
7+
8+
## Requirements
9+
10+
For this guide, you will need:
11+
12+
- A Tinyauth instance set up and running.
13+
- An OAuth/OpenID Connect provider that you want to integrate with Tinyauth. This could be a self-hosted provider like Keycloak, or a third-party provider like Auth0, Okta, or any other that supports OAuth 2.0/OpenID Connect.
14+
15+
## Get your client credentials
16+
17+
To integrate your OAuth provider with Tinyauth, you will need to create a client/application in your OAuth provider's dashboard. This process varies depending on the provider you are using, but generally involves the following steps:
18+
19+
1. Log in to your OAuth provider's dashboard.
20+
2. Navigate to the section where you can create a new client/application.
21+
3. Fill in the required information, such as the name of your application and the redirect URI. The redirect URI should be in the format `https://your-tinyauth-instance.com/api/oauth/callback/your-provider`, where `your-provider` is a unique identifier for your OAuth provider (e.g., `keycloak`, `auth0`, etc.).
22+
4. Save the client/application and note down the client ID and client secret, as you will need these to configure Tinyauth.
23+
24+
You will also need to get the authorization, token, and user info endpoint URLs from your OAuth provider. These are typically available in the provider's documentation, dashboard or through their OpenID Connect discovery endpoint (usually found at `https://your-provider/.well-known/openid-configuration`).
25+
26+
## Configure Tinyauth
27+
28+
Once you have your client credentials and endpoint URLs, you can configure Tinyauth to use your OAuth provider. This involves adding a new provider configuration to your instance. You can do this by appending the following environment variables to your Tinyauth configuration:
29+
30+
```yaml
31+
services:
32+
tinyauth:
33+
environment:
34+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID=your-provider-client-id
35+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET=your-provider-client-secret
36+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL=your-provider-authorization-endpoint
37+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL=your-provider-token-endpoint
38+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL=your-provider-userinfo-endpoint
39+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL=https://your-tinyauth-instance.com/api/oauth/callback/myprovider # This is usually not needed as Tinyauth can auto-generate it, but you can specify it if your provider requires a specific redirect URL.
40+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES="openid email profile groups" # Ensure you include the necessary scopes for your provider.
41+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME="My Provider" # This is the name that will be displayed on the login page for this provider.
42+
- TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE=false # Only set this to true if your provider uses self-signed certificates
43+
```
44+
45+
Make sure to replace `MYPROVIDER` with a unique identifier for your provider, and fill in the correct values for the client ID, client secret, and endpoint URLs.
46+
47+
:::caution
48+
The provider identifier (e.g., `MYPROVIDER`) must be unique and should only contain alphanumeric characters. This identifier is used in the redirect URI and environment variable names, so choose it wisely.
49+
:::
50+
51+
You can add multiple providers by repeating the above configuration with different identifiers (e.g., `KEYCLOAK`, `AUTH0`, etc.).
52+
53+
## Tips and warnings
54+
55+
:::note
56+
Set the `TINYAUTH_OAUTH_AUTOREDIRECT` environment variable to your provider ID (e.g. `myprovider`) to enable
57+
automatic redirection to your OAuth provider for Tinyauth-protected apps.
58+
:::
59+
60+
:::caution
61+
OAuth alone does not guarantee security. By default, any account in the OAuth Provider can
62+
log in as a normal user. To restrict access, use the `TINYAUTH_OAUTH_WHITELIST`
63+
environment variable to allow specific email addresses. Refer to the
64+
[configuration](/docs/reference/configuration) page for details.
65+
:::
66+
67+
:::note
68+
With OAuth enabled, the `TINYAUTH_AUTH_USERS` or `TINYAUTH_AUTH_USERSFILE` environment variable can be
69+
removed to allow login exclusively through the OAuth provider.
70+
:::
71+
72+
## Trying it out
73+
74+
After configuring Tinyauth, restart your instance to apply the changes. You should now see an option to log in with your OAuth provider on the login page. Click on it, and you should be redirected to your OAuth provider to authenticate. After authentication, you will be redirected back to Tinyauth and should be logged in successfully.

0 commit comments

Comments
 (0)