Friday, July 23, 2021

  • 9:58pm
    Asleep
    6:17am
    Awake
    8h 19m
    Slept
    29m
    Awake for
    Portland, Oregon, USA • 61°F
    Fri, Jul 23, 2021 6:17am -07:00
  • Aaron Parecki
    okay Internet, I need your suggestions:

    I have a static website that I can't modify, and I want to host it on some platform that I can tie to an arbitrary OpenID Connect provider so that only certain people can access it.

    What's the easiest way to do this?
    Portland, Oregon • 83°F
    13 likes 7 reposts 47 replies
    Fri, Jul 23, 2021 3:16pm -07:00 #oauth #openid
  • certified post-corporate hellscape solutions https://twitter.com/4c4d   •   Jul 23
    Google, Azure, AWS all have the concept of the identity aware proxy, which is something that inspects the jwt/token and denies access if it's not valid. I've used GCP's, and it's pretty well featured, but the other providers should be reasonable as well (it's a common feature)
    Aaron Parecki
    That's exactly what I want, but is there anything lighter weight than those platforms? It feels way overkill. I can't find a corresponding feature in Netlify or Heroku for example though.
    Portland, Oregon • 83°F
    8 replies
    Fri, Jul 23, 2021 3:20pm -07:00
  • Jeremy Fiel https://twitter.com/jeremyfiel   •   Jul 23
    Netlify @cassidoo @jlengstorf can help
    Aaron Parecki
    I have spent no joke like 4 hours trying to do this on @netlify already today and cannot for the life of me figure it out
    Portland, Oregon • 83°F
    1 like 17 replies
    Fri, Jul 23, 2021 3:21pm -07:00
  • Jeremy Fiel https://twitter.com/jeremyfiel   •   Jul 23
    If you can't modify it, how do you have access to deploy it somewhere else?
    Aaron Parecki
    It's a static site, so it's a pile of files. I can push those files around as much as I want, but changing them is not really feasible
    Portland, Oregon • 83°F
    Fri, Jul 23, 2021 3:29pm -07:00
  • Bertrand Carlier https://twitter.com/bertrandcarlier   •   Jul 23
    mod_auth_openidc for Apache or nginx equivalent by the excellent @hanszandbelt?
    Aaron Parecki
    Those and https://github.com/vouch/vouch-proxy are on my list, but require that I run an nginx/Apache server somewhere, and ideally I'd be able to deploy this on something that doesn't require a full VM. That's my backup plan tho.
    Portland, Oregon • 83°F
    2 likes
    Fri, Jul 23, 2021 3:30pm -07:00
  • Jason Lengstorf https://twitter.com/jlengstorf   •   Jul 23
    can you say more about what the ideal workflow is? if you can set a cookie, you can allow/deny access based on cookie presence https://docs.netlify.com/routing/redirects/redirect-options/#redirect-by-cookie-presence
    Aaron Parecki
    Ideally I'd have something like a Netlify function run on every incoming request to check the presence of a cookie, validate it, and based on the result, either send an HTTP redirect to start an OIDC flow, or return the static file requested.
    Portland, Oregon • 83°F
    5 replies
    Fri, Jul 23, 2021 3:32pm -07:00
  • Jo Wouters https://twitter.com/jowouters   •   Jul 23
    Have you tried Snippet Injection? https://docs.netlify.com/site-deploys/post-processing/snippet-injection/ You could inject the Identity code in your static code https://identity.netlify.com/
    Aaron Parecki
    That won't work, I need to prevent access to the files entirely if the user isn't logged in.
    Portland, Oregon • 83°F
    1 like 3 replies
    Fri, Jul 23, 2021 3:37pm -07:00
  • Jason Lengstorf https://twitter.com/jlengstorf   •   Jul 23
    can you say more about what the ideal workflow is? if you can set a cookie, you can allow/deny access based on cookie presence https://docs.netlify.com/routing/redirects/redirect-options/#redirect-by-cookie-presence
    Aaron Parecki
    I followed a few links from there and it looks like possibly this is the answer?

    https://docs.netlify.com/visitor-access/role-based-access-control/#external-providers
    Portland, Oregon • 83°F
    3 replies
    Fri, Jul 23, 2021 3:40pm -07:00
  • Kevin C. https://social.librem.one/@kcoram   •   Jul 23

    @aaronpk
    Does Vouch support OpenID Connect? I remember learning how to set it up for OAuth from instructions on your site . . .

    Aaron Parecki
    It does! That's high on my list, but ideally I'd like to deploy this to something that doesn't require that I run nginx/Apache or a VM.
    Portland, Oregon • 83°F
    Fri, Jul 23, 2021 3:46pm -07:00
  • Jesse Cooke https://twitter.com/jc00ke   •   Jul 23
    I used https://github.com/oauth2-proxy/oauth2-proxy in front of S3 years ago, worked quite well.
    Aaron Parecki
    I just found a tutorial on deploying that on Heroku which is currently at the top of my list!
    Portland, Oregon • 83°F
    2 likes 1 reply
    Fri, Jul 23, 2021 3:48pm -07:00
  • He couldn’t get over his fiancee’s death. So he brought her back as an A.I. chatbot (www.sfchronicle.com)
    Fri, Jul 23, 2021 3:53pm -07:00 #ai #chatbot
  • Jason Lengstorf https://twitter.com/jlengstorf   •   Jul 23
    yeah, that definitely works! here's some code to change roles if you need to, but in general Netlify Identity / roles will definitely let you gate content

    https://github.com/stripe-samples/netlify-stripe-subscriptions
    Aaron Parecki
    I'm still a little confused about Netlify Identity, but it seems like it requires that I manage users in Netlify, which isn't what I want.

    Also wow the pricing 😮 $99/month/user in order to be able to use third party JWT tokens?
    Portland, Oregon • 83°F
    1 reply
    Fri, Jul 23, 2021 3:55pm -07:00
  • karmanyaahm https://social.linux.pizza/@karmanyaahm   •   Jul 23

    @aaronpk I haven't used it but I've heard about Authelia which could perhaps do this?

    Aaron Parecki
    I'm skimming through their docs and it looks like it is an OAuth server itself? That sounds like something different.
    Portland, Oregon • 83°F
    1 like 2 replies
    Fri, Jul 23, 2021 3:58pm -07:00
  • Jo Wouters https://twitter.com/jowouters   •   Jul 23
    In that case you could move the whole static site to a specific directory that is protected via a _redirects definition ? Access is only granted to a specific role. https://docs.netlify.com/visitor-access/role-based-access-control/ Roles can be set via Identity
    Aaron Parecki
    That's promising, but can I use an external OpenID Connect IDP for that? I don't want to manage users in Netlify
    Portland, Oregon • 84°F
    1 reply
    Fri, Jul 23, 2021 4:03pm -07:00
  • John Patrick Dandison ☁☁☁ https://twitter.com/AzureAndChill   •   Jul 23
    Azure static web apps has auth proxy built in and is pretty lightweight, $9 to byo oidc. Or an az function proxy and use easyauth/write a couple of methods to handle the redirect and code redemption. That's free under 1m executions
    Aaron Parecki
    This is promising, thanks, I am going to check it out.
    Portland, Oregon • 84°F
    2 likes
    Fri, Jul 23, 2021 4:05pm -07:00
  • https://octodon.social/@npd/106632461524722923
    Aaron Parecki
    yeah, HTTP Basic Auth is problematic for several reasons
    Portland, Oregon • 84°F
    Fri, Jul 23, 2021 4:22pm -07:00
  • Jason Lengstorf https://twitter.com/jlengstorf   •   Jul 23
    but if you're looking for a cookie, you can check for that in the redirect and send to auth if it's not present

    the cookie redirect could be:

    /* /:splat 200! Cookie=your_cookie
    /* /login

    login could call a serverless function to set the cookie
    Aaron Parecki
    how can I validate the contents of that cookie? From what I can tell in the docs the redirect method just checks for the presence of the cookie
    Portland, Oregon • 84°F
    2 replies
    Fri, Jul 23, 2021 4:30pm -07:00
  • John Patrick Dandison ☁☁☁ https://twitter.com/AzureAndChill   •   Jul 23
    Azure static web apps has auth proxy built in and is pretty lightweight, $9 to byo oidc. Or an az function proxy and use easyauth/write a couple of methods to handle the redirect and code redemption. That's free under 1m executions
    Aaron Parecki
    Managed to get pretty far with this approach, but got hung up on this issue if you have any thoughts: https://github.com/aaronpowell/swa-custom-auth-okta/issues/1
    Portland, Oregon • 84°F
    4 replies
    Fri, Jul 23, 2021 5:17pm -07:00
  • Jason Lengstorf https://twitter.com/jlengstorf   •   Jul 24
    you could redirect through a serverless function to validate. JWT is probably easier since you'll presumably already have that through whatever service you're using for user management
    Aaron Parecki
    Sounds promising, but I still can't quite see all the pieces. Maybe we should do another livestream and tackle this live!
    Portland, Oregon • 84°F
    1 like
    Fri, Jul 23, 2021 5:21pm -07:00
  • Authentication and authorization for Azure Static Web Apps | Microsoft Docs (docs.microsoft.com)
    Fri, Jul 23, 2021 5:22pm -07:00 #azure #authentication #oauth
  • Using Okta with Static Web Apps - Microsoft Tech Community (techcommunity.microsoft.com)
    Fri, Jul 23, 2021 5:23pm -07:00 #azure #oauth #okta
  • Custom authentication in Azure Static Web Apps | Microsoft Docs (docs.microsoft.com)
    Fri, Jul 23, 2021 5:23pm -07:00 #azure #oauth #okta
  • John Patrick Dandison ☁☁☁ https://twitter.com/AzureAndChill   •   Jul 24
    Using the standard tier, correct? I think the paid one is required for byo
    Aaron Parecki
    oh well that could very well be the missing piece here!
    Portland, Oregon • 84°F
    Fri, Jul 23, 2021 5:24pm -07:00
  • John Patrick Dandison ☁☁☁ https://twitter.com/AzureAndChill   •   Jul 24
    Using the standard tier, correct? I think the paid one is required for byo
    Aaron Parecki
    Yup, that was it! Thanks for the reminder! This works great.
    Portland, Oregon • 84°F
    1 like 1 reply
    Fri, Jul 23, 2021 5:34pm -07:00
  • Vittorio https://twitter.com/vibronet
    If I run a humidifier and a dehumidifier at the same time in the same room, do I get any cryptocurrency as award?
    Portland, Oregon • 74°F
    Sat, Jul 24, 2021 3:33am +00:00 (liked on Fri, Jul 23, 2021 9:49pm -07:00)
  • Aaron Parecki
    Contributions from: Colombia, Japan, Russian Federation, United Kingdom, United States
    Fri, Jul 23, 2021 11:20pm -07:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.