okay Internet, I need your suggestions: I have a static ... • Aaron Parecki

okay Internet, I need your suggestions:

I have a static website that I can't modify, and I want to host it on some platform that I can tie to an arbitrary OpenID Connect provider so that only certain people can access it.

What's the easiest way to do this?

Portland, Oregon • 83°F

Fri, Jul 23, 2021 3:16pm -07:00 #oauth #openid

13 likes 7 reposts 47 replies
- Tomáš Jakl
- Nick Doty
- Justin Richer
- Brian Demers
- raupach
- Thomas gratier
- It's David
- Chandu
- ari
- Ben Reilly
- Sven
- Frederico Hakamine
- Dale
Have you written a response to this? Let me know the URL:
- bergeron indieweb.social/@bergeron
  
  @aaronpk Behind a proxy of some sort, presumably.
  
  Sun, Sep 12, 2021 3:55am +00:00
- fluffy 💜 ✪▾̫✪ twitter.com/fluffy
  
  Also I don't know why Twitter just decided to show me this post just now
  
  Mon, Jul 26, 2021 6:33am +00:00 (via brid.gy)
- fluffy 💜 ✪▾̫✪ twitter.com/fluffy
  
  Normally I'd suggest Aaron Parecki as someone to ask this question to but
  
  Mon, Jul 26, 2021 6:32am +00:00 (via brid.gy)
- Johannes Ernst twitter.com/Johannes_Ernst
  
  I’d love to know that, too.
  
  Mon, Jul 26, 2021 6:00am +00:00 (via brid.gy)
- Jo Wouters twitter.com/jowouters
  
  No, don't think they have solved that yet... :-/ (I should have reread your original question completely "so that I can tie to an arbitrary OpenID Connect provider")
  
  Sun, Jul 25, 2021 8:49pm +00:00 (via brid.gy)
- Jonas Dautel twitter.com/jonasdautel
  
  *give
  
  Sun, Jul 25, 2021 11:30am +00:00 (via brid.gy)
- Jonas Dautel twitter.com/jonasdautel
  
  Even easier : host on s3 and use. Cloudflare access to five out access to that domain/ subdomain
  
  Sun, Jul 25, 2021 11:30am +00:00 (via brid.gy)
- Jonas Dautel twitter.com/jonasdautel
  
  docs.aws.amazon.com/apigateway/lat…
  
  Sun, Jul 25, 2021 10:12am +00:00 (via brid.gy)
- Jonas Dautel twitter.com/jonasdautel
  
  Static s3 behind api gateway for Auth
  
  Sun, Jul 25, 2021 10:11am +00:00 (via brid.gy)
- gschwepp chaos.social/@gschwepp
  
  @aaronpk Not sure if this applies to your problem, but maybe the nginx auth_request module helpes.
  
  Sat, Jul 24, 2021 6:34am +00:00
- Yannick twitter.com/YannickBeot
  
  Azure Static Web App is the way to go!
  
  Sat, Jul 24, 2021 5:55am +00:00 (via brid.gy)
- John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
  
  Awesome!
  
  Sat, Jul 24, 2021 12:42am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Yup, that was it! Thanks for the reminder! This works great.
  
  Sat, Jul 24, 2021 12:34am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  oh well that could very well be the missing piece here!
  
  Sat, Jul 24, 2021 12:24am +00:00 (via brid.gy)
- John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
  
  Using the standard tier, correct? I think the paid one is required for byo
  
  Sat, Jul 24, 2021 12:21am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Sounds promising, but I still can't quite see all the pieces. Maybe we should do another livestream and tackle this live!
  
  Sat, Jul 24, 2021 12:21am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Managed to get pretty far with this approach, but got hung up on this issue if you have any thoughts: github.com/aaronpowell/sw…
  
  Sat, Jul 24, 2021 12:17am +00:00 (via brid.gy)
- Jason Lengstorf twitter.com/jlengstorf
  
  you could redirect through a serverless function to validate. JWT is probably easier since you'll presumably already have that through whatever service you're using for user management
  
  Sat, Jul 24, 2021 12:10am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  how can I validate the contents of that cookie? From what I can tell in the docs the redirect method just checks for the presence of the cookie
  
  Fri, Jul 23, 2021 11:30pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  This is promising, thanks, I am going to check it out.
  
  Fri, Jul 23, 2021 11:05pm +00:00 (via brid.gy)
- Jason Lengstorf twitter.com/jlengstorf
  
  but if you’re looking for a cookie, you can check for that in the redirect and send to auth if it’s not present the cookie redirect could be: /* /:splat 200! Cookie=your_cookie /* /login login could call a serverless function to set the cookie
  
  Fri, Jul 23, 2021 11:03pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  That's promising, but can I use an external OpenID Connect IDP for that? I don't want to manage users in Netlify
  
  Fri, Jul 23, 2021 11:03pm +00:00 (via brid.gy)
- Jo Wouters twitter.com/jowouters
  
  In that case you could move the whole static site to a specific directory that is protected via a _redirects definition ? Access is only granted to a specific role. docs.netlify.com/visitor-access… Roles can be set via Identity
  
  Fri, Jul 23, 2021 11:02pm +00:00 (via brid.gy)
- Jason Lengstorf twitter.com/jlengstorf
  
  you can do user stuff without plugging into Netlify Identity. the important part is the app_metadata.roles in the token
  
  Fri, Jul 23, 2021 10:57pm +00:00 (via brid.gy)
- karmanyaahm social.linux.pizza/@karmanyaahm
  
  @aaronpk I haven't used it but I've heard about Authelia which could perhaps do this?
  
  Fri, Jul 23, 2021 10:56pm +00:00
- Aaron Parecki twitter.com/aaronpk
  
  I'm still a little confused about Netlify Identity, but it seems like it requires that I manage users in Netlify, which isn't what I want. Also wow the pricing 😮 $99/month/user in order to be able to use third party JWT tokens?
  
  Fri, Jul 23, 2021 10:55pm +00:00 (via brid.gy)
- Jason Lengstorf twitter.com/jlengstorf
  
  yeah, that definitely works! here’s some code to change roles if you need to, but in general Netlify Identity / roles will definitely let you gate content github.com/stripe-samples…
  
  Fri, Jul 23, 2021 10:52pm +00:00 (via brid.gy)
- Jesse Cooke twitter.com/jc00ke
  
  Nice! Looks like there's an OpenID provider too: oauth2-proxy.github.io/oauth2-proxy/d…
  
  Fri, Jul 23, 2021 10:48pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  I just found a tutorial on deploying that on Heroku which is currently at the top of my list!
  
  Fri, Jul 23, 2021 10:48pm +00:00 (via brid.gy)
- Jesse Cooke twitter.com/jc00ke
  
  I used github.com/oauth2-proxy/o… in front of S3 years ago, worked quite well.
  
  Fri, Jul 23, 2021 10:47pm +00:00 (via brid.gy)
- Kevin C. social.librem.one/@kcoram
  
  @aaronpk
  Does Vouch support OpenID Connect? I remember learning how to set it up for OAuth from instructions on your site . . .
  
  Fri, Jul 23, 2021 10:44pm +00:00
- John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
  
  Azure static web apps has auth proxy built in and is pretty lightweight, $9 to byo oidc. Or an az function proxy and use easyauth/write a couple of methods to handle the redirect and code redemption. That's free under 1m executions
  
  Fri, Jul 23, 2021 10:41pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  I followed a few links from there and it looks like possibly this is the answer? docs.netlify.com/visitor-access…
  
  Fri, Jul 23, 2021 10:40pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  That won't work, I need to prevent access to the files entirely if the user isn't logged in.
  
  Fri, Jul 23, 2021 10:37pm +00:00 (via brid.gy)
- Jo Wouters twitter.com/jowouters
  
  Have you tried Snippet Injection? docs.netlify.com/site-deploys/p… You could inject the Identity code in your static code identity.netlify.com
  
  Fri, Jul 23, 2021 10:35pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Ideally I'd have something like a Netlify function run on every incoming request to check the presence of a cookie, validate it, and based on the result, either send an HTTP redirect to start an OIDC flow, or return the static file requested.
  
  Fri, Jul 23, 2021 10:32pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Those and github.com/vouch/vouch-pr… are on my list, but require that I run an nginx/Apache server somewhere, and ideally I'd be able to deploy this on something that doesn't require a full VM. That's my backup plan tho.
  
  Fri, Jul 23, 2021 10:30pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  It's a static site, so it's a pile of files. I can push those files around as much as I want, but changing them is not really feasible
  
  Fri, Jul 23, 2021 10:29pm +00:00 (via brid.gy)
- Bertrand Carlier twitter.com/bertrandcarlier
  
  mod_auth_openidc for Apache or nginx equivalent by the excellent @hanszandbelt?
  
  Fri, Jul 23, 2021 10:29pm +00:00 (via brid.gy)
- Jason Lengstorf twitter.com/jlengstorf
  
  can you say more about what the ideal workflow is? if you can set a cookie, you can allow/deny access based on cookie presence docs.netlify.com/routing/redire…
  
  Fri, Jul 23, 2021 10:28pm +00:00 (via brid.gy)
- Jeremy Fiel twitter.com/jeremyfiel
  
  If you can't modify it, how do you have access to deploy it somewhere else?
  
  Fri, Jul 23, 2021 10:28pm +00:00 (via brid.gy)
- certified post-corporate hellscape solutions twitter.com/4c4d
  
  idk i know heroku has their own local identity introspection implementation but i know nothing about it
  
  Fri, Jul 23, 2021 10:22pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  I have spent no joke like 4 hours trying to do this on @netlify already today and cannot for the life of me figure it out
  
  Fri, Jul 23, 2021 10:21pm +00:00 (via brid.gy)
- certified post-corporate hellscape solutions twitter.com/4c4d
  
  so it might look something like, static asset in google Cloud Storage, sitting behind Identity Aware Proxy - we have a bunch of these sitting around. Higher traffic loads might require idk like some sort of cloud cdn and billing tiers tho idk
  
  Fri, Jul 23, 2021 10:21pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  That's exactly what I want, but is there anything lighter weight than those platforms? It feels way overkill. I can't find a corresponding feature in Netlify or Heroku for example though.
  
  Fri, Jul 23, 2021 10:20pm +00:00 (via brid.gy)
- Jeremy Fiel twitter.com/jeremyfiel
  
  Netlify @cassidoo @jlengstorf can help
  
  Fri, Jul 23, 2021 10:20pm +00:00 (via brid.gy)
- certified post-corporate hellscape solutions twitter.com/4c4d
  
  Google, Azure, AWS all have the concept of the identity aware proxy, which is something that inspects the jwt/token and denies access if it's not valid. I've used GCP's, and it's pretty well featured, but the other providers should be reasonable as well (it's a common feature)
  
  Fri, Jul 23, 2021 10:19pm +00:00 (via brid.gy)

Posted in /notes using quill.p3k.io