
Aaron Parecki

  • Aaron Parecki
    okay Internet, I need your suggestions:

    I have a static website that I can't modify, and I want to host it on some platform that I can tie to an arbitrary OpenID Connect provider so that only certain people can access it.

    What's the easiest way to do this?
    Portland, Oregon • 83°F
    Fri, Jul 23, 2021 3:16pm -07:00 #oauth #openid
    13 likes 7 reposts 47 replies
    • Tomáš Jakl
    • Nick Doty
    • Justin Richer
    • Brian Demers
    • raupach
    • Thomas gratier
    • It's David
    • Chandu
    • ari
    • Ben Reilly
    • Sven
    • Frederico Hakamine
    • Dale
    • Stampeding Longhorn
    • Pratik Bhatt 🇮🇳
    • André E. Veltstra
    • Brian Demers
    • Alexander Martin
    • Gabe Kangas
    • bergeron indieweb.social/@bergeron

      @aaronpk Behind a proxy of some sort, presumably.

      Sun, Sep 12, 2021 3:55am +00:00
    • fluffy 💜 ✪▾̫✪ twitter.com/fluffy
      Also I don't know why Twitter just decided to show me this post just now
      Mon, Jul 26, 2021 6:33am +00:00 (via brid.gy)
    • fluffy 💜 ✪▾̫✪ twitter.com/fluffy
      Normally I'd suggest Aaron Parecki as someone to ask this question to but
      Mon, Jul 26, 2021 6:32am +00:00 (via brid.gy)
    • Johannes Ernst twitter.com/Johannes_Ernst
      I’d love to know that, too.
      Mon, Jul 26, 2021 6:00am +00:00 (via brid.gy)
    • Jo Wouters twitter.com/jowouters
      No, don't think they have solved that yet... :-/ (I should have reread your original question completely "so that I can tie to an arbitrary OpenID Connect provider")
      Sun, Jul 25, 2021 8:49pm +00:00 (via brid.gy)
    • Jonas Dautel twitter.com/jonasdautel
      *give
      Sun, Jul 25, 2021 11:30am +00:00 (via brid.gy)
    • Jonas Dautel twitter.com/jonasdautel
      Even easier: host on S3 and use Cloudflare Access to give out access to that domain/subdomain
      Sun, Jul 25, 2021 11:30am +00:00 (via brid.gy)
    • Jonas Dautel twitter.com/jonasdautel
      docs.aws.amazon.com/apigateway/lat…
      Sun, Jul 25, 2021 10:12am +00:00 (via brid.gy)
    • Jonas Dautel twitter.com/jonasdautel
      Static s3 behind api gateway for Auth
      Sun, Jul 25, 2021 10:11am +00:00 (via brid.gy)
    • gschwepp chaos.social/@gschwepp

      @aaronpk Not sure if this applies to your problem, but maybe the nginx auth_request module helps.

      Sat, Jul 24, 2021 6:34am +00:00
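      As an added example (not posted by anyone in the thread), this is the auth_request pattern the reply above points at, with oauth2-proxy, which comes up later in the thread, as the thing nginx asks. The hostname, paths and the oauth2-proxy listen address are assumptions; oauth2-proxy itself is configured separately against whichever OIDC provider you choose. nginx issues an internal subrequest to /oauth2/auth before it serves any file, so an unauthenticated visitor never reaches the filesystem: oauth2-proxy answers 202 when the session cookie it set is valid and 401 otherwise, and the 401 is turned into a redirect that starts the OIDC login.

```nginx
# Added example: nginx serving an unmodified static tree only after auth_request succeeds.
# Assumes oauth2-proxy (configured for your OIDC provider) is listening on 127.0.0.1:4180.
server {
    listen 443 ssl;
    server_name site.example;            # hypothetical hostname
    # ssl_certificate / ssl_certificate_key omitted here

    root /var/www/static;                # the pile of files, untouched

    # oauth2-proxy's own endpoints: /oauth2/start, /oauth2/callback, /oauth2/sign_in, ...
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target used by auth_request: 202 if the session is valid, 401 if not.
    location = /oauth2/auth {
        internal;
        proxy_pass              http://127.0.0.1:4180;
        proxy_set_header        Host           $host;
        proxy_set_header        X-Real-IP      $remote_addr;
        proxy_set_header        Content-Length "";
        proxy_pass_request_body off;     # the subrequest carries cookies, not a body
    }

    # Every static path goes through the gate first.
    location / {
        auth_request /oauth2/auth;
        error_page   401 = @login;       # no or invalid session: start the OIDC flow
        add_header   Cache-Control "private, no-store";
        try_files    $uri $uri/ =404;
    }

    location @login {
        return 302 /oauth2/start?rd=$scheme://$host$request_uri;
    }
}
```

      The point of `internal` on /oauth2/auth is that only nginx's own subrequest can reach it; browsers cannot hit the check endpoint directly. Anything oauth2-proxy rejects (401, or 403 for a user outside its allowed list) is refused before `try_files` runs, which is the "prevent access to the files entirely" requirement from the original question.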
    • Yannick twitter.com/YannickBeot
      Azure Static Web App is the way to go!
      Sat, Jul 24, 2021 5:55am +00:00 (via brid.gy)
    • John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
      Awesome!
      Sat, Jul 24, 2021 12:42am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Yup, that was it! Thanks for the reminder! This works great.
      Sat, Jul 24, 2021 12:34am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      oh well that could very well be the missing piece here!
      Sat, Jul 24, 2021 12:24am +00:00 (via brid.gy)
    • John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
      Using the standard tier, correct? I think the paid one is required for byo
      Sat, Jul 24, 2021 12:21am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Sounds promising, but I still can't quite see all the pieces. Maybe we should do another livestream and tackle this live!
      Sat, Jul 24, 2021 12:21am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Managed to get pretty far with this approach, but got hung up on this issue if you have any thoughts: github.com/aaronpowell/sw…
      Sat, Jul 24, 2021 12:17am +00:00 (via brid.gy)
    • Jason Lengstorf twitter.com/jlengstorf
      you could redirect through a serverless function to validate. JWT is probably easier since you'll presumably already have that through whatever service you're using for user management
      Sat, Jul 24, 2021 12:10am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      how can I validate the contents of that cookie? From what I can tell in the docs the redirect method just checks for the presence of the cookie
      Fri, Jul 23, 2021 11:30pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      This is promising, thanks, I am going to check it out.
      Fri, Jul 23, 2021 11:05pm +00:00 (via brid.gy)
    • Jason Lengstorf twitter.com/jlengstorf
      but if you’re looking for a cookie, you can check for that in the redirect and send to auth if it’s not present. The cookie redirect could be:
        /*  /:splat  200!  Cookie=your_cookie
        /*  /login
      login could call a serverless function to set the cookie
      Fri, Jul 23, 2021 11:03pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      That's promising, but can I use an external OpenID Connect IDP for that? I don't want to manage users in Netlify
      Fri, Jul 23, 2021 11:03pm +00:00 (via brid.gy)
    • Jo Wouters twitter.com/jowouters
      In that case you could move the whole static site to a specific directory that is protected via a _redirects definition ? Access is only granted to a specific role. docs.netlify.com/visitor-access… Roles can be set via Identity
      Fri, Jul 23, 2021 11:02pm +00:00 (via brid.gy)
    • Jason Lengstorf twitter.com/jlengstorf
      you can do user stuff without plugging into Netlify Identity. the important part is the app_metadata.roles in the token
      Fri, Jul 23, 2021 10:57pm +00:00 (via brid.gy)
    • karmanyaahm social.linux.pizza/@karmanyaahm

      @aaronpk I haven't used it but I've heard about Authelia which could perhaps do this?

      Fri, Jul 23, 2021 10:56pm +00:00
    • Aaron Parecki twitter.com/aaronpk
      I'm still a little confused about Netlify Identity, but it seems like it requires that I manage users in Netlify, which isn't what I want. Also wow the pricing 😮 $99/month/user in order to be able to use third party JWT tokens?
      Fri, Jul 23, 2021 10:55pm +00:00 (via brid.gy)
    • Jason Lengstorf twitter.com/jlengstorf
      yeah, that definitely works! here’s some code to change roles if you need to, but in general Netlify Identity / roles will definitely let you gate content github.com/stripe-samples…
      Fri, Jul 23, 2021 10:52pm +00:00 (via brid.gy)
    • Jesse Cooke twitter.com/jc00ke
      Nice! Looks like there's an OpenID provider too: oauth2-proxy.github.io/oauth2-proxy/d…
      Fri, Jul 23, 2021 10:48pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      I just found a tutorial on deploying that on Heroku which is currently at the top of my list!
      Fri, Jul 23, 2021 10:48pm +00:00 (via brid.gy)
    • Jesse Cooke twitter.com/jc00ke
      I used github.com/oauth2-proxy/o… in front of S3 years ago, worked quite well.
      Fri, Jul 23, 2021 10:47pm +00:00 (via brid.gy)
    • Kevin C. social.librem.one/@kcoram

      @aaronpk
      Does Vouch support OpenID Connect? I remember learning how to set it up for OAuth from instructions on your site . . .

      Fri, Jul 23, 2021 10:44pm +00:00
    • John Patrick Dandison ☁☁☁ twitter.com/AzureAndChill
      Azure static web apps has auth proxy built in and is pretty lightweight, $9 to byo oidc. Or an az function proxy and use easyauth/write a couple of methods to handle the redirect and code redemption. That's free under 1m executions
      Fri, Jul 23, 2021 10:41pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      I followed a few links from there and it looks like possibly this is the answer? docs.netlify.com/visitor-access…
      Fri, Jul 23, 2021 10:40pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      That won't work, I need to prevent access to the files entirely if the user isn't logged in.
      Fri, Jul 23, 2021 10:37pm +00:00 (via brid.gy)
    • Jo Wouters twitter.com/jowouters
      Have you tried Snippet Injection? docs.netlify.com/site-deploys/p… You could inject the Identity code in your static code identity.netlify.com
      Fri, Jul 23, 2021 10:35pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Ideally I'd have something like a Netlify function run on every incoming request to check the presence of a cookie, validate it, and based on the result, either send an HTTP redirect to start an OIDC flow, or return the static file requested.
      Fri, Jul 23, 2021 10:32pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Those and github.com/vouch/vouch-pr… are on my list, but require that I run an nginx/Apache server somewhere, and ideally I'd be able to deploy this on something that doesn't require a full VM. That's my backup plan tho.
      Fri, Jul 23, 2021 10:30pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      It's a static site, so it's a pile of files. I can push those files around as much as I want, but changing them is not really feasible
      Fri, Jul 23, 2021 10:29pm +00:00 (via brid.gy)
    • Bertrand Carlier twitter.com/bertrandcarlier
      mod_auth_openidc for Apache or nginx equivalent by the excellent @hanszandbelt?
      Fri, Jul 23, 2021 10:29pm +00:00 (via brid.gy)
    • Jason Lengstorf twitter.com/jlengstorf
      can you say more about what the ideal workflow is? if you can set a cookie, you can allow/deny access based on cookie presence docs.netlify.com/routing/redire…
      Fri, Jul 23, 2021 10:28pm +00:00 (via brid.gy)
    • Jeremy Fiel twitter.com/jeremyfiel
      If you can't modify it, how do you have access to deploy it somewhere else?
      Fri, Jul 23, 2021 10:28pm +00:00 (via brid.gy)
    • certified post-corporate hellscape solutions twitter.com/4c4d
      idk i know heroku has their own local identity introspection implementation but i know nothing about it
      Fri, Jul 23, 2021 10:22pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      I have spent no joke like 4 hours trying to do this on @netlify already today and cannot for the life of me figure it out
      Fri, Jul 23, 2021 10:21pm +00:00 (via brid.gy)
    • certified post-corporate hellscape solutions twitter.com/4c4d
      so it might look something like, static asset in google Cloud Storage, sitting behind Identity Aware Proxy - we have a bunch of these sitting around. Higher traffic loads might require idk like some sort of cloud cdn and billing tiers tho idk
      Fri, Jul 23, 2021 10:21pm +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      That's exactly what I want, but is there anything lighter weight than those platforms? It feels way overkill. I can't find a corresponding feature in Netlify or Heroku for example though.
      Fri, Jul 23, 2021 10:20pm +00:00 (via brid.gy)
    • Jeremy Fiel twitter.com/jeremyfiel
      Netlify @cassidoo @jlengstorf can help
      Fri, Jul 23, 2021 10:20pm +00:00 (via brid.gy)
    • certified post-corporate hellscape solutions twitter.com/4c4d
      Google, Azure, AWS all have the concept of the identity aware proxy, which is something that inspects the jwt/token and denies access if it's not valid. I've used GCP's, and it's pretty well featured, but the other providers should be reasonable as well (it's a common feature)
      Fri, Jul 23, 2021 10:19pm +00:00 (via brid.gy)
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.