Aaron Parecki

No, don't think they have solved that yet... :-/ (I should have reread your original question completely "so that I can tie to an arbitrary OpenID Connect provider")

Sounds promising, but I still can't quite see all the pieces. Maybe we should do another livestream and tackle this live!

you could redirect through a serverless function to validate. JWT is probably easier since you'll presumably already have that through whatever service you're using for user management

how can I validate the contents of that cookie? From what I can tell in the docs the redirect method just checks for the presence of the cookie

but if you’re looking for a cookie, you can check for that in the redirect and send to auth if it’s not present the cookie redirect could be: /* /:splat 200! Cookie=your_cookie /* /login login could call a serverless function to set the cookie

That's promising, but can I use an external OpenID Connect IDP for that? I don't want to manage users in Netlify

In that case you could move the whole static site to a specific directory that is protected via a _redirects definition ? Access is only granted to a specific role. docs.netlify.com/visitor-access… Roles can be set via Identity

you can do user stuff without plugging into Netlify Identity. the important part is the app_metadata.roles in the token

I'm still a little confused about Netlify Identity, but it seems like it requires that I manage users in Netlify, which isn't what I want. Also wow the pricing 😮 $99/month/user in order to be able to use third party JWT tokens?

yeah, that definitely works! here’s some code to change roles if you need to, but in general Netlify Identity / roles will definitely let you gate content github.com/stripe-samples…

I followed a few links from there and it looks like possibly this is the answer? docs.netlify.com/visitor-access…

That won't work, I need to prevent access to the files entirely if the user isn't logged in.

Have you tried Snippet Injection? docs.netlify.com/site-deploys/p… You could inject the Identity code in your static code identity.netlify.com

Ideally I'd have something like a Netlify function run on every incoming request to check the presence of a cookie, validate it, and based on the result, either send an HTTP redirect to start an OIDC flow, or return the static file requested.

It's a static site, so it's a pile of files. I can push those files around as much as I want, but changing them is not really feasible

can you say more about what the ideal workflow is? if you can set a cookie, you can allow/deny access based on cookie presence docs.netlify.com/routing/redire…

If you can't modify it, how do you have access to deploy it somewhere else?