
Tinyauth

To create a user and generate a secret, see the official docs: https://tinyauth.app/docs/getting-started

Docker Compose

```yaml
services:
  tinyauth:
    image: ghcr.io/steveiliop56/tinyauth:v3
    container_name: tinyauth
    restart: unless-stopped
    environment:
      - BACKGROUND_IMAGE=https://auth.domain.lol/api/application-images/background
      - APP_TITLE=Auth
      - SECRET=<32-character secret>
      - APP_URL=https://tinyauth.domain.lol
      - USERS=<see docs on creating a user> # can be commented out to allow only OIDC
      - DISABLE_CONTINUE=true
      - FORGOT_PASSWORD_MESSAGE=Contact site Administrator.
      # OIDC for Pocket ID
      - GENERIC_CLIENT_ID=
      - GENERIC_CLIENT_SECRET=
      - GENERIC_AUTH_URL=https://auth.domain.lol/authorize
      - GENERIC_TOKEN_URL=https://auth.domain.lol/api/oidc/token
      - GENERIC_USER_URL=https://auth.domain.lol/api/oidc/userinfo
      - GENERIC_SCOPES=openid email profile groups
      - GENERIC_NAME=Pocket ID
      - OAUTH_AUTO_REDIRECT=generic # automatically redirect to Pocket ID every time
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.domain.lol`)
      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
    networks:
      - reverseproxy-nw
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # required to use tinyauth labels

networks:
  reverseproxy-nw:
    external: true
```

Access Controls

Full documentation on access controls can be found at: https://tinyauth.app/docs/guides/access-controls

Access controls are configured with container labels, so Tinyauth needs the Docker socket mounted in order to read them. Ensure the socket is mounted:

```yaml
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

Users whitelist

Let's say we have two users, user1 and user2, and we need to restrict access to our app to only user1. This can be done by adding the users label to it:

```yaml
tinyauth.users: user1
```

OAuth whitelist

The above example also applies to OAuth users. If we use user1@example.com and user2@example.com and need to restrict access to our app to only user1@example.com, this can be done by using the oauth.whitelist label:

```yaml
tinyauth.oauth.whitelist: user1@example.com
```

Allowed paths

Tinyauth also supports skipping authentication for specific paths. This can be useful if an API path needs to be reachable without logging in to Tinyauth. You can allow a path using the allowed label, whose value is a regular expression matched against the request path:

Info: For example, ^\/api matches any path starting with /api.

```yaml
tinyauth.allowed: ^\/api
```

Access controls using OIDC groups

Some OIDC servers like Pocket ID support user groups in the OIDC response. If your OIDC server supports this, you can use groups to manage access controls. To begin, make sure that the GENERIC_SCOPES/--generic-scopes config option includes the groups scope. Then add the oauth.groups label to your app:

```yaml
tinyauth.oauth.groups: admin
```
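Putting the labels on the application they protect, as an added example that is not from this page or the Tinyauth docs: the service name myapp, its hostname, the traefik/whoami image and the admin group are assumptions, and the router is attached to the forwardauth middleware declared on the tinyauth container above via Traefik's middlewares label.

```yaml
# Added example: an app behind the tinyauth forwardauth middleware, with the
# access-control labels from this page. Service name, hostname, image and
# group name are assumptions.
services:
  myapp:
    image: traefik/whoami
    container_name: myapp
    networks:
      - reverseproxy-nw
    labels:
      traefik.enable: true
      traefik.http.routers.myapp.rule: Host(`myapp.domain.lol`)
      # Send every request through the "tinyauth" middleware defined on the
      # tinyauth container; "@docker" names the Traefik provider it came from.
      traefik.http.routers.myapp.middlewares: tinyauth@docker
      # Local users: only user1 may open this app.
      tinyauth.users: user1
      # OAuth users: only members of the OIDC "admin" group may open this app
      # (requires the groups scope in GENERIC_SCOPES). To restrict by account
      # instead, use tinyauth.oauth.whitelist: user1@example.com
      tinyauth.oauth.groups: admin
      # Requests whose path matches this regex skip authentication entirely.
      # ^\/api also matches /apiv2 or /api-admin, so keep the pattern as
      # narrow as the unauthenticated endpoint really requires.
      tinyauth.allowed: ^\/api

networks:
  reverseproxy-nw:
    external: true
```

Tinyauth reads these labels through the mounted Docker socket, so the socket mount on the tinyauth service is what makes per-app access controls work.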
