loginsrv

loginsrv is a standalone minimalistic login server providing a JWT login for multiple login backends.

** Attention: Update to v1.3.0 for Google Login Update !!!! **

Google will stop support for the Google+ APIs. So we changed loginsrv to use the standard oauth endpoints for Google login. Please update loginsrv to v1.3.0 if you are using google login.

** Attention: Since v1.3.0, pure HTTP is not supported by default **

Since v1.3.0, loginsrv sets the secure flag for the login cookie. So, if you use HTTP fo connect with the browser, e.g. for testing, you browser will ignore the cookie. Use the flag -cookie-secure=false when testing without HTTPS.

Abstract

Loginsrv provides a minimal endpoint for authentication. The login is performed against the providers and returned as a JSON Web Token (JWT). It can be used as:

• Standalone microservice
• Docker container
• Golang library
• Caddy plugin. (See caddy/README.md for details)

Supported Provider Backends

The following providers (login backends) are supported.

• Htpasswd
• OSIAM
• Simple (user/password pairs by configuration)
• Httpupstream
• OAuth2
  • GitHub login
  • Google login
  • Bitbucket login
  • Facebook login
  • Gitlab login

Questions

For questions and support please use the Gitter chat room.

Configuration and Startup

Config Options

Note for Caddy users: Not all parameters are available in Caddy. See the table for details. With Caddy, the parameter names can also be used with _ in the names, e.g. cookie_http_only.

| Parameter | Type | Default | Caddy | Description | |-----------------------------|-------------|--------------|-------|-------------------------------------------------------------------------------------------------------| | -cookie-domain | string | | X | Optional domain parameter for the cookie | | -cookie-expiry | string | session | X | Expiry duration for the cookie, e.g. 2h or 3h30m | | -cookie-http-only | boolean | true | X | Set the cookie with the HTTP only flag | | -cookie-name | string | "jwt_token" | X | Name of the JWT cookie | | -cookie-secure | boolean | true | X | Set the secure flag on the JWT cookie. (Set this to false for plain HTTP support) | | -github | value | | X | OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..] | | -google | value | | X | OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..] | | -bitbucket | value | | X | OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..] | | -facebook | value | | X | OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..] | | -gitlab | value | | X | OAuth config in the form: client_id=..,client_secret=..[,scope=..,][redirect_uri=..] | | -host | string | "localhost" | - | Host to listen on | | -htpasswd | value | | X | Htpasswd login backend opts: file=/path/to/pwdfile | | -jwt-expiry | go duration | 24h | X | Expiry duration for the JWT token, e.g. 2h or 3h30m | | -jwt-secret | string | "random key" | X | Secret used to sign the JWT token. (See caddy/README.md for details.) | | -jwt-secret-file | string | | X | File to load the jwt-secret from, e.g. /run/secrets/some.key. Takes precedence over jwt-secret! | | -jwt-algo | string | "HS512" | X | Signing algorithm to use (ES256, ES384, ES512, RS256, RS384, RS512, HS256, HS384, HS512) | | -log-level | string | "info" | - | Log level | | -login-path | string | "/login" | X | Path of the login resource | | -logout-url | string | | X | URL or path to redirect to after logout | | -osiam | value | | X | OSIAM login backend opts: endpoint=..,client_id=..,client_secret=.. | | -port | string | "6789" | - | Port to listen on | | -redirect | boolean | true | X | Allow dynamic overwriting of the the success by query parameter | | -redirect-query-parameter | string | "backTo" | X | URL parameter for the redirect target | | -redirect-check-referer | boolean | true | X | Check the referer header to ensure it matches the host header on dynamic redirects | | -redirect-host-file | string | "" | X | A file containing a list of domains that redirects are allowed to, one domain per line | | -simple | value | | X | Simple login backend opts: user1=password,user2=password,.. | | -success-url | string | "/" | X | URL to redirect to after login | | -template | string | | X | An alternative template for the login form | | -text-logging | boolean | true | - | Log in text format instead of JSON | | -jwt-refreshes | int | 0 | X | The maximum number of JWT refreshes | | -grace-period | go duration | 5s | - | Duration to wait after SIGINT/SIGTERM for existing requests. No new requests are accepted. | | -user-file | string | | X | A YAML file with user specific data for the tokens. (see below for an example) | | -user-endpoint | string | | X | URL of an endpoint providing user specific data for the tokens. (see below for an example) | | -user-endpoint-token | string | | X | Authentication token used when communicating with the user endpoint | | -user-endpoint-timeout | go duration | 5s | X | Timeout used when communicating with the user endpoint |

Environment Variables

All of the above Config Options can also be applied as environment variables by using variables named this way: LOGINSRV_OPTION_NAME. So e.g. jwt-secret can be set by environment variable LOGINSRV_JWT_SECRET.

Startup Examples

The simplest way to use loginsrv is by the provided docker container. E.g. configured with the simple provider:

$ docker run -d -p 8080:8080 tarent/loginsrv -cookie-secure=false -jwt-secret my_secret -simple bob=secret

$ curl --data "username=bob&password=secret" 127.0.0.1:8080/login
eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib2IifQ.uWoJkSXTLA_RvfLKe12pb4CyxQNxe5_Ovw-N5wfQwkzXz2enbhA9JZf8MmTp9n-TTDcWdY3Fd1SA72_M20G9lQ

The same configuration could be written with environment variables this way:

$ docker run -d -p 8080:8080 -E COOKIE_SECURE=false -e LOGINSRV_JWT_SECRET=my_secret -e LOGINSRV_BACKEND=provider=si