This is a simple authentication server that uses secure cookies to authenticate users. It is meant for home lab use and is not meant to be used in production.
Currently it only supports forward auth from NGINX. It can be used to put authentication in front of services that have no auth of their own, or that accept an authenticated identity from a trusted request header.
Every authentication system makes different tradeoffs. This system is designed to be easy to use and secure enough for home lab use.
The goal is to make the tradeoffs that only make sense in a home lab environment. Using this in an enterprise setting would be stupid: can you imagine a sysadmin restarting the auth server because one user forgot their password?
OWASP Top 10 (2021) categories to check against:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
Alternative auth systems often use Redis and/or PostgreSQL to manage their state and users. But maintaining two databases is a lot of effort, and if either one breaks you can be locked out of your entire cluster.
So we want to have a rock-solid auth server that is stupidly simple. Instead of storing users in a database, we store them in a YAML file. Instead of storing sessions in Redis, we store them in memory.
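The design above, reduced to a runnable sketch: users loaded from a flat YAML file of password hashes, sessions held in a plain dict, and a forward-auth verify endpoint that checks a signed, Secure/HttpOnly cookie. This is an added example and not stupid-auth's own code. The users.yaml layout (`username: pbkdf2$salt$hash`), the cookie name `stupid_auth`, the `X-Forwarded-User` response header and the method names are assumptions made for the illustration; the forward-auth contract it follows is the standard NGINX one, where the auth server receives the original request's cookies and answers 200 to allow the request or 401 to send the browser to the sign-in page.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "stupid_auth"   # assumed cookie name, not taken from the project
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return 'pbkdf2$<salt hex>$<digest hex>' for storage in users.yaml."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check of a password against a stored hash string."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(parts[1]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex().encode(), parts[2].encode())


def make_users_yaml(plaintext_users):
    """Build a constructed users.yaml with one 'username: hash' line per user.
    The flat layout is an assumption of this example, not the project's schema."""
    lines = ["# users.yaml (constructed for this example)"]
    for name, password in plaintext_users.items():
        lines.append(f"{name}: {hash_password(password)}")
    return "\n".join(lines) + "\n"


def load_users(users_yaml):
    """Minimal reader for the flat layout above (no PyYAML dependency)."""
    users = {}
    for raw in users_yaml.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"bad users.yaml line: {raw!r}")
        users[name.strip()] = value.strip()
    return users


class AuthServer:
    """Sessions and the cookie-signing key live only in this object: a
    restart (a new instance) forgets every session, by design."""

    def __init__(self, users_yaml):
        self.users = load_users(users_yaml)
        self.sessions = {}                    # session id -> username
        self.key = secrets.token_bytes(32)    # fresh per process

    def _sign(self, session_id):
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password):
        """Return a Set-Cookie header value on success, None on failure."""
        stored = self.users.get(username)
        if stored is None or not verify_password(password, stored):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        # Secure: TLS only. HttpOnly: hidden from scripts. SameSite=Lax: not
        # attached to cross-site POSTs, which blunts CSRF against the apps behind it.
        return (f"{COOKIE_NAME}={session_id}.{self._sign(session_id)}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")

    def verify(self, cookie_header):
        """Forward-auth endpoint. NGINX forwards the original Cookie header;
        200 plus identity headers lets the request through, 401 makes NGINX
        redirect the browser to the sign-in page. Returns (status, headers)."""
        cookies = SimpleCookie()
        cookies.load(cookie_header or "")
        morsel = cookies.get(COOKIE_NAME)
        if morsel is None:
            return 401, {}
        session_id, _, signature = morsel.value.rpartition(".")
        # Check the MAC before touching the session table, so a forged cookie
        # cannot probe for live session ids.
        if not hmac.compare_digest(signature.encode(), self._sign(session_id).encode()):
            return 401, {}
        username = self.sessions.get(session_id)
        if username is None:
            return 401, {}
        return 200, {"X-Forwarded-User": username}   # header name assumed


if __name__ == "__main__":
    users_yaml = make_users_yaml({"alice": "correct horse battery staple"})
    server = AuthServer(users_yaml)
    set_cookie = server.login("alice", "correct horse battery staple")
    browser_cookie = set_cookie.split(";")[0]   # what the browser sends back
    print(server.verify(browser_cookie))        # (200, {'X-Forwarded-User': 'alice'})
    print(server.verify(browser_cookie + "x"))  # tampered signature -> (401, {})
    print(AuthServer(users_yaml).verify(browser_cookie))  # "restart" -> (401, {})
```

The last line of the `__main__` block is the tradeoff this paragraph accepts: constructing a second `AuthServer` stands in for a restart, and every cookie issued before it is rejected because both the session table and the signing key lived only in memory. Changing a password is the same story in the other direction: edit users.yaml, restart, and everyone is logged out. On the NGINX side, the ingress controller's auth-url annotation points at the verify endpoint and auth-signin at the login page; the example does not show that wiring, since the project's endpoint paths are not given here.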
- nginx ingress
- traefik
- haproxy
- envoy
To set up stupid-auth, you will probably want to first create an empty users Kubernetes secret so the application can start.
Open https://stupid-auth.example.com/tutorial in your browser and follow the instructions.
From the tutorial you will learn how to create a users.yaml file and how to create a secret from it.
kubectl create secret generic stupid-auth-users --from-file=users.yaml