# steveiliop56/tinyauth

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/steveiliop56-tinyauth).**

6,979 stars · 221 forks · Go · gpl-3.0

## Links

- GitHub: https://github.com/steveiliop56/tinyauth
- Homepage: https://tinyauth.app
- awesome-repositories: https://awesome-repositories.com/repository/steveiliop56-tinyauth.md

## Topics

`2fa` `authentication` `caddy` `golang` `middleware` `nginx` `selfhosted` `sso` `tinyauth` `totp` `traefik-middleware` `typescipt`

## Description

Tinyauth is an authentication middleware service and identity provider that verifies user identities to grant system access. It operates as a standalone server or as an authentication gateway, utilizing a reverse proxy model to intercept requests and validate credentials before traffic reaches protected backend services.

The project functions as an OpenID Connect provider for single sign-on experiences and an OAuth 2.0 gateway that delegates verification to external providers such as Google and GitHub. It also acts as an LDAP authentication server, allowing for centralized user management and group-based authorization through external directory integration.

The system covers a broad range of access control capabilities, including path-based and IP-based filtering as well as identity-based restrictions. It also supports multi-factor authentication using time-based one-time passwords (TOTP) and stores credentials as bcrypt hashes.

The server is bootstrapped using environment variables to facilitate containerized deployments.

## Tags

### Security & Cryptography

- [Edge Security Enforcements](https://awesome-repositories.com/f/security-cryptography/edge-security-enforcements.md) — Acts as an authentication gateway that verifies identities and enforces access policies at the network boundary before traffic reaches backends. ([source](https://tinyauth.app/docs/community/kubernetes))
- [OIDC Identity Token Issuance](https://awesome-repositories.com/f/security-cryptography/oidc-identity-token-issuance.md) — Acts as an OpenID Connect provider that manages client registrations and issues standardized identity tokens.
- [OpenID Connect Providers](https://awesome-repositories.com/f/security-cryptography/openid-connect-providers.md) — Functions as a central OpenID Connect provider to enable single sign-on experiences across multiple applications. ([source](https://tinyauth.app/docs/guides/oidc/))
- [Reverse Proxy Authentication](https://awesome-repositories.com/f/security-cryptography/reverse-proxy-authentication.md) — Acts as an authentication gateway that intercepts requests to validate identity before forwarding traffic to backend services.
- [Authentication Middleware](https://awesome-repositories.com/f/security-cryptography/authentication-middleware.md) — Provides a standalone server or middleware component for verifying identity and authorization on incoming requests. ([source](https://cdn.jsdelivr.net/gh/steveiliop56/tinyauth@main/README.md))
- [Credential Hashing](https://awesome-repositories.com/f/security-cryptography/cryptography/credential-hashing.md) — Secures user passwords by storing one-way salted bcrypt hashes instead of plain text.
- [External Identity Provider Integration](https://awesome-repositories.com/f/security-cryptography/external-identity-provider-integration.md) — Delegates identity verification and user authentication to external providers using OAuth and LDAP. ([source](https://cdn.jsdelivr.net/gh/steveiliop56/tinyauth@main/README.md))
- [OAuth and Identity Providers](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/oauth-identity-providers.md) — Delegates user authentication and identity verification to OAuth 2.0 or OpenID Connect compliant providers. ([source](https://tinyauth.app/docs/guides/other-oauth/))
- [OAuth Provider Integrations](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/identity-service-providers/oauth-provider-integrations.md) — Provides standardized interfaces for registering and managing OAuth-based authentication providers. ([source](https://tinyauth.app/docs/guides/runtipi/))
- [Credential Validation](https://awesome-repositories.com/f/security-cryptography/identity-authentication/user-identity-verification/credential-validation.md) — Validates user identities via local passwords, Basic Auth, LDAP, or external OIDC providers to grant system access. ([source](https://tinyauth.app/docs/reference/authentication/))
- [LDAP Authentication](https://awesome-repositories.com/f/security-cryptography/ldap-authentication.md) — Delegates user authentication and group authorization to an external directory server using LDAP search filters.
- [Multi-Factor Authentication](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication.md) — Implements a secondary security layer by validating time-synchronized one-time passwords (TOTP).
- [Multi-Factor Authentication Providers](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication-providers.md) — Provides a security service that implements time-based one-time passwords for secondary identity verification.
- [OAuth Authentication](https://awesome-repositories.com/f/security-cryptography/oauth-authentication.md) — Operates as a central gateway delegating user verification to external providers via OAuth 2.0.
- [OIDC Identity Integrations](https://awesome-repositories.com/f/security-cryptography/oidc-identity-integrations.md) — Delegates authentication to external OpenID Connect servers to manage secure network access. ([source](https://tinyauth.app/docs/guides/pocket-id/))
- [Password Verification](https://awesome-repositories.com/f/security-cryptography/password-verification.md) — Verifies provided usernames and passwords against stored bcrypt hashes with optional TOTP validation. ([source](https://tinyauth.app/docs/reference/cli))
- [Reverse Proxy Security](https://awesome-repositories.com/f/security-cryptography/reverse-proxy-security.md) — Secures backend applications by offloading authentication and access control to a reverse proxy. ([source](https://cdn.jsdelivr.net/gh/steveiliop56/tinyauth@main/README.md))
- [Session Authentication](https://awesome-repositories.com/f/security-cryptography/session-authentication.md) — Manages secure user sessions by handling the login process and issuing session cookies. ([source](https://tinyauth.app/docs/reference/flow/))
- [Single Sign-On](https://awesome-repositories.com/f/security-cryptography/single-sign-on.md) — Provides a centralized login experience across multiple applications using the OpenID Connect protocol.
- [Third-Party Authentication Providers](https://awesome-repositories.com/f/security-cryptography/third-party-authentication-providers.md) — Integrates with external OAuth identity providers to allow users to sign in with third-party accounts. ([source](https://tinyauth.app/docs/community/zitadel-oauth/))
- [Multi-Provider Authentication](https://awesome-repositories.com/f/security-cryptography/third-party-authentication-providers/multi-provider-authentication.md) — Supports authentication across multiple third-party identity providers using configurable credentials. ([source](https://tinyauth.app/docs/breaking-updates/3-to-4/))
- [Two-Factor Authentication](https://awesome-repositories.com/f/security-cryptography/two-factor-authentication.md) — Implements two-factor authentication using time-based one-time passwords from authenticator apps. ([source](https://tinyauth.app/docs/guides/totp/))
- [Identity Header Injections](https://awesome-repositories.com/f/security-cryptography/user-identity-management/identity-header-injections.md) — Injects authenticated user and group metadata into request headers for downstream application authorization. ([source](https://tinyauth.app/docs/reference/headers/))
- [Group-Based Access Controls](https://awesome-repositories.com/f/security-cryptography/access-restrictions/group-based-access-controls.md) — Grants access to authorized users by validating membership in specific OIDC or LDAP groups. ([source](https://tinyauth.app/docs/guides/access-controls/))
- [Application Access Controls](https://awesome-repositories.com/f/security-cryptography/application-access-controls.md) — Defines granular permission rules for applications based on identity, groups, IP addresses, or request paths. ([source](https://tinyauth.app/docs/breaking-updates/3-to-4/))
- [Client Registration Protocols](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/oauth-identity-providers/client-registration-protocols.md) — Implements standardized procedures for onboarding and registering client applications within the OIDC system. ([source](https://tinyauth.app/docs/guides/oidc/))
- [Identity-Based Access Control](https://awesome-repositories.com/f/security-cryptography/identity-based-access-control.md) — Blocks or allows application access based on user lists, email patterns, or group memberships. ([source](https://tinyauth.app/docs/reference/labels/))
- [Identity Provider Integrations](https://awesome-repositories.com/f/security-cryptography/identity-provider-integrations.md) — Synchronizes and forwards user identities and group memberships from OIDC or LDAP providers to applications. ([source](https://tinyauth.app/docs/guides/oidc/))
- [Path-Based Access Rules](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/network-security/network-routing-access-control/network-access-controls/path-based-access-rules.md) — Uses regular expression matching to define which URL paths require authentication or remain public. ([source](https://tinyauth.app/docs/reference/labels/))
- [Session Security Policies](https://awesome-repositories.com/f/security-cryptography/security/policies/web-content-controls/session-security-policies.md) — Provides configurable security policies for sessions, including expiry, lifetimes, and secure cookie requirements. ([source](https://tinyauth.app/docs/reference/configuration/))
- [Cross-Subdomain Session Management](https://awesome-repositories.com/f/security-cryptography/session-authentication/cross-subdomain-session-management.md) — Maintains a single authenticated user session across different subdomains by configuring shared cookies at the parent domain level. ([source](https://tinyauth.app/docs/getting-started))
- [Cross-Subdomain Session Sharing](https://awesome-repositories.com/f/security-cryptography/session-cookie-handlers/cross-subdomain-session-sharing.md) — Shares authentication state across multiple subdomains by setting session cookies on the common parent domain.
- [User-Based Access Restrictions](https://awesome-repositories.com/f/security-cryptography/user-access-management/user-based-access-restrictions.md) — Provides the ability to block or allow specific user identities and OAuth emails from accessing applications. ([source](https://tinyauth.app/docs/guides/access-controls/))

### Software Engineering & Architecture

- [Request Interception Middleware](https://awesome-repositories.com/f/software-engineering-architecture/request-interception-middleware.md) — Operates as an authentication gateway that intercepts requests and validates credentials before forwarding traffic to backends.

### Artificial Intelligence & ML

- [Secret Generation](https://awesome-repositories.com/f/artificial-intelligence-ml/agentic-systems-frameworks/agent-orchestration-multi-agent/security-and-auth/authentication-strategies/passwords-mfa/totp-authentication-systems/secret-generation.md) — The Authelia server creates a time-based one-time password secret and QR code to enable multi-factor authentication for a user. ([source](https://tinyauth.app/docs/reference/cli))

### Data & Databases

- [Session Storage](https://awesome-repositories.com/f/data-databases/data-engineering-infrastructure/data-persistence-storage/data-storage/session-storage-synchronization/session-storage.md) — Enhances security and state persistence by storing user session data in a persistent database. ([source](https://tinyauth.app/docs/breaking-updates/3-to-4/))

### DevOps & Infrastructure

- [Authentication Integration](https://awesome-repositories.com/f/devops-infrastructure/ingress-controllers/authentication-integration.md) — Integrates with Kubernetes ingress controllers via annotations to forward authentication checks to the server. ([source](https://tinyauth.app/docs/community/kubernetes/))

### System Administration & Monitoring

- [Group Access Controls](https://awesome-repositories.com/f/system-administration-monitoring/group-access-controls.md) — Restricts application access by extracting and validating group memberships from an LDAP provider. ([source](https://tinyauth.app/docs/guides/ldap/))
- [IP Access Restrictions](https://awesome-repositories.com/f/system-administration-monitoring/ip-address-blocklists/ip-access-restrictions.md) — Restricts or allows traffic based on IP addresses and CIDR subnets to manage trusted access. ([source](https://tinyauth.app/docs/guides/access-controls/))
