Skip to content

Telegram auth provider for NGINX and NGINX Ingress controller

License

Notifications You must be signed in to change notification settings

Qusic/TelegramAuth

Repository files navigation

TelegramAuth

Authorization server using Telegram as the authentication provider.

Works with:

Usage:

  1. Create config.yaml.
  2. Run the executable in the directory containing the config file.

Endpoints:

  • /prefix/
    Reverse proxy should send subrequest with cookies here to check the auth status.
    If the response is 200, proceed with the original request.
    If the response is 401, redirect to the login page.
  • /prefix/login
    Unauthorized users should be redirected here to login with Telegram.
  • /prefix/callback
    Telegram redirects authenticated users here to further redirect them to the app if authorized.

Example with NGINX Ingress controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myauth
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            pathType: Prefix
            backend: # service of TelegramAuth deployment
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/auth/?role=abc"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/auth/login?role=abc"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Telegram-Auth"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: # service of upstream app

You can define multiple roles in the config file and refer to one of them using a configurable query parameter role in auth-url and auth-signin. This way, one instance of TelegramAuth is capable to handle multiple upstream apps with different sets of authorized users.

NGINX Ingress controller use rd query parameter to pass the original request url for redirecting after auth completion. The parameter for redirect url is configurable.

After myapp is set up with Telegram Login, you can read the X-Telegram-Auth request header in the upstream server to know who is using your app.

Releases

No releases published

Packages

No packages published