Telegram auth provider for NGINX and NGINX Ingress controller

Qusic/TelegramAuth

Latest commit: 6fe5f25 · Feb 25, 2023

TelegramAuth

Authorization server using Telegram as the authentication provider.

Works with:

Usage:

  1. Create config.yaml.
  2. Run the executable in the directory containing the config file.

Endpoints:

  • /prefix/
    The reverse proxy should send a subrequest with cookies here to check the auth status.
    If the response is 200, proceed with the original request.
    If the response is 401, redirect to the login page.
  • /prefix/login
    Unauthorized users should be redirected here to log in with Telegram.
  • /prefix/callback
    Telegram redirects authenticated users here; if they are authorized, they are redirected on to the app.
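
What the /prefix/callback step has to establish before trusting a redirect from Telegram, as an added example that is not TelegramAuth's own code: it follows Telegram's published Login Widget check (HMAC-SHA256 over the sorted fields, keyed with the SHA-256 of the bot token). The sample token, the field allowlist, the 300-second window, and the presence of role and rd on the callback URL are assumptions.

```python
import hashlib
import hmac
import time

# Fields the Telegram Login Widget signs; anything else on the callback URL
# (assumed here: this page's role and rd parameters) is outside the signature
# and has to be validated by the server on its own.
TELEGRAM_FIELDS = {"id", "first_name", "last_name", "username", "photo_url", "auth_date"}
MAX_AGE_SECONDS = 300  # assumed freshness window, not a TelegramAuth setting


def sign_login(fields, bot_token):
    """Hex HMAC-SHA256 of the sorted key=value lines, keyed with SHA256(bot token)."""
    check_string = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    secret = hashlib.sha256(bot_token.encode()).digest()
    return hmac.new(secret, check_string.encode(), hashlib.sha256).hexdigest()


def verify_login(params, bot_token, now=None):
    """Return the Telegram user id if params are authentic and fresh, else None."""
    received = params.get("hash", "")
    fields = {k: v for k, v in params.items() if k in TELEGRAM_FIELDS}
    if not received or "id" not in fields or "auth_date" not in fields:
        return None
    expected = sign_login(fields, bot_token)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # forged or modified parameters
    try:
        age = (time.time() if now is None else now) - int(fields["auth_date"])
    except ValueError:
        return None
    if not 0 <= age <= MAX_AGE_SECONDS:
        return None  # login data too old (or dated in the future)
    return fields["id"]


# Constructed sample: a made-up bot token and a callback query signed with it.
SAMPLE_TOKEN = "123456:constructed-token-for-illustration"
SAMPLE_NOW = 1_700_000_100
SAMPLE_QUERY = {"id": "42", "first_name": "Alice", "username": "alice",
                "auth_date": "1700000000", "role": "abc", "rd": "https://example.com/"}
SAMPLE_QUERY["hash"] = sign_login(
    {k: v for k, v in SAMPLE_QUERY.items() if k in TELEGRAM_FIELDS}, SAMPLE_TOKEN)

if __name__ == "__main__":
    print(verify_login(SAMPLE_QUERY, SAMPLE_TOKEN, now=SAMPLE_NOW))                 # 42
    print(verify_login({**SAMPLE_QUERY, "id": "7"}, SAMPLE_TOKEN, now=SAMPLE_NOW))  # None
```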

Example with NGINX Ingress controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myauth
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            pathType: Prefix
            backend: # service of TelegramAuth deployment
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/auth/?role=abc"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/auth/login?role=abc"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Telegram-Auth"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: # service of upstream app

You can define multiple roles in the config file and refer to one of them using a configurable query parameter, role, in auth-url and auth-signin. This way, one instance of TelegramAuth is capable of handling multiple upstream apps with different sets of authorized users.

NGINX Ingress controller uses the rd query parameter to pass the original request URL for redirecting after auth completion. The parameter for the redirect URL is configurable.

After myapp is set up with Telegram Login, you can read the X-Telegram-Auth request header in the upstream server to know who is using your app. Trust the header only when the upstream is reachable solely through the ingress, since a client that can reach the upstream directly can set the header itself.
