Skip to content

tinyauth

Reverse Proxies & Load Balancers

The tiniest authentication and authorization server you have ever seen, working as middleware or a standalone service.

Track releases GitHub Website
Go Latest v5.0.7 · 1mo ago Security brief →

Features

  • Provides OAuth, LDAP, and fine‑grained access‑control capabilities
  • Can be used as an authentication middleware for your applications
  • Runs as a standalone auth server

Recent releases

View all 8 releases →
v5.0.7 Breaking risk
Notable features
  • OpenID Connect server now supports PKCE
  • User information endpoint supports POST requests with access token in body
  • Unsigned OpenID Connect request objects now supported
Full changelog

Tinyauth v5.0.7

Hello everyone! This is officially the last release under my username. After this last patch, Tinyauth will move to its new home tinyauthapp, no breaking changes for now. As for this release, it addresses some further issues with the Envoy proxy and improves the OpenID Connect experience.

Improvements

  • The OpenID Connect server now supports PKCE
  • The OpenID Connect user information endpoint now supports POST requests @scottmckendry
  • The OpenID Connect user information endpoint now supports the access token in the POST request body @scottmckendry
  • The OAuth flow now supports the OpenID Connect parameters and stores CSRF states server-side for anti-tampering
  • Add X-Tinyauth-Location header for Nginx instances to support redirect to login and unauthorized pages automatically
  • Support unsigned OpenID Connect request objects @scottmckendry
  • Accessibility improvements

Fixes

  • Use 307 redirects for Envoy proxy
  • Fix TOTP field auto-fill not working in some password managers @scottmckendr

Technical

  • Update dependencies
  • Update translations
  • Use own fork of the paerser library for better flexibility in configuration parsing
  • Fail app early when the app URL is missing

Please let us know of any issues so we can address them as soon as possible.

Full Changelog: https://github.com/steveiliop56/tinyauth/compare/v5.0.6...v5.0.7

View release on GitHub
v5.0.6 Bug fix

Fixed browser detection for traffic passing through certain proxies and refreshed dependencies to close hidden bugs, improving reliability of auth redirects.

View release on GitHub
v5.0.5 Security relevant
Security fixes
  • GHSA-9q5m-jfc4-wc92: OAuth flow vulnerability
Notable features
  • Multiple simultaneous OAuth login attempts
  • Nginx and Envoy proxy support
View release on GitHub
v5.0.3 Security relevant
Security fixes
  • GHSA-xg2q-62g2-cvcm: Empty X-Forwarded headers bypass
  • GHSA-3q28-qjrv-qr39: 2FA flow and client ID validation
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
7,420
Forks
237
Languages
Go TypeScript CSS
View on GitHub Homepage Live demo Documentation

Install & Platforms

Install via
docker-compose

Community & Support

Discord

Similar tools

oauth2-proxy
nforwardauth
docker-swag
caddy
zoraxy

Beta — feedback welcome: [email protected]