diff --git a/.gitignore b/.gitignore
index 6240da8..aa33e56 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,6 @@ pnpm-debug.log*
# macOS-specific files
.DS_Store
+
+# idea
+/.idea/
\ No newline at end of file
diff --git a/astro.config.mjs b/astro.config.mjs
index 8118cf3..1eab5a5 100644
--- a/astro.config.mjs
+++ b/astro.config.mjs
@@ -116,6 +116,10 @@ export default defineConfig({
label: "Runtipi",
slug: "docs/guides/runtipi",
},
+ {
+ label: "Tailscale",
+ slug: "docs/guides/tailscale",
+ },
{
label: "Using the Binary",
slug: "docs/guides/using-the-binary",
@@ -134,10 +138,18 @@ export default defineConfig({
label: "Zerobyte",
slug: "docs/integrations/zerobyte",
},
+ {
+ label: "Tailscale",
+ slug: "docs/integrations/tailscale",
+ },
{
label: "Immich",
slug: "docs/integrations/immich",
},
+ {
+ label: "Beszel",
+ slug: "docs/integrations/beszel",
+ },
],
},
{
diff --git a/public/screenshots/beszel/beszel_collection_controls.png b/public/screenshots/beszel/beszel_collection_controls.png
new file mode 100644
index 0000000..5eef52e
Binary files /dev/null and b/public/screenshots/beszel/beszel_collection_controls.png differ
diff --git a/public/screenshots/beszel/beszel_create_provider.png b/public/screenshots/beszel/beszel_create_provider.png
new file mode 100644
index 0000000..33bfc77
Binary files /dev/null and b/public/screenshots/beszel/beszel_create_provider.png differ
diff --git a/public/screenshots/beszel/beszel_external_auths.png b/public/screenshots/beszel/beszel_external_auths.png
new file mode 100644
index 0000000..35d1f3d
Binary files /dev/null and b/public/screenshots/beszel/beszel_external_auths.png differ
diff --git a/public/screenshots/beszel/beszel_login.png b/public/screenshots/beszel/beszel_login.png
new file mode 100644
index 0000000..0fda13b
Binary files /dev/null and b/public/screenshots/beszel/beszel_login.png differ
diff --git a/public/screenshots/beszel/beszel_providers.png b/public/screenshots/beszel/beszel_providers.png
new file mode 100644
index 0000000..0c2e3a5
Binary files /dev/null and b/public/screenshots/beszel/beszel_providers.png differ
diff --git a/public/screenshots/beszel/beszel_system_users.png b/public/screenshots/beszel/beszel_system_users.png
new file mode 100644
index 0000000..ba3f9e4
Binary files /dev/null and b/public/screenshots/beszel/beszel_system_users.png differ
diff --git a/public/screenshots/oidc/authorize.png b/public/screenshots/oidc/authorize.png
index 5bc7a18..b2f17b7 100644
Binary files a/public/screenshots/oidc/authorize.png and b/public/screenshots/oidc/authorize.png differ
diff --git a/public/screenshots/tailscale/tailscale_api_token.png b/public/screenshots/tailscale/tailscale_api_token.png
new file mode 100644
index 0000000..85b5e58
Binary files /dev/null and b/public/screenshots/tailscale/tailscale_api_token.png differ
diff --git a/public/screenshots/tailscale/tailscale_keys.png b/public/screenshots/tailscale/tailscale_keys.png
new file mode 100644
index 0000000..80960db
Binary files /dev/null and b/public/screenshots/tailscale/tailscale_keys.png differ
diff --git a/public/screenshots/tailscale/tailscale_login.png b/public/screenshots/tailscale/tailscale_login.png
new file mode 100644
index 0000000..263963e
Binary files /dev/null and b/public/screenshots/tailscale/tailscale_login.png differ
diff --git a/public/screenshots/tailscale/tailscale_settings.png b/public/screenshots/tailscale/tailscale_settings.png
new file mode 100644
index 0000000..10567ca
Binary files /dev/null and b/public/screenshots/tailscale/tailscale_settings.png differ
diff --git a/public/tinyauth-dark.png b/public/tinyauth-dark.png
index 62a96bf..9470b06 100644
Binary files a/public/tinyauth-dark.png and b/public/tinyauth-dark.png differ
diff --git a/src/content/docs/docs/about.mdx b/src/content/docs/docs/about.mdx
index df978d3..c069b27 100644
--- a/src/content/docs/docs/about.mdx
+++ b/src/content/docs/docs/about.mdx
@@ -15,7 +15,7 @@ Tinyauth was developed as a personal challenge to create a robust application an
## Suitable Use Cases
-Tinyauth is not intended for production environments. Its primary purpose is to add a login screen to applications in homelabs or to facilitate resource sharing with family and friends. For scenarios requiring advanced user management, Authentik is recommended.
+Tinyauth's main purpose is to add a login screen to applications in homelabs or to facilitate resource sharing with family and friends. It is not designed for production environments, which require features like RBAC and more granular permissions. For scenarios requiring advanced user management, Authentik is recommended.
## Future Direction
diff --git a/src/content/docs/docs/community/caddy.mdx b/src/content/docs/docs/community/caddy.mdx
index 623365a..01aa6c3 100644
--- a/src/content/docs/docs/community/caddy.mdx
+++ b/src/content/docs/docs/community/caddy.mdx
@@ -68,6 +68,12 @@ services:
caddy.reverse_proxy: "{{upstreams 3000}}"
```
+It is recommended (and required for IP address ACLs) that you set the `TINYAUTH_AUTH_TRUSTEDPROXIES` environment variable (`--auth.trustedproxies` for CLI flags and `auth.trustedProxies` for YAML) to the IP address of your Caddy instance so Tinyauth can trust the `X-Real-IP` and `X-Forwarded-For`headers and get the correct client IP.
+
+:::note
+For Caddy setups in Docker (like this one), you will need to ensure that Caddy detects the correct IP address. Because Docker uses NAT for containers, you will probably need to run Caddy in `network_mode: host`.
+:::
+
## Securing a Service
Place any service behind Tinyauth. The only addition required to secure a service is the reusable snippet, `tinyauth_forwarder`, created earlier:
diff --git a/src/content/docs/docs/community/kubernetes.mdx b/src/content/docs/docs/community/kubernetes.mdx
index bafefcf..baa7e83 100644
--- a/src/content/docs/docs/community/kubernetes.mdx
+++ b/src/content/docs/docs/community/kubernetes.mdx
@@ -77,6 +77,8 @@ spec:
periodSeconds: 10
```
+It is recommended (and required for IP address ACLs) that you also set the `TINYAUTH_AUTH_TRUSTEDPROXIES` environment variable to the IP address of your Nginx/Istio instance so Tinyauth can trust the `X-Real-IP` and `X-Forwarded-For`headers and get the correct client IP.
+
## Create a Service
Create the service:
@@ -159,6 +161,8 @@ extensionProviders:
pathPrefix: "/api/auth/envoy?path="
includeRequestHeadersInCheck: ["cookie", "x-forwarded-for", "x-forwarded-proto", "x-forwarded-host", "accept", "user-agent"]
includeAdditionalHeadersInCheck:
+ "x-forwarded-for": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
+ "x-real-ip": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
"x-forwarded-proto": "%REQ(:SCHEME)%"
"x-forwarded-host": "%REQ(:AUTHORITY)%"
"x-forwarded-uri": "%REQ(:PATH)%"
diff --git a/src/content/docs/docs/getting-started.mdx b/src/content/docs/docs/getting-started.mdx
index fdae935..d58de5d 100644
--- a/src/content/docs/docs/getting-started.mdx
+++ b/src/content/docs/docs/getting-started.mdx
@@ -108,6 +108,13 @@ tinyauth:
traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
```
+It is recommended (and required for IP address ACLs) that you set the `TINYAUTH_AUTH_TRUSTEDPROXIES` environment variable (`--auth.trustedproxies` for CLI flags and `auth.trustedProxies` for YAML) to the IP address of your Traefik instance so Tinyauth can trust the `X-Real-IP` and `X-Forwarded-For`headers and get the correct client IP. For a Docker-based deployment,
+`172.17.0.0/16` should work.
+
+:::caution
+For Traefik setups in Docker (like this one), you will need to ensure that Traefik detects the correct IP address. Because Docker uses NAT for containers, you will probably need to run Traefik in `network_mode: host`.
+:::
+
To protect additional applications, include the following label in their configuration:
```yaml
@@ -145,6 +152,7 @@ services:
environment:
- TINYAUTH_APPURL=https://tinyauth.example.com
- TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+ - TINYAUTH_AUTH_TRUSTEDPROXIES=172.17.0.0/16
labels:
traefik.enable: true
traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
diff --git a/src/content/docs/docs/guides/access-controls.mdx b/src/content/docs/docs/guides/access-controls.mdx
index b13f4c0..cca6cbc 100644
--- a/src/content/docs/docs/guides/access-controls.mdx
+++ b/src/content/docs/docs/guides/access-controls.mdx
@@ -6,9 +6,11 @@ description: Tinyauth has support for docker label-based access controls.
Tinyauth supports basic access controls with either Docker labels or environment variables. These labels (or environment variables) can restrict or allow access to applications.
:::caution[Proxy configuration matters]
-Tinyauth relies on the `X-Forwarded-Host` header (set by your reverse proxy) to determine which app's access controls apply to a given request. If your proxy doesn't overwrite this header, or if tinyauth is directly reachable on the network without going through the proxy, a user could send a request with a spoofed host that doesn't match any configured app. When no app matches, tinyauth treats the request as having no restrictions and allows any authenticated user through.
+Tinyauth relies on the `X-Forwarded-Host` header (set by your reverse proxy) to determine which app's access controls apply to a given request. If your proxy doesn't overwrite this header, or if Tinyauth is directly reachable on the network without going through the proxy, a user could send a request with a spoofed host that doesn't match any configured app. When no app matches, Tinyauth treats the request as having no restrictions and allows any authenticated user through.
-To avoid this, make sure your reverse proxy always sets `X-Forwarded-Host` itself and doesn't pass through client-supplied values. Traefik and Caddy do this by default. For nginx, use `proxy_set_header X-Forwarded-Host $host;` in your location block. You should also make sure tinyauth is not directly accessible from the network — only your reverse proxy should be able to reach it.
+To avoid this, make sure your reverse proxy always sets `X-Forwarded-Host` itself and doesn't pass through client-supplied values. Traefik and Caddy do this by default. For Nginx, use `proxy_set_header X-Forwarded-Host $host;` in your location block. You should also make sure Tinyauth is not directly accessible from the network — only your reverse proxy should be able to reach it.
+
+It is also recommended (and required for IP address ACLs) that your proxy sets correctly the `X-Forwarded-For` and `X-Real-IP` headers so Tinyauth can get the correct client IP and perform ACLs. You will also need to configure the `TINYAUTH_AUTH_TRUSTEDPROXIES` environment variable (`--auth.trustedproxies` for CLI flags and `auth.trustedProxies` for YAML) to point to your proxy IP. In case your proxy runs in Docker, you will most likely need to run it with `network_mode: host`.
:::
## Modifying the Tinyauth Container
@@ -95,6 +97,37 @@ Tinyauth will now use the domain to match the configuration instead of the app I
Labels are dynamic and can be updated at runtime, environment variables are not and require a restart of Tinyauth to take effect.
:::
+## Access Control Policy
+
+Tinyauth supports both an allow-by-default and a deny-by-default approach in access controls. The policy can be defined
+using the `TINYAUTH_AUTH_ACLS_POLICY` environment variable or the `--auth.acls.policy` CLI flag. The configuration option
+supports either `deny` or `allow`. The default policy is `allow`.
+
+In both examples we have the following ACLs defined as Docker labels.
+
+```yaml
+tinyauth.apps.myapp.config.domain: myapp.example.com
+```
+
+**Allow-by-default example**
+
+In this example we have `TINYAUTH_AUTH_ACLS_POLICY=allow`.
+
+With this config, every user you define in Tinyauth will be allowed unless you set up
+a user allow or block list.
+
+**Deny-by-default example**
+
+In this example we have `TINYAUTH_AUTH_ACLS_POLICY=deny`.
+
+With this config, every user you define in Tinyauth will be denied access to the app
+unless you manually allow them with a whitelist.
+
+:::caution
+Due to the setup-specific nature of the IP and OAuth Group access controls, they are excluded
+from the deny-by-default policy and are only applied if you manually specify a blocklist.
+:::
+
## User ACLs
*Going forward, the guide will use the labels format but everything mentioned also applies to environment variables.*
diff --git a/src/content/docs/docs/guides/advanced.mdx b/src/content/docs/docs/guides/advanced.mdx
index d7af8b3..e39170d 100644
--- a/src/content/docs/docs/guides/advanced.mdx
+++ b/src/content/docs/docs/guides/advanced.mdx
@@ -5,6 +5,19 @@ description: Guides and tips for advanced setups.
Below, you can find some guides for advanced setups.
+## Tinyauth API
+
+Tinyauth exposes its API under `/api`. Documentation for the API is not available so you will have to consult
+the controller [sources](https://github.com/tinyauthapp/tinyauth/tree/main/internal/controller). The API endpoint
+is designed to be consumed only by the frontend and **no guarantees** can be made that it will remain stable
+throughout updates. In case you are building an application that utilizes the Tinyauth API, please make sure
+to consult the release notes of each Tinyauth release to ensure that no changes have been made.
+
+:::note
+Even though the API endpoints are not guaranteed to remain stable, user-facing endpoints like the forward-auth,
+OAuth and OpenID Connect endpoints **are guaranteed** to remain stable.
+:::
+
## Authenticating to Apps with Basic Auth
Some apps already offer authentication methods like basic auth (e.g. browser pop-ups). This can be inconvenient as it requires logging in to both Tinyauth and the protected app. Tinyauth supports authenticating to apps automatically by adding basic auth labels to the protected app.
diff --git a/src/content/docs/docs/guides/nginx-proxy-manager.mdx b/src/content/docs/docs/guides/nginx-proxy-manager.mdx
index b275c23..cd47f2f 100644
--- a/src/content/docs/docs/guides/nginx-proxy-manager.mdx
+++ b/src/content/docs/docs/guides/nginx-proxy-manager.mdx
@@ -99,12 +99,20 @@ location /tinyauth {
proxy_pass http://tinyauth:3000/api/auth/nginx;
# Pass the request headers
+ proxy_set_header x-forwarded-for $remote_addr;
+ proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-proto $scheme;
proxy_set_header x-forwarded-host $http_host;
proxy_set_header x-forwarded-uri $request_uri;
}
```
+It is recommended (and required for IP address ACLs) that you set the `TINYAUTH_AUTH_TRUSTEDPROXIES` environment variable (`--auth.trustedproxies` for CLI flags and `auth.trustedProxies` for YAML) to the IP address of your Nginx instance so Tinyauth can trust the `X-Real-IP` and `X-Forwarded-For`headers and get the correct client IP.
+
+:::caution
+For Nginx setups in Docker (like this one), you will need to ensure that Nginx detects the correct IP address. Because Docker uses NAT for containers, you will probably need to run Nginx in `network_mode: host`.
+:::
+
:::note
The `/tinyauth` path can be renamed for convenience.
:::
diff --git a/src/content/docs/docs/guides/oidc.mdx b/src/content/docs/docs/guides/oidc.mdx
index aaf9ce5..8be3fef 100644
--- a/src/content/docs/docs/guides/oidc.mdx
+++ b/src/content/docs/docs/guides/oidc.mdx
@@ -6,7 +6,11 @@ description: Use Tinyauth's OIDC server to authenticate applications.
import { Tabs, TabItem } from '@astrojs/starlight/components';
import CreateOidcClientTool from "../../../../components/create-oidc-client-tool.astro";
-In Tinyauth v5, a major milestone was the introduction of the OIDC server, which allows Tinyauth not only to use other identity providers but also to act as an identity provider itself. This means that Tinyauth can serve as a central authentication gateway for multiple applications, providing a single sign-on experience for users.
+From v5.1.0 and going forward, Tinyauth is an OpenID Connect™ Certified server. This means that Tinyauth has been tested and verified to comply with the OpenID Connect Core 1.0 specification, ensuring that it meets the standards for secure authentication and identity management.
+
+You can use the OpenID Connect server of Tinyauth to authenticate applications and provide a seamless login experience for users using a centralized authentication system. This allows for better security, easier user management, and a more streamlined user experience across multiple applications.
+
+
## What is OpenID Connect?
@@ -36,17 +40,40 @@ Supported scopes:
- `openid`
- `profile`
- `email`
+- `phone`
+- `address`
- `groups`
Supported claims:
- `sub`
- `name`
+- `given_name`
+- `family_name`
+- `middle_name`
+- `nickname`
+- `profile`
+- `picture`
+- `website`
+- `gender`
+- `birthdate`
+- `zoneinfo`
+- `locale`
- `email`
- `preferred_username`
+- `email_verified`
+- `phone_number`
+- `phone_number_verified`
+- `address`
- `groups`
- `updated_at`
-- `email_verified`
+
+These claims align with the OpenID Connect Core 1.0 specification's standard claims.
+
+:::note
+The `groups` claim and scope are an addition to the OpenID Connect Core 1.0 specification and
+not something officially supported by the OpenID Foundation.
+:::
Supported token endpoint authentication methods:
@@ -61,7 +88,7 @@ While no promises can be made, if you feel a required OpenID Connect feature is
## Important Considerations
-Tinyauth’s core idea is to be a stateless application, but OIDC requires persistence for session and key storage. Everything is stored in the `/data` directory so, if you are using Docker, add the corresponding volume to your `docker-compose.yml` file:
+Tinyauth’s core idea is to be a stateless application however, OpenID Connect requires persistence for sessions and keys. Everything is stored in the `/data` directory so, if you are using Docker, add the corresponding volume to your `docker-compose.yml` file:
```yaml
services:
@@ -76,6 +103,12 @@ You also need to specify the paths where the public and private keys are stored.
Lastly, for the OIDC server to work, HTTPS is **required** on the app URL, which will become the issuer URL. You can use a self‑signed certificate or a certificate from a trusted CA.
+:::tip
+In case you are planning to use Tinyauth as a standalone OpenID Connect provider, you can use
+`TINYAUTH_AUTH_SUBDOMAINSENABLED=false` to disable support for wildcard cookies and increase
+security. By disabling wildcard cookies, the forward-auth middleware will ***not*** work.
+:::
+
## Creating OIDC Clients
To create an OIDC client, use the `oidc create` command. For example:
diff --git a/src/content/docs/docs/guides/tailscale.mdx b/src/content/docs/docs/guides/tailscale.mdx
new file mode 100644
index 0000000..7b7cadc
--- /dev/null
+++ b/src/content/docs/docs/guides/tailscale.mdx
@@ -0,0 +1,108 @@
+---
+title: Tailscale Authentication
+description: Use your Tailscale connection to automatically log in to Tinyauth.
+---
+
+Tinyauth has support for detecting your Tailscale connection and automatically logging you in with
+your Tailscale identity. This is made possible using the Tailscale API.
+
+## Requirements
+
+- A Tailscale account
+- A Tinyauth instance
+
+:::warning
+You will need your proxy to correctly forward the client IP to Tinyauth for the Tailscale detection
+to work. This differs from proxy to proxy, but usually you will need your proxy container to run
+with `network_mode: host` in Docker.
+:::
+
+### K3S
+
+In case you are using K3S (and possibly other Kubernetes deployments that use Traefik+MetalLB) you can use
+the following Helm chart config for Traefik to forward the correct client IP to your applications (including
+Tinyauth):
+
+```yaml
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik-config
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ service:
+ spec:
+ externalTrafficPolicy: Local
+
+ entryPoints:
+ web:
+ address: ':80'
+ forwardedHeaders:
+ trustedIPs:
+ - 10.42.0.0/24
+ websecure:
+ address: ':443'
+ forwardedHeaders:
+ trustedIPs:
+ - 10.42.0.0/24
+```
+
+You can check if Tinyauth is receiving the correct client IP by visiting it and checking the
+`client_ip` section in the info logs.
+
+## Get the Tailscale API token
+
+Before configuring Tinyauth, you need to obtain your Tailnet ID and an API token from Tailscale. This can be
+done by visiting the Tailscale [admin console](https://login.tailscale.com/admin/settings/general). The Tailnet
+ID is the first thing you see in the page.
+
+
+
+:::note
+While you can use the Legacy Tailnet ID, it is recommended to use the new random one.
+:::
+
+Then, you can generate an API token in the [keys](https://login.tailscale.com/admin/settings/keys) page.
+
+
+
+There click the **Generate access token** button, give it a name and click **Generate access token** again.
+You should then be greeted by the following page.
+
+
+
+Make sure to note down your Tailnet ID and the new API token as we will need them in the next part.
+
+## Configure Tinyauth
+
+With your Tailnet ID and API token you can configure Tinyauth in the following way:
+
+```yaml
+services:
+ tinyauth:
+ environment:
+ - TINYAUTH_TAILSCALE_ENABLED=true
+ - TINYAUTH_TAILSCALE_APITOKEN=your-api-token # TINYAUTH_TAILSCALE_APITOKENFILE also supported
+ - TINYAUTH_TAILSCALE_TAILNET=your-tailnet-id
+```
+
+Tinyauth by default caches the user and device list for 5 minutes, you can reduce the cache duration with
+`TINYAUTH_TAILSCALE_CACHEDURATION` (in seconds).
+
+:::note
+Tinyauth does ***not*** support serving on a Tailscale domain (like `tinyauth.funny-name.ts.net`). This is
+because we would need the `tsnet` library to serve on Tailscale which adds a lot of unnecessary weight to the
+binary (+20MB). Features requiring the `tsnet` library will ***not*** be added.
+:::
+
+Make sure to restart Tinyauth after updating the configuration.
+
+## Usage
+
+After restarting and assuming Tinyauth can get your client IP, you should see the following screen
+when visiting Tinyauth to login:
+
+
+
+After clicking **Continue with Tailscale**, authentication should proceed as normal.
diff --git a/src/content/docs/docs/integrations/beszel.mdx b/src/content/docs/docs/integrations/beszel.mdx
new file mode 100644
index 0000000..0f0912c
--- /dev/null
+++ b/src/content/docs/docs/integrations/beszel.mdx
@@ -0,0 +1,114 @@
+---
+title: Beszel
+description: Use the Tinyauth OpenID Connect provider to authenticate users in Beszel.
+---
+
+import { Tabs, TabItem } from '@astrojs/starlight/components';
+import CreateOIDCClientTool from "../../../../components/create-oidc-client-tool.astro";
+
+[Beszel](https://github.com/henrygd/beszel) is a lightweight server monitoring platform that includes Docker statistics, historical data, and alert functions. It uses PocketBase under the hood making it easy to add Tinyauth as an OpenID connect provider.
+
+## Requirements
+
+- A running instance of Beszel
+- A Tinyauth instance
+
+:::caution
+You will need to run Tinyauth with HTTPS to use it as an OpenID Connect provider.
+:::
+
+## Tinyauth Configuration
+
+To begin with, we need to generate a client ID and secret in Tinyauth for Beszel. This can be done by running the following command:
+
+
+
+ ```sh
+ docker run -i -t --rm ghcr.io/steveiliop56/tinyauth:v5 oidc create beszel
+ ```
+
+
+ ```sh
+ ./tinyauth oidc create beszel
+ ```
+
+
+
+
+
+
+From the output, make sure to note down the client ID and secret as we will need them later for the Beszel configuration.
+
+Now, we can pass our configuration to Tinyauth using environment variables:
+
+```sh
+TINYAUTH_OIDC_PRIVATEKEYPATH=/path/to/private/key.pem
+TINYAUTH_OIDC_PUBLICKEYPATH=/path/to/public/key.pem
+TINYAUTH_OIDC_CLIENTS_BESZEL_CLIENTID=client-id
+TINYAUTH_OIDC_CLIENTS_BESZEL_CLIENTSECRET=ta-client-secret
+TINYAUTH_OIDC_CLIENTS_BESZEL_TRUSTEDREDIRECTURIS=https://your-beszel-instance.com/api/oauth2-redirect
+TINYAUTH_OIDC_CLIENTS_BESZEL_NAME=Beszel
+```
+
+Restart your Tinyauth instance to apply the new configuration.
+
+## Beszel Configuration
+
+Next, we need to add the OAuth provider to Beszel. First, toggle the
+**Hide collection create and edit controls** setting under `https://your-beszel-instance.com/_/#/settings`
+(you can log in to PocketBase with your Beszel credentials).
+
+
+
+Then, go to the **Collections** tab and click on the **users** collection. In the users collection, click
+the little gear icon, then **Options**, **OAuth2** (make sure it's enabled) and **Add provider**. In the provider
+selection, select OpenID Connect (1, 2, 3 doesn't matter).
+
+
+
+In the new window, fill in the following values.
+
+| Name | Value |
+| - | - |
+| Client ID | The client ID you generated from the previous step. |
+| Client Secret | The client secret you generated from the previous step. |
+| Display Name | Use whatever you like, for example, Tinyauth. |
+| Auth URL | `https://tinyauth.example.com/authorize` |
+| Token URL | `https://tinyauth.example.com/api/oidc/token` |
+| Fetch user info from | User info URL |
+| User info URL | `https://tinyauth.example.com/api/oidc/userinfo` |
+| Support PKCE | Yes, checked. |
+
+
+
+Finally, click **Set provider config**.
+
+:::caution
+If your provider email does not match the Beszel email, you will need to set
+`USER_CREATION=true` in the Beszel docker-compose so that it creates your user. After you
+log in with your provider, you will need to go to the `systems` collection and for each system,
+assign your new user account.
+
+
+:::
+
+## Try it out
+
+After configuring the PocketBase backend of Beszel, you should see a new Tinyauth option in the login screen.
+
+
+
+Login and enjoy!
+
+:::note
+In case you are using multiple email addresses to log in to Tinyauth and thus Beszel, you may not be able
+to log in with your second email address. This is because PocketBase doesn't support multiple email addresses from
+one provider. If this issue occurs, you will need to go to the PocketBase admin and in the Collections tab, under
+System, delete everything from the `_externalAuths` collection (assuming you only have Tinyauth as an OpenID Connect
+provider), then try to log in again.
+
+
+:::
+
+
+
diff --git a/src/content/docs/docs/integrations/tailscale.mdx b/src/content/docs/docs/integrations/tailscale.mdx
new file mode 100644
index 0000000..5124f70
--- /dev/null
+++ b/src/content/docs/docs/integrations/tailscale.mdx
@@ -0,0 +1,95 @@
+---
+title: Tailscale
+description: Use the Tinyauth OpenID Connect provider to authenticate in Tailscale.
+---
+
+import { Steps } from '@astrojs/starlight/components';
+import { Tabs, TabItem } from '@astrojs/starlight/components';
+import CreateOIDCClientTool from "../../../../components/create-oidc-client-tool.astro";
+
+Tinyauth meets all of the criteria to be used as an OpenID Connect provider for Tailscale. This includes
+support for all of the required OpenID Connect scopes, claims and endpoints. Tinyauth also includes support
+for WebFinger which is required for Tailscale to discover the OpenID Connect provider.
+
+## Requirements
+
+- A Tailscale account
+- A Tinyauth instance
+- A domain name
+
+:::caution
+You will need to run Tinyauth with HTTPS to use it as an OpenID Connect provider.
+:::
+
+:::caution
+Tinyauth will need to be accessible from the internet for Tailscale to be able to reach it.
+This means that you will need to have a public domain name and a valid SSL certificate for
+your Tinyauth instance.
+:::
+
+
+## Tinyauth Configuration
+
+To begin with, we need to generate a client ID and secret in Tinyauth for Tailscale. This can be done by running the following command:
+
+
+
+ ```sh
+ docker run -i -t --rm ghcr.io/steveiliop56/tinyauth:v5 oidc create tailscale
+ ```
+
+
+ ```sh
+ ./tinyauth oidc create tailscale
+ ```
+
+
+
+
+
+
+From the output, make sure to note down the client ID and secret as we will need them later for the Tinyauth configuration.
+
+Now, we can pass our configuration to Tinyauth using environment variables:
+
+```sh
+TINYAUTH_OIDC_PRIVATEKEYPATH=/path/to/private/key.pem
+TINYAUTH_OIDC_PUBLICKEYPATH=/path/to/public/key.pem
+TINYAUTH_OIDC_CLIENTS_TAILSCALE_CLIENTID=client-id
+TINYAUTH_OIDC_CLIENTS_TAILSCALE_CLIENTSECRET=ta-client-secret
+TINYAUTH_OIDC_CLIENTS_TAILSCALE_TRUSTEDREDIRECTURIS=https://login.tailscale.com/a/oauth_response
+TINYAUTH_OIDC_CLIENTS_TAILSCALE_NAME=Tailscale
+```
+
+## Sign-up in Tailscale
+
+:::note
+These steps are quoted from the [Tailscale documentation](https://tailscale.com/docs/integrations/identity/custom-oidc#tailscale-setup).
+:::
+
+
+
+1. Go to the [Sign up with OIDC](https://login.tailscale.com/start/oidc) page of the admin console or
+ when signing-up for a new account, select the **Sign up with OIDC** option.
+
+
+
+2. In the Email address field, enter the administrator's full email address.
+ The domain in the email address must match the domain where the WebFinger endpoint is served, and the domain you will use for Tailscale.
+
+3. Select **Get OIDC** Issuer. If Tailscale is able to retrieve the issuer from Tinyauth, it will be displayed in the Issuer field.
+
+4. In the Client ID field, enter the client ID we generated previously.
+
+5. Likewise, in the Client Secret, enter the Client Secret.
+
+6. If you like, you can skip the consent screen of Tinyauth by selecting the `none` prompt.
+
+7. Select **Sign up with OIDC**. You will be redirected to Tinyauth for authentication.
+
+8. Log in to your provider using the email you entered in step 2. Upon authentication, you will be redirected to the Tailscale admin console.
+
+
+
+The user that configures OIDC for Tailscale becomes the first user in the tailnet and Owner of the tailnet.
diff --git a/src/content/docs/docs/integrations/zerobyte.mdx b/src/content/docs/docs/integrations/zerobyte.mdx
index d7cedd1..0ec29d4 100644
--- a/src/content/docs/docs/integrations/zerobyte.mdx
+++ b/src/content/docs/docs/integrations/zerobyte.mdx
@@ -4,6 +4,7 @@ description: Use the Tinyauth OpenID Connect provider to authenticate users with
---
import { Tabs, TabItem } from '@astrojs/starlight/components';
+import CreateOIDCClientTool from "../../../../components/create-oidc-client-tool.astro";
[Zerobyte](https://github.com/nicotsx/zerobyte) is a popular self-hosted backup automation solution based on restic. It allows users to easily manage and automate their backup tasks through a user-friendly web interface. By integrating Tinyauth as an OpenID Connect provider, you can enhance the security of your Zerobyte instance by enabling single sign-on (SSO) and centralized authentication.
@@ -32,6 +33,9 @@ To begin with, we need to generate a client ID and secret in Tinyauth for Zeroby
./tinyauth oidc create zerobyte
```
+
+
+
From the output, make sure to note down the client ID and secret as we will need them later for the Zerobyte configuration.
diff --git a/src/content/docs/docs/reference/changelog.mdx b/src/content/docs/docs/reference/changelog.mdx
index 96e71f1..3d919c8 100644
--- a/src/content/docs/docs/reference/changelog.mdx
+++ b/src/content/docs/docs/reference/changelog.mdx
@@ -3,6 +3,76 @@ title: Changelog
description: Overview of changes and updates in Tinyauth versions.
---
+## v5.1.0
+
+> [!NOTE]
+> Tinyauth has moved! All repositories now live under the new [Tinyauth](https://github.com/tinyauthapp) organization. Pull the new image from `ghcr.io/tinyauthapp/tinyauth`. The old image under my personal account **will no longer be updated**, so switch over when you can.
+
+> [!NOTE]
+> The config file is now a **stable** feature. Please switch your configuration file flag to `--configfile` (or `TINYAUTH_CONFIGFILE` for environment variables).
+
+> [!WARNING]
+> This release contains **security fixes**. Please update as soon as possible.
+
+> [!WARNING]
+> Tinyauth v5.1.0 includes some hardening in the trusted proxies. In case you are using any of the IP ACLs, you may need to specify your proxy IP in `TINYAUTH_AUTH_TRUSTEDPROXIES`.
+
+### New Features
+
+**Authentication & Access Controls**
+
+- Support for authentication through Tailscale
+- Deny-by-default access controls
+- Annotation-based access controls in Kubernetes @contre95
+- Global bypass by IP @scottmckendry
+- Provider-specific OAuth whitelists @puneetdixit200
+- OAuth whitelist file support @djedditt
+- Allow for `NO_PROXY`, `HTTP_PROXY` and `HTTPS_PROXY` for OAuth requests @florianilch
+
+**OpenID Connect**
+
+- Expose all OpenID Connect claims through user attributes @scottmckendry
+- Run Tinyauth on a top-level domain to use it as a standalone OIDC provider @jacekkow
+- `POST` request support on the OIDC authorize endpoint
+- WebFinger support
+- Support for `prompt` parameter in OIDC
+- Support for `max_age` in OIDC
+
+**Database & Config**
+
+- PostgreSQL as a database backend @scottmckendry
+- LDAP bind password file support @Rycochet
+- Config file loading is now stable, you will need to rename your CLI flag from `--experimental.configfile` to `--configfile`
+- Option to disable lockdown mode
+- Attempt to reconnect to LDAP server on start-up
+- Support for anonymous LDAP bind @nv6
+
+**Frontend**
+
+- Merge language and theme selector in new quick actions menu
+
+### Improvements
+
+- Preserve login parameters throughout the frontend
+- Graceful shutdown on `SIGTERM`
+- Pass through the LDAP mail attribute instead of crafting one when it's available
+- Rework CLI commands for simpler and more intuitive output
+
+### Fixes
+
+- Fix open redirect vulnerability in the OpenID Connect server @Dredsen
+- Use the loaded public key in the OpenID Connect server when available @Dredsen
+- Fix lax trusted proxies configuration in IP ACLs
+- Remove lockdown mode and rework rate-limiting
+
+### Technical
+
+- Rework dependency injection with Dig
+- Rework the user context middleware
+- Rework frontend user/app context API paths (changes in `/api/context/app` and `/api/context/user`)
+- Switch package manager from Bun to PNPM
+- Update dependencies and translations
+
## v5.0.7
### Improvements
diff --git a/src/content/docs/docs/reference/configuration.mdx b/src/content/docs/docs/reference/configuration.mdx
index 2cbee53..c1e0523 100644
--- a/src/content/docs/docs/reference/configuration.mdx
+++ b/src/content/docs/docs/reference/configuration.mdx
@@ -5,156 +5,26 @@ description: Reference on Tinyauth's configuration.
Tinyauth can be configured using environment variables or CLI flags. The table below provides a comprehensive list of configuration options.
-:::note
- Configuration options with a `FILE_` equivalent (e.g., `TINYAUTH_AUTH_USERS`/`--auth.users` and
- `TINYAUTH_AUTH_USERSFILE`/`--auth.usersfile`) allow the `FILE_` environment variable or CLI flag to be used as
- an alternative.
-:::
-
-## General Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_APPURL` | `--appurl` | The base URL where the app is hosted. | `` |
-
-## Database Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_DATABASE_PATH` | `--database.path` | The path to the database, including file name. | `./tinyauth.db` |
-
-## Analytics Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_ANALYTICS_ENABLED` | `--analytics.enabled` | Enable periodic version information collection. | `true` |
-
-## Resources Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_RESOURCES_ENABLED` | `--resources.enabled` | Enable the resources server. | `true` |
-| `TINYAUTH_RESOURCES_PATH` | `--resources.path` | The directory where resources are stored. | `./resources` |
-
-## Server Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_SERVER_PORT` | `--server.port` | The port on which the server listens. | `3000` |
-| `TINYAUTH_SERVER_ADDRESS` | `--server.address` | The address on which the server listens. | `0.0.0.0` |
-| `TINYAUTH_SERVER_SOCKETPATH` | `--server.socketpath` | The path to the Unix socket. | `` |
+## Configuration
-## Authentication Configuration
+import GeneratedConfiguration from "../../../../gen/generated_configuration.mdx"
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_AUTH_IP_ALLOW` | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` |
-| `TINYAUTH_AUTH_IP_BLOCK` | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `` |
-| `TINYAUTH_AUTH_USERS` | `--auth.users` | Comma-separated list of users (username:hashed_password). | `` |
-| `TINYAUTH_AUTH_USERSFILE` | `--auth.usersfile` | Path to the users file. | `` |
-| `TINYAUTH_AUTH_SECURECOOKIE` | `--auth.securecookie` | Enable secure cookies. | `false` |
-| `TINYAUTH_AUTH_SESSIONEXPIRY` | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` |
-| `TINYAUTH_AUTH_SESSIONMAXLIFETIME` | `--auth.sessionmaxlifetime` | Maximum session lifetime in seconds. | `0` |
-| `TINYAUTH_AUTH_LOGINTIMEOUT` | `--auth.logintimeout` | Login timeout in seconds. | `300` |
-| `TINYAUTH_AUTH_LOGINMAXRETRIES` | `--auth.loginmaxretries` | Maximum login retries. | `3` |
-| `TINYAUTH_AUTH_TRUSTEDPROXIES` | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `` |
+
-## ACLs Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_APPS_[NAME]_CONFIG_DOMAIN` | `--apps.[name].config.domain` | The domain of the app. | `` |
-| `TINYAUTH_APPS_[NAME]_USERS_ALLOW` | `--apps.[name].users.allow` | Comma-separated list of allowed users. | `` |
-| `TINYAUTH_APPS_[NAME]_USERS_BLOCK` | `--apps.[name].users.block` | Comma-separated list of blocked users. | `` |
-| `TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST` | `--apps.[name].oauth.whitelist` | Comma-separated list of allowed OAuth groups. | `` |
-| `TINYAUTH_APPS_[NAME]_OAUTH_GROUPS` | `--apps.[name].oauth.groups` | Comma-separated list of required OAuth groups. | `` |
-| `TINYAUTH_APPS_[NAME]_IP_ALLOW` | `--apps.[name].ip.allow` | List of allowed IPs or CIDR ranges. | `` |
-| `TINYAUTH_APPS_[NAME]_IP_BLOCK` | `--apps.[name].ip.block` | List of blocked IPs or CIDR ranges. | `` |
-| `TINYAUTH_APPS_[NAME]_IP_BYPASS` | `--apps.[name].ip.bypass` | List of IPs or CIDR ranges that bypass authentication. | `` |
-| `TINYAUTH_APPS_[NAME]_RESPONSE_HEADERS` | `--apps.[name].response.headers` | Custom headers to add to the response. | `` |
-| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_USERNAME` | `--apps.[name].response.basicauth.username` | Basic auth username. | `` |
-| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORD` | `--apps.[name].response.basicauth.password` | Basic auth password. | `` |
-| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORDFILE` | `--apps.[name].response.basicauth.passwordfile` | Path to the file containing the basic auth password. | `` |
-| `TINYAUTH_APPS_[NAME]_PATH_ALLOW` | `--apps.[name].path.allow` | Comma-separated list of allowed paths. | `` |
-| `TINYAUTH_APPS_[NAME]_PATH_BLOCK` | `--apps.[name].path.block` | Comma-separated list of blocked paths. | `` |
-| `TINYAUTH_APPS_[NAME]_LDAP_GROUPS` | `--apps.[name].ldap.groups` | Comma-separated list of required LDAP groups. | `` |
-
-## OAuth Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_OAUTH_WHITELIST` | `--oauth.whitelist` | Comma-separated list of allowed OAuth domains. | `` |
-| `TINYAUTH_OAUTH_AUTOREDIRECT` | `--oauth.autoredirect` | The OAuth provider to use for automatic redirection. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTID` | `--oauth.providers.[name].clientid` | OAuth client ID. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRET` | `--oauth.providers.[name].clientsecret` | OAuth client secret. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRETFILE` | `--oauth.providers.[name].clientsecretfile` | Path to the file containing the OAuth client secret. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_SCOPES` | `--oauth.providers.[name].scopes` | OAuth scopes. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_REDIRECTURL` | `--oauth.providers.[name].redirecturl` | OAuth redirect URL. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_AUTHURL` | `--oauth.providers.[name].authurl` | OAuth authorization URL. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_TOKENURL` | `--oauth.providers.[name].tokenurl` | OAuth token URL. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_USERINFOURL` | `--oauth.providers.[name].userinfourl` | OAuth userinfo URL. | `` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_INSECURE` | `--oauth.providers.[name].insecure` | Allow insecure OAuth connections. | `false` |
-| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_NAME` | `--oauth.providers.[name].name` | Provider name in UI. | `` |
+## Notes
:::note
- Using `google` or `github` as provider IDs, triggers automatic filling of the
- required information (e.g., auth URLs, scopes). You will only have to
- provide the client ID and secret.
+Configuration options with a `FILE_` equivalent (e.g., `TINYAUTH_AUTH_USERS`/`--auth.users` and
+`TINYAUTH_AUTH_USERSFILE`/`--auth.usersfile`) allow the `FILE_` environment variable or CLI flag to be used as
+an alternative.
:::
-## OIDC Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_OIDC_PRIVATEKEYPATH` | `--oidc.privatekeypath` | Path to the private key file, including file name. | `./tinyauth_oidc_key` |
-| `TINYAUTH_OIDC_PUBLICKEYPATH` | `--oidc.publickeypath` | Path to the public key file, including file name. | `./tinyauth_oidc_key.pub` |
-| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTID` | `--oidc.clients.[name].clientid` | OIDC client ID. | `` |
-| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRET` | `--oidc.clients.[name].clientsecret` | OIDC client secret. | `` |
-| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRETFILE` | `--oidc.clients.[name].clientsecretfile` | Path to the file containing the OIDC client secret. | `` |
-| `TINYAUTH_OIDC_CLIENTS_[NAME]_TRUSTEDREDIRECTURIS` | `--oidc.clients.[name].trustedredirecturis` | List of trusted redirect URIs. | `` |
-| `TINYAUTH_OIDC_CLIENTS_[NAME]_NAME` | `--oidc.clients.[name].name` | Client name in UI. | `` |
-
-## UI Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_UI_TITLE` | `--ui.title` | The title of the UI. | `Tinyauth` |
-| `TINYAUTH_UI_FORGOTPASSWORDMESSAGE` | `--ui.forgotpasswordmessage` | Message displayed on the forgot password page. | `You can change your password by changing the configuration.` |
-| `TINYAUTH_UI_BACKGROUNDIMAGE` | `--ui.backgroundimage` | Path to the background image. | `/background.jpg` |
-| `TINYAUTH_UI_WARNINGSENABLED` | `--ui.warningsenabled` | Enable UI warnings. | `true` |
-
-## LDAP Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_LDAP_ADDRESS` | `--ldap.address` | LDAP server address. | `` |
-| `TINYAUTH_LDAP_BINDDN` | `--ldap.binddn` | Bind DN for LDAP authentication. | `` |
-| `TINYAUTH_LDAP_BINDPASSWORD` | `--ldap.bindpassword` | Bind password for LDAP authentication. | `` |
-| `TINYAUTH_LDAP_BASEDN` | `--ldap.basedn` | Base DN for LDAP searches. | `` |
-| `TINYAUTH_LDAP_INSECURE` | `--ldap.insecure` | Allow insecure LDAP connections. | `false` |
-| `TINYAUTH_LDAP_SEARCHFILTER` | `--ldap.searchfilter` | LDAP search filter. | `(uid=%s)` |
-| `TINYAUTH_LDAP_AUTHCERT` | `--ldap.authcert` | Certificate for mTLS authentication. | `` |
-| `TINYAUTH_LDAP_AUTHKEY` | `--ldap.authkey` | Certificate key for mTLS authentication. | `` |
-| `TINYAUTH_LDAP_GROUPCACHETTL` | `--ldap.groupcachettl` | Cache duration for LDAP group membership in seconds. | `900` |
-
:::note
- For Windows LDAP, use the following search filter: `(&(sAMAccountName=%s))`.
+Using `google` or `github` as provider IDs, triggers automatic filling of the
+required information (e.g., auth URLs, scopes). You will only have to
+provide the client ID and secret.
:::
-## Logging Configuration
-
-| Environment | Flag | Description | Default |
-| - | - | - | - |
-| `TINYAUTH_LOG_LEVEL` | `--log.level` | Log level (trace, debug, info, warn, error). | `info` |
-| `TINYAUTH_LOG_JSON` | `--log.json` | Enable JSON formatted logs. | `false` |
-| `TINYAUTH_LOG_STREAMS_HTTP_ENABLED` | `--log.streams.http.enabled` | Enable this log stream. | `true` |
-| `TINYAUTH_LOG_STREAMS_HTTP_LEVEL` | `--log.streams.http.level` | Log level for this stream. Use global if empty. | `` |
-| `TINYAUTH_LOG_STREAMS_APP_ENABLED` | `--log.streams.app.enabled` | Enable this log stream. | `true` |
-| `TINYAUTH_LOG_STREAMS_APP_LEVEL` | `--log.streams.app.level` | Log level for this stream. Use global if empty. | `` |
-| `TINYAUTH_LOG_STREAMS_AUDIT_ENABLED` | `--log.streams.audit.enabled` | Enable this log stream. | `false` |
-| `TINYAUTH_LOG_STREAMS_AUDIT_LEVEL` | `--log.streams.audit.level` | Log level for this stream. Use global if empty. | `` |
-
-:::caution
- The `trace` log level will log sensitive information such as usernames, emails
- and access controls. Use with caution.
+:::note
+For Windows LDAP, use the following search filter: `(&(sAMAccountName=%s))`.
:::
diff --git a/src/gen/generated_configuration.mdx b/src/gen/generated_configuration.mdx
new file mode 100644
index 0000000..d8cf5c4
--- /dev/null
+++ b/src/gen/generated_configuration.mdx
@@ -0,0 +1,527 @@
+{/* This part is automatically generated by gen/gen_md.go in the main repository. DO NOT EDIT. */}
+
+import { Tabs, TabItem } from '@astrojs/starlight/components';
+
+
+
+ ### main
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_APPURL` | The base URL where the app is hosted. | `` |
+ | `TINYAUTH_CONFIGFILE` | Path to config file. | `` |
+ | `TINYAUTH_LABELPROVIDER` | Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment. | `auto` |
+
+ ### database
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_DATABASE_DRIVER` | The database driver to use. Valid values: sqlite, postgres, memory. | `sqlite` |
+ | `TINYAUTH_DATABASE_PATH` | The path to the SQLite database file, or connection URL when driver is postgres. | `./tinyauth.db` |
+
+ ### analytics
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_ANALYTICS_ENABLED` | Enable periodic version information collection. | `true` |
+
+ ### resources
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_RESOURCES_ENABLED` | Enable the resources server. | `true` |
+ | `TINYAUTH_RESOURCES_PATH` | The directory where resources are stored. | `./resources` |
+
+ ### server
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_SERVER_PORT` | The port on which the server listens. | `3000` |
+ | `TINYAUTH_SERVER_ADDRESS` | The address on which the server listens. | `0.0.0.0` |
+ | `TINYAUTH_SERVER_SOCKETPATH` | The path to the Unix socket. | `` |
+
+ ### auth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_AUTH_IP_ALLOW` | List of allowed IPs or CIDR ranges. | `` |
+ | `TINYAUTH_AUTH_IP_BLOCK` | List of blocked IPs or CIDR ranges. | `` |
+ | `TINYAUTH_AUTH_IP_BYPASS` | List of IPs or CIDR ranges that bypass authentication entirely. | `` |
+ | `TINYAUTH_AUTH_USERS` | Comma-separated list of users (username:hashed_password). | `` |
+ | `TINYAUTH_AUTH_SUBDOMAINSENABLED` | Enable subdomains support. | `true` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_NAME` | Full name of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_GIVENNAME` | Given (first) name of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_FAMILYNAME` | Family (last) name of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_MIDDLENAME` | Middle name of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_NICKNAME` | Nickname of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_PROFILE` | URL of the user's profile page. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_PICTURE` | URL of the user's profile picture. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_WEBSITE` | URL of the user's website. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_EMAIL` | Email address of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_GENDER` | Gender of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_BIRTHDATE` | Birthdate of the user (YYYY-MM-DD). | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ZONEINFO` | Time zone of the user (e.g. Europe/Athens). | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_LOCALE` | Locale of the user (e.g. en-US). | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_PHONENUMBER` | Phone number of the user. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_FORMATTED` | Full mailing address, formatted for display. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_STREETADDRESS` | Street address. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_LOCALITY` | City or locality. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_REGION` | State, province, or region. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_POSTALCODE` | Zip or postal code. | `` |
+ | `TINYAUTH_AUTH_USERATTRIBUTES_[NAME]_ADDRESS_COUNTRY` | Country. | `` |
+ | `TINYAUTH_AUTH_USERSFILE` | Path to the users file. | `` |
+ | `TINYAUTH_AUTH_SECURECOOKIE` | Enable secure cookies. | `false` |
+ | `TINYAUTH_AUTH_SESSIONEXPIRY` | Session expiry time in seconds. | `86400` |
+ | `TINYAUTH_AUTH_SESSIONMAXLIFETIME` | Maximum session lifetime in seconds. | `0` |
+ | `TINYAUTH_AUTH_LOGINTIMEOUT` | Login timeout in seconds. | `300` |
+ | `TINYAUTH_AUTH_LOGINMAXRETRIES` | Maximum login retries. | `3` |
+ | `TINYAUTH_AUTH_TRUSTEDPROXIES` | Comma-separated list of trusted proxy addresses. | `` |
+ | `TINYAUTH_AUTH_ACLS_POLICY` | ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow. | `allow` |
+
+ ### apps
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_APPS_[NAME]_CONFIG_DOMAIN` | The domain of the app. | `` |
+ | `TINYAUTH_APPS_[NAME]_USERS_ALLOW` | Comma-separated list of allowed users. | `` |
+ | `TINYAUTH_APPS_[NAME]_USERS_BLOCK` | Comma-separated list of blocked users. | `` |
+ | `TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST` | Comma-separated list of allowed OAuth groups. | `` |
+ | `TINYAUTH_APPS_[NAME]_OAUTH_GROUPS` | Comma-separated list of required OAuth groups. | `` |
+ | `TINYAUTH_APPS_[NAME]_IP_ALLOW` | List of allowed IPs or CIDR ranges. | `` |
+ | `TINYAUTH_APPS_[NAME]_IP_BLOCK` | List of blocked IPs or CIDR ranges. | `` |
+ | `TINYAUTH_APPS_[NAME]_IP_BYPASS` | List of IPs or CIDR ranges that bypass authentication. | `` |
+ | `TINYAUTH_APPS_[NAME]_RESPONSE_HEADERS` | Custom headers to add to the response. | `` |
+ | `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_USERNAME` | Basic auth username. | `` |
+ | `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORD` | Basic auth password. | `` |
+ | `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORDFILE` | Path to the file containing the basic auth password. | `` |
+ | `TINYAUTH_APPS_[NAME]_PATH_ALLOW` | Comma-separated list of allowed paths. | `` |
+ | `TINYAUTH_APPS_[NAME]_PATH_BLOCK` | Comma-separated list of blocked paths. | `` |
+ | `TINYAUTH_APPS_[NAME]_LDAP_GROUPS` | Comma-separated list of required LDAP groups. | `` |
+
+ ### oauth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_OAUTH_WHITELIST` | Comma-separated list of allowed OAuth domains. | `` |
+ | `TINYAUTH_OAUTH_WHITELISTFILE` | Path to the OAuth whitelist file. | `` |
+ | `TINYAUTH_OAUTH_AUTOREDIRECT` | The OAuth provider to use for automatic redirection. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTID` | OAuth client ID. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRET` | OAuth client secret. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRETFILE` | Path to the file containing the OAuth client secret. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_WHITELIST` | Comma-separated list of allowed OAuth domains for this provider. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_WHITELISTFILE` | Path to the OAuth whitelist file for this provider. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_SCOPES` | OAuth scopes. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_REDIRECTURL` | OAuth redirect URL. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_AUTHURL` | OAuth authorization URL. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_TOKENURL` | OAuth token URL. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_USERINFOURL` | OAuth userinfo URL. | `` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_INSECURE` | Allow insecure OAuth connections. | `false` |
+ | `TINYAUTH_OAUTH_PROVIDERS_[NAME]_NAME` | Provider name in UI. | `` |
+
+ ### oidc
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_OIDC_PRIVATEKEYPATH` | Path to the private key file, including file name. | `./tinyauth_oidc_key` |
+ | `TINYAUTH_OIDC_PUBLICKEYPATH` | Path to the public key file, including file name. | `./tinyauth_oidc_key.pub` |
+ | `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTID` | OIDC client ID. | `` |
+ | `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRET` | OIDC client secret. | `` |
+ | `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRETFILE` | Path to the file containing the OIDC client secret. | `` |
+ | `TINYAUTH_OIDC_CLIENTS_[NAME]_TRUSTEDREDIRECTURIS` | List of trusted redirect URIs. | `` |
+ | `TINYAUTH_OIDC_CLIENTS_[NAME]_NAME` | Client name in UI. | `` |
+
+ ### ui
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_UI_TITLE` | The title of the UI. | `Tinyauth` |
+ | `TINYAUTH_UI_FORGOTPASSWORDMESSAGE` | Message displayed on the forgot password page. | `You can change your password by changing the configuration.` |
+ | `TINYAUTH_UI_BACKGROUNDIMAGE` | Path to the background image. | `/background.jpg` |
+ | `TINYAUTH_UI_WARNINGSENABLED` | Enable UI warnings. | `true` |
+
+ ### ldap
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_LDAP_ADDRESS` | LDAP server address. | `` |
+ | `TINYAUTH_LDAP_BINDDN` | Bind DN for LDAP authentication. | `` |
+ | `TINYAUTH_LDAP_BINDPASSWORD` | Bind password for LDAP authentication. | `` |
+ | `TINYAUTH_LDAP_BINDPASSWORDFILE` | Path to the Bind password. | `` |
+ | `TINYAUTH_LDAP_BASEDN` | Base DN for LDAP searches. | `` |
+ | `TINYAUTH_LDAP_INSECURE` | Allow insecure LDAP connections. | `false` |
+ | `TINYAUTH_LDAP_SEARCHFILTER` | LDAP search filter. | `(uid=%s)` |
+ | `TINYAUTH_LDAP_AUTHCERT` | Certificate for mTLS authentication. | `` |
+ | `TINYAUTH_LDAP_AUTHKEY` | Certificate key for mTLS authentication. | `` |
+ | `TINYAUTH_LDAP_GROUPCACHETTL` | Cache duration for LDAP group membership in seconds. | `900` |
+
+ ### tailscale
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_TAILSCALE_ENABLED` | Enable Tailscale integration. | `false` |
+ | `TINYAUTH_TAILSCALE_APITOKEN` | Tailscale API token. | `` |
+ | `TINYAUTH_TAILSCALE_APITOKENFILE` | Path to the file containing the Tailscale API token. | `` |
+ | `TINYAUTH_TAILSCALE_TAILNET` | Tailnet name. | `` |
+ | `TINYAUTH_TAILSCALE_CACHEDURATION` | Cache duration for Tailscale device and user lists in seconds. | `300` |
+
+ ### log
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `TINYAUTH_LOG_LEVEL` | Log level (trace, debug, info, warn, error). | `info` |
+ | `TINYAUTH_LOG_JSON` | Enable JSON formatted logs. | `false` |
+ | `TINYAUTH_LOG_STREAMS_HTTP_ENABLED` | Enable this log stream. | `true` |
+ | `TINYAUTH_LOG_STREAMS_HTTP_LEVEL` | Log level for this stream. Use global if empty. | `` |
+ | `TINYAUTH_LOG_STREAMS_APP_ENABLED` | Enable this log stream. | `true` |
+ | `TINYAUTH_LOG_STREAMS_APP_LEVEL` | Log level for this stream. Use global if empty. | `` |
+ | `TINYAUTH_LOG_STREAMS_AUDIT_ENABLED` | Enable this log stream. | `false` |
+ | `TINYAUTH_LOG_STREAMS_AUDIT_LEVEL` | Log level for this stream. Use global if empty. | `` |
+
+
+ ### main
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--appurl` | The base URL where the app is hosted. | `` |
+ | `--configfile` | Path to config file. | `` |
+ | `--labelprovider` | Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment. | `auto` |
+
+ ### database
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--database.driver` | The database driver to use. Valid values: sqlite, postgres, memory. | `sqlite` |
+ | `--database.path` | The path to the SQLite database file, or connection URL when driver is postgres. | `./tinyauth.db` |
+
+ ### analytics
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--analytics.enabled` | Enable periodic version information collection. | `true` |
+
+ ### resources
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--resources.enabled` | Enable the resources server. | `true` |
+ | `--resources.path` | The directory where resources are stored. | `./resources` |
+
+ ### server
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--server.port` | The port on which the server listens. | `3000` |
+ | `--server.address` | The address on which the server listens. | `0.0.0.0` |
+ | `--server.socketpath` | The path to the Unix socket. | `` |
+
+ ### auth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` |
+ | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `` |
+ | `--auth.ip.bypass` | List of IPs or CIDR ranges that bypass authentication entirely. | `` |
+ | `--auth.users` | Comma-separated list of users (username:hashed_password). | `` |
+ | `--auth.subdomainsenabled` | Enable subdomains support. | `true` |
+ | `--auth.userAttributes.[name].name` | Full name of the user. | `` |
+ | `--auth.userAttributes.[name].givenname` | Given (first) name of the user. | `` |
+ | `--auth.userAttributes.[name].familyname` | Family (last) name of the user. | `` |
+ | `--auth.userAttributes.[name].middlename` | Middle name of the user. | `` |
+ | `--auth.userAttributes.[name].nickname` | Nickname of the user. | `` |
+ | `--auth.userAttributes.[name].profile` | URL of the user's profile page. | `` |
+ | `--auth.userAttributes.[name].picture` | URL of the user's profile picture. | `` |
+ | `--auth.userAttributes.[name].website` | URL of the user's website. | `` |
+ | `--auth.userAttributes.[name].email` | Email address of the user. | `` |
+ | `--auth.userAttributes.[name].gender` | Gender of the user. | `` |
+ | `--auth.userAttributes.[name].birthdate` | Birthdate of the user (YYYY-MM-DD). | `` |
+ | `--auth.userAttributes.[name].zoneinfo` | Time zone of the user (e.g. Europe/Athens). | `` |
+ | `--auth.userAttributes.[name].locale` | Locale of the user (e.g. en-US). | `` |
+ | `--auth.userAttributes.[name].phonenumber` | Phone number of the user. | `` |
+ | `--auth.userAttributes.[name].address.formatted` | Full mailing address, formatted for display. | `` |
+ | `--auth.userAttributes.[name].address.streetaddress` | Street address. | `` |
+ | `--auth.userAttributes.[name].address.locality` | City or locality. | `` |
+ | `--auth.userAttributes.[name].address.region` | State, province, or region. | `` |
+ | `--auth.userAttributes.[name].address.postalcode` | Zip or postal code. | `` |
+ | `--auth.userAttributes.[name].address.country` | Country. | `` |
+ | `--auth.usersfile` | Path to the users file. | `` |
+ | `--auth.securecookie` | Enable secure cookies. | `false` |
+ | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` |
+ | `--auth.sessionmaxlifetime` | Maximum session lifetime in seconds. | `0` |
+ | `--auth.logintimeout` | Login timeout in seconds. | `300` |
+ | `--auth.loginmaxretries` | Maximum login retries. | `3` |
+ | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `` |
+ | `--auth.acls.policy` | ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow. | `allow` |
+
+ ### apps
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--apps.[name].config.domain` | The domain of the app. | `` |
+ | `--apps.[name].users.allow` | Comma-separated list of allowed users. | `` |
+ | `--apps.[name].users.block` | Comma-separated list of blocked users. | `` |
+ | `--apps.[name].oauth.whitelist` | Comma-separated list of allowed OAuth groups. | `` |
+ | `--apps.[name].oauth.groups` | Comma-separated list of required OAuth groups. | `` |
+ | `--apps.[name].ip.allow` | List of allowed IPs or CIDR ranges. | `` |
+ | `--apps.[name].ip.block` | List of blocked IPs or CIDR ranges. | `` |
+ | `--apps.[name].ip.bypass` | List of IPs or CIDR ranges that bypass authentication. | `` |
+ | `--apps.[name].response.headers` | Custom headers to add to the response. | `` |
+ | `--apps.[name].response.basicauth.username` | Basic auth username. | `` |
+ | `--apps.[name].response.basicauth.password` | Basic auth password. | `` |
+ | `--apps.[name].response.basicauth.passwordfile` | Path to the file containing the basic auth password. | `` |
+ | `--apps.[name].path.allow` | Comma-separated list of allowed paths. | `` |
+ | `--apps.[name].path.block` | Comma-separated list of blocked paths. | `` |
+ | `--apps.[name].ldap.groups` | Comma-separated list of required LDAP groups. | `` |
+
+ ### oauth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--oauth.whitelist` | Comma-separated list of allowed OAuth domains. | `` |
+ | `--oauth.whitelistfile` | Path to the OAuth whitelist file. | `` |
+ | `--oauth.autoredirect` | The OAuth provider to use for automatic redirection. | `` |
+ | `--oauth.providers.[name].clientid` | OAuth client ID. | `` |
+ | `--oauth.providers.[name].clientsecret` | OAuth client secret. | `` |
+ | `--oauth.providers.[name].clientsecretfile` | Path to the file containing the OAuth client secret. | `` |
+ | `--oauth.providers.[name].whitelist` | Comma-separated list of allowed OAuth domains for this provider. | `` |
+ | `--oauth.providers.[name].whitelistfile` | Path to the OAuth whitelist file for this provider. | `` |
+ | `--oauth.providers.[name].scopes` | OAuth scopes. | `` |
+ | `--oauth.providers.[name].redirecturl` | OAuth redirect URL. | `` |
+ | `--oauth.providers.[name].authurl` | OAuth authorization URL. | `` |
+ | `--oauth.providers.[name].tokenurl` | OAuth token URL. | `` |
+ | `--oauth.providers.[name].userinfourl` | OAuth userinfo URL. | `` |
+ | `--oauth.providers.[name].insecure` | Allow insecure OAuth connections. | `false` |
+ | `--oauth.providers.[name].name` | Provider name in UI. | `` |
+
+ ### oidc
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--oidc.privatekeypath` | Path to the private key file, including file name. | `./tinyauth_oidc_key` |
+ | `--oidc.publickeypath` | Path to the public key file, including file name. | `./tinyauth_oidc_key.pub` |
+ | `--oidc.clients.[name].clientid` | OIDC client ID. | `` |
+ | `--oidc.clients.[name].clientsecret` | OIDC client secret. | `` |
+ | `--oidc.clients.[name].clientsecretfile` | Path to the file containing the OIDC client secret. | `` |
+ | `--oidc.clients.[name].trustedredirecturis` | List of trusted redirect URIs. | `` |
+ | `--oidc.clients.[name].name` | Client name in UI. | `` |
+
+ ### ui
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--ui.title` | The title of the UI. | `Tinyauth` |
+ | `--ui.forgotpasswordmessage` | Message displayed on the forgot password page. | `You can change your password by changing the configuration.` |
+ | `--ui.backgroundimage` | Path to the background image. | `/background.jpg` |
+ | `--ui.warningsenabled` | Enable UI warnings. | `true` |
+
+ ### ldap
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--ldap.address` | LDAP server address. | `` |
+ | `--ldap.binddn` | Bind DN for LDAP authentication. | `` |
+ | `--ldap.bindpassword` | Bind password for LDAP authentication. | `` |
+ | `--ldap.bindpasswordfile` | Path to the Bind password. | `` |
+ | `--ldap.basedn` | Base DN for LDAP searches. | `` |
+ | `--ldap.insecure` | Allow insecure LDAP connections. | `false` |
+ | `--ldap.searchfilter` | LDAP search filter. | `(uid=%s)` |
+ | `--ldap.authcert` | Certificate for mTLS authentication. | `` |
+ | `--ldap.authkey` | Certificate key for mTLS authentication. | `` |
+ | `--ldap.groupcachettl` | Cache duration for LDAP group membership in seconds. | `900` |
+
+ ### tailscale
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--tailscale.enabled` | Enable Tailscale integration. | `false` |
+ | `--tailscale.apitoken` | Tailscale API token. | `` |
+ | `--tailscale.apitokenfile` | Path to the file containing the Tailscale API token. | `` |
+ | `--tailscale.tailnet` | Tailnet name. | `` |
+ | `--tailscale.cacheduration` | Cache duration for Tailscale device and user lists in seconds. | `300` |
+
+ ### log
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `--log.level` | Log level (trace, debug, info, warn, error). | `info` |
+ | `--log.json` | Enable JSON formatted logs. | `false` |
+ | `--log.streams.http.enabled` | Enable this log stream. | `true` |
+ | `--log.streams.http.level` | Log level for this stream. Use global if empty. | `` |
+ | `--log.streams.app.enabled` | Enable this log stream. | `true` |
+ | `--log.streams.app.level` | Log level for this stream. Use global if empty. | `` |
+ | `--log.streams.audit.enabled` | Enable this log stream. | `false` |
+ | `--log.streams.audit.level` | Log level for this stream. Use global if empty. | `` |
+
+
+ ### main
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `appUrl` | The base URL where the app is hosted. | `` |
+ | `labelProvider` | Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment. | `auto` |
+
+ ### database
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `database.driver` | The database driver to use. Valid values: sqlite, postgres, memory. | `sqlite` |
+ | `database.path` | The path to the SQLite database file, or connection URL when driver is postgres. | `./tinyauth.db` |
+
+ ### analytics
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `analytics.enabled` | Enable periodic version information collection. | `true` |
+
+ ### resources
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `resources.enabled` | Enable the resources server. | `true` |
+ | `resources.path` | The directory where resources are stored. | `./resources` |
+
+ ### server
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `server.port` | The port on which the server listens. | `3000` |
+ | `server.address` | The address on which the server listens. | `0.0.0.0` |
+ | `server.socketPath` | The path to the Unix socket. | `` |
+
+ ### auth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` |
+ | `auth.ip.block` | List of blocked IPs or CIDR ranges. | `` |
+ | `auth.ip.bypass` | List of IPs or CIDR ranges that bypass authentication entirely. | `` |
+ | `auth.users` | Comma-separated list of users (username:hashed_password). | `` |
+ | `auth.subdomainsEnabled` | Enable subdomains support. | `true` |
+ | `auth.userAttributes.[name].name` | Full name of the user. | `` |
+ | `auth.userAttributes.[name].givenName` | Given (first) name of the user. | `` |
+ | `auth.userAttributes.[name].familyName` | Family (last) name of the user. | `` |
+ | `auth.userAttributes.[name].middleName` | Middle name of the user. | `` |
+ | `auth.userAttributes.[name].nickname` | Nickname of the user. | `` |
+ | `auth.userAttributes.[name].profile` | URL of the user's profile page. | `` |
+ | `auth.userAttributes.[name].picture` | URL of the user's profile picture. | `` |
+ | `auth.userAttributes.[name].website` | URL of the user's website. | `` |
+ | `auth.userAttributes.[name].email` | Email address of the user. | `` |
+ | `auth.userAttributes.[name].gender` | Gender of the user. | `` |
+ | `auth.userAttributes.[name].birthdate` | Birthdate of the user (YYYY-MM-DD). | `` |
+ | `auth.userAttributes.[name].zoneinfo` | Time zone of the user (e.g. Europe/Athens). | `` |
+ | `auth.userAttributes.[name].locale` | Locale of the user (e.g. en-US). | `` |
+ | `auth.userAttributes.[name].phoneNumber` | Phone number of the user. | `` |
+ | `auth.userAttributes.[name].address.formatted` | Full mailing address, formatted for display. | `` |
+ | `auth.userAttributes.[name].address.streetAddress` | Street address. | `` |
+ | `auth.userAttributes.[name].address.locality` | City or locality. | `` |
+ | `auth.userAttributes.[name].address.region` | State, province, or region. | `` |
+ | `auth.userAttributes.[name].address.postalCode` | Zip or postal code. | `` |
+ | `auth.userAttributes.[name].address.country` | Country. | `` |
+ | `auth.usersFile` | Path to the users file. | `` |
+ | `auth.secureCookie` | Enable secure cookies. | `false` |
+ | `auth.sessionExpiry` | Session expiry time in seconds. | `86400` |
+ | `auth.sessionMaxLifetime` | Maximum session lifetime in seconds. | `0` |
+ | `auth.loginTimeout` | Login timeout in seconds. | `300` |
+ | `auth.loginMaxRetries` | Maximum login retries. | `3` |
+ | `auth.trustedProxies` | Comma-separated list of trusted proxy addresses. | `` |
+ | `auth.acls.policy` | ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow. | `allow` |
+
+ ### apps
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `apps.[name].config.domain` | The domain of the app. | `` |
+ | `apps.[name].users.allow` | Comma-separated list of allowed users. | `` |
+ | `apps.[name].users.block` | Comma-separated list of blocked users. | `` |
+ | `apps.[name].oauth.whitelist` | Comma-separated list of allowed OAuth groups. | `` |
+ | `apps.[name].oauth.groups` | Comma-separated list of required OAuth groups. | `` |
+ | `apps.[name].ip.allow` | List of allowed IPs or CIDR ranges. | `` |
+ | `apps.[name].ip.block` | List of blocked IPs or CIDR ranges. | `` |
+ | `apps.[name].ip.bypass` | List of IPs or CIDR ranges that bypass authentication. | `` |
+ | `apps.[name].response.headers` | Custom headers to add to the response. | `` |
+ | `apps.[name].response.basicauth.username` | Basic auth username. | `` |
+ | `apps.[name].response.basicauth.password` | Basic auth password. | `` |
+ | `apps.[name].response.basicauth.passwordFile` | Path to the file containing the basic auth password. | `` |
+ | `apps.[name].path.allow` | Comma-separated list of allowed paths. | `` |
+ | `apps.[name].path.block` | Comma-separated list of blocked paths. | `` |
+ | `apps.[name].ldap.groups` | Comma-separated list of required LDAP groups. | `` |
+
+ ### oauth
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `oauth.whitelist` | Comma-separated list of allowed OAuth domains. | `` |
+ | `oauth.whitelistFile` | Path to the OAuth whitelist file. | `` |
+ | `oauth.autoRedirect` | The OAuth provider to use for automatic redirection. | `` |
+ | `oauth.providers.[name].clientId` | OAuth client ID. | `` |
+ | `oauth.providers.[name].clientSecret` | OAuth client secret. | `` |
+ | `oauth.providers.[name].clientSecretFile` | Path to the file containing the OAuth client secret. | `` |
+ | `oauth.providers.[name].whitelist` | Comma-separated list of allowed OAuth domains for this provider. | `` |
+ | `oauth.providers.[name].whitelistFile` | Path to the OAuth whitelist file for this provider. | `` |
+ | `oauth.providers.[name].scopes` | OAuth scopes. | `` |
+ | `oauth.providers.[name].redirectUrl` | OAuth redirect URL. | `` |
+ | `oauth.providers.[name].authUrl` | OAuth authorization URL. | `` |
+ | `oauth.providers.[name].tokenUrl` | OAuth token URL. | `` |
+ | `oauth.providers.[name].userinfoUrl` | OAuth userinfo URL. | `` |
+ | `oauth.providers.[name].insecure` | Allow insecure OAuth connections. | `false` |
+ | `oauth.providers.[name].name` | Provider name in UI. | `` |
+
+ ### oidc
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `oidc.privateKeyPath` | Path to the private key file, including file name. | `./tinyauth_oidc_key` |
+ | `oidc.publicKeyPath` | Path to the public key file, including file name. | `./tinyauth_oidc_key.pub` |
+ | `oidc.clients.[name].clientId` | OIDC client ID. | `` |
+ | `oidc.clients.[name].clientSecret` | OIDC client secret. | `` |
+ | `oidc.clients.[name].clientSecretFile` | Path to the file containing the OIDC client secret. | `` |
+ | `oidc.clients.[name].trustedRedirectUris` | List of trusted redirect URIs. | `` |
+ | `oidc.clients.[name].name` | Client name in UI. | `` |
+
+ ### ui
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `ui.title` | The title of the UI. | `Tinyauth` |
+ | `ui.forgotPasswordMessage` | Message displayed on the forgot password page. | `You can change your password by changing the configuration.` |
+ | `ui.backgroundImage` | Path to the background image. | `/background.jpg` |
+ | `ui.warningsEnabled` | Enable UI warnings. | `true` |
+
+ ### ldap
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `ldap.address` | LDAP server address. | `` |
+ | `ldap.bindDn` | Bind DN for LDAP authentication. | `` |
+ | `ldap.bindPassword` | Bind password for LDAP authentication. | `` |
+ | `ldap.bindPasswordFile` | Path to the Bind password. | `` |
+ | `ldap.baseDn` | Base DN for LDAP searches. | `` |
+ | `ldap.insecure` | Allow insecure LDAP connections. | `false` |
+ | `ldap.searchFilter` | LDAP search filter. | `(uid=%s)` |
+ | `ldap.authCert` | Certificate for mTLS authentication. | `` |
+ | `ldap.authKey` | Certificate key for mTLS authentication. | `` |
+ | `ldap.groupCacheTTL` | Cache duration for LDAP group membership in seconds. | `900` |
+
+ ### tailscale
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `tailscale.enabled` | Enable Tailscale integration. | `false` |
+ | `tailscale.apiToken` | Tailscale API token. | `` |
+ | `tailscale.apiTokenFile` | Path to the file containing the Tailscale API token. | `` |
+ | `tailscale.tailnet` | Tailnet name. | `` |
+ | `tailscale.cacheDuration` | Cache duration for Tailscale device and user lists in seconds. | `300` |
+
+ ### log
+
+ | Option | Description | Default |
+ | - | - | - |
+ | `log.level` | Log level (trace, debug, info, warn, error). | `info` |
+ | `log.json` | Enable JSON formatted logs. | `false` |
+ | `log.streams.http.enabled` | Enable this log stream. | `true` |
+ | `log.streams.http.level` | Log level for this stream. Use global if empty. | `` |
+ | `log.streams.app.enabled` | Enable this log stream. | `true` |
+ | `log.streams.app.level` | Log level for this stream. Use global if empty. | `` |
+ | `log.streams.audit.enabled` | Enable this log stream. | `false` |
+ | `log.streams.audit.level` | Log level for this stream. Use global if empty. | `` |
+
+
diff --git a/src/pages/index.astro b/src/pages/index.astro
index f94aef4..11c7ee7 100644
--- a/src/pages/index.astro
+++ b/src/pages/index.astro
@@ -33,14 +33,14 @@ import { Card } from "@astrojs/starlight/components";
template: "splash",
banner: {
content:
- "Tinyauth v5 is out! Check out how to upgrade in the migration guide.",
+ "Tinyauth is now an OpenID Connect™ Certified provider!",
},
}}
>
Tinyauth
- Tinyauth is a tiny OpenID Connect (OIDC) authentication and
+ Tinyauth is the tiniest OpenID Connect™ Certified authentication and
authorization server for your self-hosted applications.
@@ -77,8 +77,8 @@ import { Card } from "@astrojs/starlight/components";
>With Tinyauth you can easily log in to your apps using your
favorite OAuth providers or by using a centralized LDAP server.
- Tinyauth is the tiniest OIDC server you have ever seen. It is
+ Tinyauth is the tiniest OpenID Connect™ Certified server you have ever seen. It is
designed to be simple and easy to use, with a focus on security
and performance.
@@ -111,5 +111,6 @@ import { Card } from "@astrojs/starlight/components";
+
diff --git a/src/styles/home.css b/src/styles/home.css
index 26be6d2..df97151 100644
--- a/src/styles/home.css
+++ b/src/styles/home.css
@@ -32,7 +32,7 @@ main:has(.home-container) {
align-items: center;
padding: 1rem;
text-align: center;
- gap: 1.25rem;
+ gap: 1.5rem;
}
.home-title {
diff --git a/src/styles/theme.css b/src/styles/theme.css
index 4795b3c..b7eb117 100644
--- a/src/styles/theme.css
+++ b/src/styles/theme.css
@@ -20,6 +20,10 @@
height: 2rem;
}
+main {
+ padding-bottom: 0 !important;
+}
+
td,
th {
padding-left: 0.5rem;
diff --git a/src/styles/tools.css b/src/styles/tools.css
index 32467eb..ff7b328 100644
--- a/src/styles/tools.css
+++ b/src/styles/tools.css
@@ -17,7 +17,7 @@
flex-direction: column;
gap: 0.25rem;
font-size: var(--sl-text-sm);
- font-weight: 600;
+ font-weight: 500;
color: var(--sl-color-text);
}
@@ -77,9 +77,9 @@
border-radius: 0.5rem;
font-size: 0.875rem;
line-height: 1.25rem;
- font-weight: 600;
+ font-weight: 500;
color: var(--sl-color-text);
- transition-property: border-color, color;
+ transition-property: border, color;
transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
transition-duration: 100ms;
transition-delay: 50ms;
@@ -90,8 +90,5 @@
.tool-submit:is(:hover, :focus-visible) {
cursor: pointer;
color: var(--sl-color-text-accent);
- outline: none;
- box-shadow: 0 0 0 2px var(--sl-color-accent);
- border-color: transparent;
+ border: 1px solid var(--sl-color-accent);
}
-