Tobab
tl;dr⌗
A poor mans version of beyondcorp, an identity-aware proxy (IAP) that can authenticate and authorize users with third party authenticators (currently only google is supported.
Find it on github: tobab
history⌗
When I switched from running stuff in my kubernetes cluster to running stuff in Google App Engine, I decided that beyondauth was now deprecated.
However, after the initial honeymoon period with GAE, some projects became too expensive to run and I started hosting them on my own devices again.
After a while it started bothering me again that all the self-hosted projects either had no auth (prometheus) or their own auth solution (booksing, gdo, pturn). So I set out to replicate my earlier setup but then a bit simpler. BeyondAuth was pretty good, but it also needed traefik, and both of these were more tedious to maintain and configure then I would like.
So I set out to build my own solution, and Tobab is the result.
features⌗
- http proxy
- sign in with google (for now, more identity providers could easily be supported)
- letsencrypt integration (non-optional, http->https redirect is mandatory)
- glob matching based authorization
- routes can be added through the API or the CLI
- stateless, secure tokens with paseto
acknowledgements⌗
Building this I truly started to appreciate the meaning of standing on the shoulders of giants, the Go libraries I’ve used are extensive and made this application a lot easier to create.
technologies⌗
- golang
- letsencrypt
- paseto
- openid connect