Vouch Proxy

Unified SSO gateway for Nginx using OAuth and OIDC

Vouch Proxy adds single sign‑on to Nginx, authenticating visitors via dozens of OAuth/OIDC providers and sharing session cookies across subdomains for seamless access to multiple web applications.

Overview

Vouch Proxy acts as a lightweight authentication gateway for Nginx. When a visitor reaches a protected site, Nginx forwards a /validate request to Vouch Proxy, which checks a signed session cookie. If the cookie is missing or invalid, the user is redirected to the configured Identity Provider (IdP) for login. After successful authentication, Vouch Proxy sets a domain‑wide cookie and returns user attributes—email, name, tokens—as HTTP headers, allowing the downstream application to trust the identity without managing its own user store.

Who Should Use It

The solution is aimed at DevOps engineers and system administrators who already run Nginx as a reverse proxy and need SSO across multiple web applications in the same domain. It works with any OAuth2 or OpenID Connect provider, including Google, GitHub, Okta, Azure AD, Keycloak, and many others. Vouch Proxy can be run as a binary, Docker container, or Kubernetes pod, and when co‑located with Nginx the validation latency is typically under 1 ms.

Deployment Highlights

Deploy by configuring vouch.domains to share the cookie across subdomains, adding an auth_request /validate block in Nginx, and pointing the IdP callback to /auth. Official Docker images simplify containerized setups, and Helm charts are available for Kubernetes environments.
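
The Nginx side of the deployment described above, as an added example (not taken from this page or from the Vouch Proxy project's own files). The hostnames `app.example.com` and `vouch.example.com`, the certificate paths and the backend on port 8080 are placeholders. It assumes Vouch Proxy listens on `127.0.0.1:9090`, exposes a `/login` endpoint, returns the user in an `X-Vouch-User` response header, and that `vouch.domains` covers `example.com`.

```nginx
# Added example; all hostnames, paths and ports below are placeholders/assumptions.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Every request to this server first triggers a subrequest to /validate.
    auth_request /validate;

    location = /validate {
        # Reachable only through the auth_request subrequest, never directly by clients.
        internal;
        proxy_pass http://127.0.0.1:9090/validate;
        # Vouch Proxy needs the original Host to match it against vouch.domains.
        proxy_set_header Host $http_host;
        # Only the request headers (the session cookie) matter; do not forward the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # A 401 from /validate means no valid session cookie: send the browser to log in.
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri;
    }

    location / {
        # Copy the identity returned by the /validate subrequest into a variable ...
        auth_request_set $auth_user $upstream_http_x_vouch_user;
        # ... and set the header from it. This replaces any X-Vouch-User value the
        # client sent, so the application only ever sees the proxy-verified identity.
        proxy_set_header X-Vouch-User $auth_user;
        proxy_set_header Host $http_host;
        # The application must accept connections only from this Nginx (loopback here);
        # anything that can reach it directly can supply the identity header itself.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The IdP callback at `/auth` is served by Vouch Proxy itself, so `vouch.example.com` needs its own server block proxying to `127.0.0.1:9090`.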

Highlights

  • Supports 30+ OAuth and OpenID Connect providers
  • Integrates via Nginx auth_request module
  • Domain‑wide cookie sharing for seamless SSO
  • Fast validation (<1 ms) when co‑located with Nginx

Pros

  • Broad provider compatibility
  • Simple Nginx configuration
  • Low‑latency session validation
  • Flexible deployment (binary, Docker, Kubernetes)

Considerations

  • Requires Nginx with auth_request module
  • Cookie domain setup can be tricky
  • No built‑in user management UI
  • Depends on external IdP availability

Managed products teams compare with

When teams consider Vouch Proxy, these hosted platforms usually appear on the same shortlist.

Amazon Cognito

Customer identity and access management service for adding user sign-up, sign-in, and authentication to apps

Auth0

Cloud-based identity management platform for adding user authentication and authorization to applications

Clerk

User authentication and identity APIs for web and mobile apps

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Organizations needing SSO across multiple internal apps
  • Teams already using Nginx as a reverse proxy
  • Environments with an existing OAuth/OIDC IdP
  • Deployments that prefer a lightweight proxy over full IAM

Not ideal when

  • Use cases requiring a native user database
  • Stacks without Nginx or auth_request support
  • High‑throughput APIs where an extra hop adds latency
  • Projects that need an out‑of‑the‑box user self‑service portal

How teams use it

Protect multiple microservices behind a single domain

Users authenticate once via Google and gain access to all services without re‑login.

Add SSO to legacy web apps without code changes

Nginx forwards authentication to Vouch Proxy, injecting user headers for the apps to consume.

Deploy SSO in Kubernetes using Ingress

Vouch Proxy runs as a sidecar or separate service, handling auth for Ingress‑exposed apps.

Centralize authentication for internal dashboards

Corporate IdP (Okta) validates users, and Vouch Proxy passes email and groups as headers to each dashboard.

Tech snapshot

  • Go: 94%
  • Shell: 6%
  • Dockerfile: 1%
  • CSS: 1%

Tags

jwt, oauth2, sso, nginx, sso-login, nginx-proxy, sso-solution, golang, authentication, lasso

Frequently asked questions

Which Identity Providers are supported?

Vouch Proxy works with any OAuth2 or OpenID Connect provider, including Google, GitHub, Okta, Azure AD, Keycloak, and many others listed in the documentation.

How is validation latency kept low?

When Vouch Proxy runs on the same host as Nginx, the `/validate` endpoint typically responds in under 1 ms because it only checks a signed cookie.

Do I need to modify my application code?

No code changes are required; Vouch Proxy injects user information via HTTP headers that the application can read.

Can Vouch Proxy be run in Docker?

Yes, official Docker images are provided and can be orchestrated with Docker Compose or Kubernetes.

What happens if the IdP is unavailable?

Authentication attempts will fail and users receive a 401 response; existing sessions remain valid until the cookie expires.

Project at a glance

Stable

  • Stars: 3,213
  • Watchers: 3,213
  • Forks: 328
  • License: MIT
  • Repo age: 8 years old
  • Last commit: 6 months ago
  • Primary language: Go

Last synced 13 hours ago