

Unified SSO gateway for Nginx using OAuth and OIDC
Vouch Proxy adds single sign‑on to Nginx, authenticating visitors via dozens of OAuth/OIDC providers and sharing session cookies across subdomains for seamless access to multiple web applications.
Vouch Proxy acts as a lightweight authentication gateway for Nginx. When a visitor reaches a protected site, Nginx forwards a /validate request to Vouch Proxy, which checks a signed session cookie. If the cookie is missing or invalid, the user is redirected to the configured Identity Provider (IdP) for login. After successful authentication, Vouch Proxy sets a domain‑wide cookie and returns user attributes—email, name, tokens—as HTTP headers, allowing the downstream application to trust the identity without managing its own user store.
The solution is aimed at DevOps engineers and system administrators who already run Nginx as a reverse proxy and need SSO across multiple web applications in the same domain. It works with any OAuth2 or OpenID Connect provider, including Google, GitHub, Okta, Azure AD, Keycloak, and many others. Vouch Proxy can be run as a binary, Docker container, or Kubernetes pod, and when co‑located with Nginx the validation latency is typically under 1 ms.
Deploy by configuring `vouch.domains` to share the cookie across subdomains, adding an `auth_request /validate` block in Nginx, and pointing the IdP callback to `/auth`. Official Docker images simplify containerized setups, and Helm charts are available for Kubernetes environments.
Protect multiple microservices behind a single domain: Users authenticate once via Google and gain access to all services without re‑login.
Add SSO to legacy web apps without code changes: Nginx forwards authentication to Vouch Proxy, injecting user headers for the apps to consume.
Deploy SSO in Kubernetes using Ingress: Vouch Proxy runs as a sidecar or separate service, handling auth for Ingress‑exposed apps.
Centralize authentication for internal dashboards: Corporate IdP (Okta) validates users, and Vouch Proxy passes email and groups as headers to each dashboard.
Vouch Proxy works with any OAuth2 or OpenID Connect provider, including Google, GitHub, Okta, Azure AD, Keycloak, and many others listed in the documentation.
When Vouch Proxy runs on the same host as Nginx, the `/validate` endpoint typically responds in under 1 ms because it only checks a signed cookie.
No code changes are required; Vouch Proxy injects user information via HTTP headers that the application can read.
Yes, official Docker images are provided and can be orchestrated with Docker Compose or Kubernetes.
Authentication attempts will fail and users receive a 401 response; existing sessions remain valid until the cookie expires.