MCPcopy Index your code
hub / github.com/reugn/auth-server

github.com/reugn/auth-server @v0.5.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.5.0 ↗ · + Follow
114 symbols 273 edges 24 files 98 documented · 86% 2 cross-repo links updated 5mo agov0.5.0 · 2026-01-16★ 85
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

auth-server

Build PkgGoDev Go Report Card

This project offers a toolkit for building and configuring a tailored authentication and authorization service.

auth-server can act as a proxy middleware or be configured in a stand-alone mode. It doesn't require any third-party software integration. Leverage existing backend storage repositories for storing security policies or develop a custom one to suit your specific requirements. For information on how to configure repositories using environment variables, refer to the repository configuration page.

[!NOTE] This project's security has not been thoroughly evaluated. Proceed with caution when setting up your own auth provider.

Introduction

  • Authentication is used by a server when the server needs to know exactly who is accessing their information or site.
  • Authorization is a process by which a server determines if the client has permission to use a resource or access a file.

The inherent complexity of crafting an authentication and authorization strategy raises a barrage of immediate questions:

  • Would it be beneficial to utilize separate services for authentication and authorization purposes?
  • What is the process for creating access tokens, and who is tasked with this responsibility?
  • Is it necessary to adapt our REST service to support an authorization flow?

The auth-server project aims to address these concerns by serving as a transparent authentication and authorization proxy middleware.

Architecture

architecture_diagram

  1. The user requests an access token (JWT), using a basic authentication header: GET /token HTTP/1.1 Host: localhost:8081 Authorization: Basic YWRtaW46MTIzNA==

  2. The proxy server routes this request to auth-server to issue a token.
    Response body:
    {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...","token_type":"Bearer","expires_in":3600000}

  3. The user sends an authenticated request to the proxy server: GET /foo HTTP/1.1 Host: localhost:8081 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

  4. Proxy invokes auth-server as an authentication/authorization middleware. In case the token was successfully authenticated/authorized, the request will be routed to the target service. Otherwise, an auth error code will be returned to the client.

Installation and Prerequisites

  • auth-server is written in Go (1.24+). To install the latest stable version of Go, visit the releases page.

  • Read the following instructions to generate keys required to sign the token. Specify the location of the generated certificates in the service configuration file. An example of the configuration file can be found here.

  • The following example shows how to run the service using a configuration file: ./auth -c service_config.yml

  • To run the project using Docker, visit their page to get started. Docker images are available under the GitHub Packages.

  • Install Docker to get started with the examples.

Configuration

Proxy Providers

The proxy setting in your configuration determines how auth-server parses incoming requests to extract the original method and URI. This is important when running behind a reverse proxy that may modify or forward request details via headers.

Provider Description Headers Used
direct No proxy, use actual request values None
nginx Nginx with auth_request module X-Forwarded-Method, X-Forwarded-Uri
traefik Traefik with ForwardAuth middleware X-Forwarded-Method, X-Forwarded-Uri, X-Forwarded-Prefix
envoy Envoy with ext_authz filter X-Original-*, X-Envoy-Original-*, X-Forwarded-* (priority order)
haproxy HAProxy with external auth X-Forwarded-Method, X-Forwarded-Uri, X-Original-URI
kong Kong API Gateway X-Forwarded-Method, X-Forwarded-Path, X-Forwarded-Prefix

Example configuration:

proxy: direct  # or nginx, traefik, envoy, haproxy, kong

Examples

Examples are available under the examples folder.

Traefik

Run auth-server as a Traefik ForwardAuth middleware:

cd examples/traefik
docker compose up -d

Nginx

Run auth-server with Nginx using the auth_request module:

cd examples/nginx
docker compose up -d

Envoy

Run auth-server with Envoy using the ext_authz filter:

cd examples/envoy
docker compose up -d

License

Licensed under the Apache 2.0 License.

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 45
Method 41
Struct 23
TypeAlias 3
Interface 2

Languages

Go100%

Modules by API surface

internal/proxy/parser.go13 symbols
internal/repository/repository.go10 symbols
internal/http/server.go10 symbols
internal/http/rate_limiter.go8 symbols
internal/config/service.go8 symbols
internal/repository/vault.go6 symbols
internal/repository/aerospike.go6 symbols
internal/auth/keys.go6 symbols
internal/auth/jwt_validator.go6 symbols
internal/repository/local.go5 symbols
internal/config/logger.go5 symbols
internal/config/http_server.go5 symbols

Used by 2 indexed graphs manifest dependencies, hub-wide

For agents

$ claude mcp add auth-server \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page