@aaroncadillac/oidc-reverse-proxy

v2.1.0

A simple reverse proxy to protect paths with OIDC based on fastify

Readme

oidc-reverse-proxy

oidc-rproxy is a command-line utility that launches a reverse proxy secured with OpenID Connect (OIDC). It reads a JSON configuration file that can be fully parameterised via environment variables.

Installation

npm install -g @aaroncadillac/oidc-reverse-proxy

Basic usage

oidc-rproxy run http://localhost

This command starts the OIDC-authenticated reverse-proxy server. You can override the default host, port and config file path:

oidc-rproxy run http://localhost:8080 --host 0.0.0.0 --port 8080 --config ~/custom-config.json

For every successful request the proxy injects an Authorization: Bearer <access_token> header containing the user’s OIDC access-token. Your upstream services can therefore handle sessions without additional middleware.

Commands

run

Starts the reverse-proxy server.

Global options

| Option | Description | Default |
|--------|-------------|---------|
| --host, -h | $OIDC_RPROXY_HOST Host interface to bind | localhost |
| --port, -p | $OIDC_RPROXY_PORT TCP port to listen on | 3000 |
| --config, -c | Path to the JSON config file | ~/oidc-rproxy.json |

Examples

oidc-rproxy run http://localhost:8080
oidc-rproxy run https://example.com --host 127.0.0.1 --port 9000 --config ~/config.json

Configuration file (oidc-rproxy.json)

The configuration file is a JSON array, where each object defines how users are authenticated and how requests are routed to backend services.

It assumes that your issuer supports the OIDC Discovery protocol, so you don't need to manually specify:

  • authorization_endpoint
  • token_endpoint
  • user_info_endpoint

Each object in the array maps one or more path prefixes to a single OIDC provider, meaning you can protect different paths with different identity providers in a single configuration.

Example configuration

[
  {
    "issuer": "https://auth.example.com",
    "client_id": "example-client",
    "client_secret": "••••••••••",
    "scope": "openid email profile",
    "session_cookie_name": "oidc_session",
    "email_domains": ["example.com"],
    "paths": {
      "/api/": { "upstream": "http://127.0.0.1:4000" },
      "/docs/": { "upstream": "http://127.0.0.1:4001", "healthcheck": "health" }
    }
  },
  {
    "issuer": "https://login.partner.com",
    "client_id": "partner-client",
    "client_secret": "••••••••••",
    "paths": {
      "/partner/": { "upstream": "https://partner-backend.internal" }
    }
  }
]

The /docs/ entry can instead use healthcheckRootPath; this path is accessible without the base path:

      "/docs/": { "upstream": "http://127.0.0.1:4001", "healthcheckRootPath": "/health" }

Required fields (per array element)

  • issuer
  • client_id
  • client_secret
  • session_cookie_secret – secret key for session cookie encryption
  • session_cookie_name – name of the session cookie (default: oidc_session)
  • paths
    • each key in paths must end with a / and must define an upstream URL
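
These rules can be checked before the proxy is started. The linter below is an added example, not part of the package: it applies the required-field and path rules listed here, and adds two checks that are assumptions of this example, namely plain-HTTP upstreams on non-loopback hosts (the proxy forwards the user's access token to the upstream) and path prefixes that overlap between entries. The sample configuration is constructed.

```javascript
// Added example, not the package's code: lints an oidc-rproxy.json document.
const REQUIRED = ["issuer", "client_id", "client_secret", "session_cookie_secret", "paths"];
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function lintConfig(jsonText) {
  const config = JSON.parse(jsonText);
  if (!Array.isArray(config)) return ["top level must be a JSON array"];
  const findings = [];
  const seen = []; // { prefix, entry } for every route visited so far
  config.forEach((entry, i) => {
    for (const field of REQUIRED) {
      if (!entry[field]) findings.push(`[${i}] missing required field ${field}`);
    }
    for (const [prefix, route] of Object.entries(entry.paths || {})) {
      if (!prefix.endsWith("/")) findings.push(`[${i}] ${prefix}: path key must end with /`);
      let upstream = null;
      try {
        upstream = new URL(route.upstream);
      } catch {
        findings.push(`[${i}] ${prefix}: upstream is missing or not a URL`);
      }
      // The proxy forwards the user's access token, so plain HTTP off-host exposes it.
      if (upstream && upstream.protocol === "http:" && !LOOPBACK.has(upstream.hostname)) {
        findings.push(`[${i}] ${prefix}: bearer token sent in cleartext to ${upstream.host}`);
      }
      // Assumption: the page does not define precedence for overlapping prefixes.
      for (const other of seen) {
        if (other.entry !== i && (prefix.startsWith(other.prefix) || other.prefix.startsWith(prefix))) {
          findings.push(`[${i}] ${prefix}: overlaps ${other.prefix} from entry [${other.entry}]`);
        }
      }
      seen.push({ prefix, entry: i });
    }
  });
  return findings;
}

// Constructed sample with four deliberate problems.
const SAMPLE = JSON.stringify([
  { issuer: "https://auth.example.com", client_id: "example-client", client_secret: "x",
    session_cookie_secret: "y",
    paths: { "/api/": { upstream: "http://127.0.0.1:4000" }, "/docs": { upstream: "http://10.0.0.5:4001" } } },
  { issuer: "https://login.partner.com", client_id: "partner-client", client_secret: "x",
    paths: { "/api/v2/": { upstream: "https://partner-backend.internal" } } },
]);
console.log(lintConfig(SAMPLE).join("\n"));
```

JSON.parse silently keeps only the last of two identical keys inside one paths object, so a duplicated prefix within a single entry has to be caught by reviewing the file itself.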

Optional fields

  • scope – OIDC scopes to request (default: openid email profile)
  • email_domains – restrict access to specified email domains
  • on_unauthenticated_request – action when a request is unauthenticated ("deny", "redirect", etc.)
  • paths.*.healthcheck – relative health-check path (e.g. "health")
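
How email_domains is compared decides whether the restriction holds: a suffix comparison also accepts look-alike domains. The code below is an added example, not the package's implementation, that contrasts a suffix check with an exact-domain check. Requiring email_verified is a hardening choice assumed here, and the claim objects are constructed.

```javascript
// Added example, not the package's code. Claim objects below are constructed.

// Weak form: a suffix test also matches look-alike and sub-domains,
// and ignores whether the IdP verified the address.
function suffixCheck(claims, allowedDomains) {
  return allowedDomains.some((d) => String(claims.email).endsWith(d));
}

// Hardened form: exact, case-insensitive match on the part after the last "@".
function emailDomainAllowed(claims, allowedDomains) {
  const email = claims && claims.email;
  if (typeof email !== "string" || claims.email_verified !== true) return false;
  if (/[\s\u0000-\u001f]/.test(email)) return false; // no whitespace or control characters
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return false; // need a local part and a domain
  const domain = email.slice(at + 1).toLowerCase();
  return allowedDomains.some((d) => d.toLowerCase() === domain);
}

const ALLOWED = ["example.com"]; // value taken from the example configuration
const CASES = [
  { email: "alice@example.com", email_verified: true },
  { email: "Alice@EXAMPLE.COM", email_verified: true },
  { email: "mallory@evilexample.com", email_verified: true },
  { email: "mallory@example.com.evil.net", email_verified: true },
  { email: "mallory@sub.example.com", email_verified: true },
  { email: "alice@example.com", email_verified: false },
];

// One row per case: what each check decides.
function decisions() {
  return CASES.map((c) => ({
    email: c.email,
    suffix: suffixCheck(c, ALLOWED),
    exact: emailDomainAllowed(c, ALLOWED),
  }));
}

console.table(decisions());
```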

Authentication flow

  1. A user lands on a protected path.
  2. The proxy initiates the OIDC Authorisation Code flow with PKCE.
  3. After a successful login the user is redirected back with an ID-token and access-token.
  4. The proxy stores the ID-token in an encrypted session cookie (session_cookie_name).
  5. For every subsequent request the proxy:
    • validates the cookie,
    • refreshes tokens if necessary,
    • adds Authorization: <access_token> to the outgoing request, and
    • forwards the request to the configured upstream service.
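
Steps 2 and 3 rely on two per-login values: state, which ties the callback to the browser that started the login, and the PKCE code_verifier, which the proxy presents when it redeems the one-time authorization code at the token endpoint. The sketch below is an added example, not the package's code; the authorization endpoint and callback URL passed to it are constructed, and the function names are hypothetical.

```javascript
// Added example, not the package's code. URLs passed in by the caller are constructed.
const crypto = require("node:crypto");

const b64url = (buf) => buf.toString("base64url");
const s256 = (verifier) => b64url(crypto.createHash("sha256").update(verifier).digest());

// Step 2: the proxy creates per-login secrets and the redirect to the IdP.
function startLogin({ authorizationEndpoint, clientId, redirectUri, scope }) {
  const pending = {
    state: b64url(crypto.randomBytes(16)),        // checked again on the callback
    codeVerifier: b64url(crypto.randomBytes(32)), // 43 chars, kept server-side until redemption
  };
  const url = new URL(authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state: pending.state,
    code_challenge: s256(pending.codeVerifier),
    code_challenge_method: "S256",
  }).toString();
  return { redirectTo: url.toString(), pending };
}

// Step 3: accept the callback only if state matches, then build the core
// token request fields (redirect_uri and client authentication omitted).
function redeemCallback(callbackUrl, pending) {
  const params = new URL(callbackUrl).searchParams;
  const state = Buffer.from(params.get("state") || "");
  const expected = Buffer.from(pending.state);
  if (state.length !== expected.length || !crypto.timingSafeEqual(state, expected)) {
    throw new Error("state mismatch: callback does not belong to this login");
  }
  const code = params.get("code");
  if (!code) throw new Error(`authorization failed: ${params.get("error") || "no code"}`);
  return { grant_type: "authorization_code", code, code_verifier: pending.codeVerifier };
}

// IdP side: the token endpoint recomputes the challenge from the presented verifier.
function idpAcceptsVerifier(storedChallenge, presentedVerifier) {
  return s256(presentedVerifier) === storedChallenge;
}
```

An intercepted authorization code is useless without the matching code_verifier, and a callback carrying a state value the proxy did not issue is rejected before any token request is made.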

Health checks

If a healthcheck property is defined for a path, the proxy will periodically poll upstream/healthcheck and mark the backend as unavailable when the endpoint does not return HTTP 2xx.

Licence

Licensed under the MPL-2.0.