  • Stars: 107
  • Rank 322,009 (Top 7 %)
  • Language: JavaScript
  • License: MIT License
  • Created almost 2 years ago
  • Updated 11 months ago


Repository Details

Sign into Discord on Cloudflare Access, powered by Cloudflare Workers!

Discord OIDC Provider for Cloudflare Access

Simply put: Allows you to authorise with Cloudflare Access using your Discord account via a Cloudflare Worker. Wraps OIDC around the Discord OAuth2 API to achieve this, storing signing keys in KV.

Process flow was inspired by kimcore/discord-oidc but rewritten entirely for Cloudflare Workers and Hono.

Some ideas were also taken from eidam/cf-access-workers-oidc.

Show them some love!

Setup

Requirements:

  • A Cloudflare Access account - make sure you've gone through the onboarding flow and have a NAME.cloudflareaccess.com subdomain.
  • A Discord developer application to use for OAuth2.
    • Add a redirect URI https://YOURNAME.cloudflareaccess.com/cdn-cgi/access/callback to the Discord application.
  • An installation of Node.js

Steps:

  • Clone the repository and cd into it: git clone https://github.com/Erisa/discord-oidc-worker.git && cd discord-oidc-worker
  • Install dependencies: npm install
  • Create a KV namespace on Cloudflare.
  • Edit wrangler.toml to use your new KV namespace ID.
  • Copy config.sample.json to config.json.
  • Add your Discord application ID and OAuth2 secret to config.json.
  • Edit your Cloudflare Access subdomain into config.json under redirectURL. This should be the same URL you added to Discord.
  • Publish the Worker with npx wrangler publish!

Usage

  • Go to the Cloudflare Zero Trust dashboard
  • Navigate to Settings > Authentication, select "Add new" under Login methods, select OpenID Connect.
  • Fill the following fields:
    • Name: Whatever you want, e.g. Discord
    • App ID: Your Discord application ID.
    • Client secret: Your Discord application OAuth2 secret.
    • Auth URL: https://discord-oidc.YOURNAME.workers.dev/authorize/email or swap out /email for /guilds to include the Guilds scope.
    • Token URL: https://discord-oidc.YOURNAME.workers.dev/token
    • Certificate URL: https://discord-oidc.YOURNAME.workers.dev/jwks.json
    • Proof Key for Code Exchange (PKCE): Enabled
    • OIDC Claims:
      • Email is included automatically without being set here.
      • It is recommended to add id here, as the user's unique Discord user ID.
      • preferred_username will map to the user's username and discriminator if they have one, e.g. Erisa#9999 or erisachu
      • name will map to the non-unique Display Name of the user, or username if there is none. E.g. Erisa. Basically a safer form of global_name, which might sometimes be null.
      • If the Auth URL is /guilds then the guilds claim can be used to provide a list of guild IDs.
      • Anything else from here will work: https://discord.com/developers/docs/resources/user#user-object-user-structure
  • See the Examples section below for help with constructing policies.

Usage with roles

  • Follow the above setup, making sure to use the /guilds auth URL.
  • Create a Discord Bot for the OAuth2 application, generate an OAuth2 URL with the bot scope and use it to invite the bot to your server.
    • The bot does not need any permissions, it just needs to exist in the server.
  • Generate a bot token and paste it in when prompted by npx wrangler secret put DISCORD_TOKEN.
  • Populate config.json with a list of server IDs that you wish to check user roles for. Make sure the bot is a member of all servers in this list.
  • Edit the OIDC provider in Cloudflare Access and add the server IDs as claims prefixed with roles:, e.g. roles:438781053675634713
  • When creating a policy, reference the roles: claims as the name, and use the role ID as the claim value. This will match users in that server who have that role.

Example config for a roles setup:

{
    "clientId": "1056005449054429204",
    "clientSecret": "aaaaaaaaaaaaa",
    "redirectURL": "https://erisa.cloudflareaccess.com/cdn-cgi/access/callback",
    "serversToCheckRolesFor": [
        "438781053675634713"
    ]
}
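
The claim mapping described under OIDC Claims and the roles: matching described under Usage with roles can be modelled as follows. This is an added illustration, not code from discord-oidc-worker: buildClaims and matchesRule are hypothetical names, the user objects and role ID are constructed, and treating a roles: claim as a list of role IDs matched by membership is an assumption about how the rule is evaluated.

```javascript
// Added example, not the project's code. All sample data below is constructed.
const GUILD = "438781053675634713";      // server ID from the example config
const ROLE = "200000000000000002";       // constructed role ID
const newStyleUser = {
  id: "100000000000000001", username: "erisachu",
  discriminator: "0",                    // assumption: "0" means no discriminator
  global_name: null, email: "user@example.com",
};
const legacyUser = {
  id: "100000000000000003", username: "Erisa",
  discriminator: "9999", global_name: "Erisa", email: "user2@example.com",
};

// Map a Discord user object (plus guild and role lookups) to the claims the
// README lists: id, email, preferred_username, name, guilds, roles:<server ID>.
function buildClaims(user, guildIds = [], rolesByGuild = {}, serversToCheck = []) {
  const hasDiscrim = Boolean(user.discriminator) && user.discriminator !== "0";
  const claims = {
    id: user.id,
    email: user.email,
    preferred_username: hasDiscrim
      ? `${user.username}#${user.discriminator}`
      : user.username,
    // global_name can be null, so fall back to the username
    name: user.global_name ?? user.username,
    guilds: guildIds,
  };
  for (const guildId of serversToCheck) {
    // Only emit a roles claim for servers the user actually belongs to.
    if (guildIds.includes(guildId)) {
      claims[`roles:${guildId}`] = rolesByGuild[guildId] ?? [];
    }
  }
  return claims;
}

// Model of a policy rule: claim name plus required value.
// A missing claim never matches; list-valued claims match by membership.
function matchesRule(claims, claimName, claimValue) {
  const actual = claims[claimName];
  if (actual === undefined || actual === null) return false;
  return Array.isArray(actual) ? actual.includes(claimValue) : actual === claimValue;
}
```

Because name is the non-unique display name, a rule on name matches any account that sets the same display name; rules meant to identify one person should use id.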

Examples

My setup, as an example:

To use this in a policy, simply enable it as an Identity provider in your Access application and then create a rule using OIDC Claims and the relevant claim above. Make sure the claim has been added to your provider in the steps above.

With roles:

This example would allow me to access the application if I was myself on Discord or if I was a member of a specific server:

Security

If you find a security vulnerability in this repository, do NOT create an Issue or Pull Request. Please contact me through email or message (There are links on my GitHub profile). If you create an issue for an active security vulnerability I will save the information and delete the issue.

Alternatively, you can try out a new GitHub feature for Security Advisories: https://github.com/Erisa/discord-oidc-worker/security
