Access controls

Tinyauth supports basic, Docker label-based access controls. These labels can restrict or allow access to individual applications by user, path, IP address or OIDC group.

Modifying the Tinyauth Container

To enable access controls, add the following volume to the Tinyauth container:

services:
  tinyauth:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Restart Tinyauth after setting the volume.

Mounting the Docker socket directly gives the Tinyauth container full access to the Docker daemon. For increased security, use a Docker socket proxy such as Tecnativa's and point Tinyauth at the proxy by adding the following environment variable:

services:
  tinyauth:
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375

Ensure Tinyauth can reach the Docker socket proxy container, for example by attaching both containers to the same Docker network.

Label Structure

Access control labels follow this structure:

tinyauth.apps.[app].[key]: [value]

Where [app] is the ID of the app to protect and [key] is one of the keys described below. The app ID must be unique for each protected app.

Label Discovery

By default, Tinyauth matches labels to an app by comparing the app ID in the label with the first subdomain of the request. For example, a request to app1.example.com makes Tinyauth search for containers carrying labels with the tinyauth.apps.app1 prefix, such as tinyauth.apps.app1.foo: bar. To match on the full domain instead, add the following label:

tinyauth.apps.myapp.config.domain: myapp.example.com

Tinyauth will now use the domain to match labels instead of the app ID.

User ACLs

To restrict access to specific users, use the users.allow label:

tinyauth.apps.myapp.users.allow: user1

Only user1 will be able to access the app. To block specific users, use the users.block label:

tinyauth.apps.myapp.users.block: user2

Both the users.allow and users.block labels accept either a comma-separated list of usernames or a single regex string (enclosed in /).

These labels also apply to LDAP users.

OAuth Whitelist

To restrict access to specific OAuth users, use the oauth.whitelist label:

tinyauth.apps.myapp.oauth.whitelist: user1@example.com

Only user1@example.com will be able to access the app.

The oauth.whitelist label accepts either a comma-separated list of users or a single regex string (enclosed in /).

Path ACLs

To skip authentication for specific paths, use the path.allow label:

tinyauth.apps.myapp.path.allow: ^\/api

To block access to specific paths, use the path.block label:

tinyauth.apps.myapp.path.block: ^\/admin

Path labels use regex strings. For example, ^\/api matches paths starting with /api, while ^\/ping$ matches the exact path /ping.

IP-Based Access Controls

To allow access based on IP addresses or CIDRs, use the ip.allow label:

tinyauth.apps.myapp.ip.allow: 10.10.5.5,10.10.10.0/24

To block specific IPs or subnets, use the ip.block label:

tinyauth.apps.myapp.ip.block: 192.168.1.1,192.168.0.0/16

Bypassing Authentication for IPs

To disable authentication for specific IPs or subnets, use the ip.bypass label:

tinyauth.apps.myapp.ip.bypass: 10.10.5.5,10.10.10.0/24
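To see how the label discovery, user, path and IP rules above fit together, here is an added example (not Tinyauth's own code) that parses a constructed set of container labels and decides one request. The order in which bypass, block and allow rules are evaluated here is an assumption, as the guide does not specify it.

```python
import ipaddress
import re
# Constructed sample labels, as they would appear on a Docker container.
LABELS = {
    "tinyauth.apps.myapp.config.domain": "myapp.example.com",
    "tinyauth.apps.myapp.users.allow": "user1,user3",
    "tinyauth.apps.myapp.users.block": "/^user2$/",
    "tinyauth.apps.myapp.path.allow": r"^\/api",
    "tinyauth.apps.myapp.path.block": r"^\/admin",
    "tinyauth.apps.myapp.ip.bypass": "10.10.5.5,10.10.10.0/24",
    "tinyauth.apps.myapp.ip.block": "192.168.0.0/16",
}

def app_labels(labels, host):
    # Group tinyauth.apps.[app].[key] labels by app, then select the app by
    # config.domain == host, falling back to app ID == first subdomain.
    apps = {}
    for key, value in labels.items():
        parts = key.split(".", 3)
        if len(parts) == 4 and parts[:2] == ["tinyauth", "apps"]:
            apps.setdefault(parts[2], {})[parts[3]] = value
    by_domain = [c for c in apps.values() if c.get("config.domain") == host]
    return by_domain[0] if by_domain else apps.get(host.split(".")[0], {})

def user_matches(rule, user):
    # A rule is either one /regex/ or a comma-separated list of usernames.
    if len(rule) > 1 and rule[0] == rule[-1] == "/":
        return re.search(rule[1:-1], user) is not None
    return user in [u.strip() for u in rule.split(",")]

def ip_matches(rule, ip):
    # A rule is a comma-separated list of IPs and CIDRs.
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in rule.split(",")]
    return any(ipaddress.ip_address(ip) in net for net in nets)

def decide(labels, host, path, ip, user=None):
    # Returns "bypass" (no login needed), "allow" or "deny". The evaluation
    # order used here (bypass, then block, then allow lists) is an assumption.
    cfg = app_labels(labels, host)
    hit = lambda key, fn, val: key in cfg and bool(fn(cfg[key], val))
    if hit("ip.bypass", ip_matches, ip) or hit("path.allow", re.search, path):
        return "bypass"
    if hit("ip.block", ip_matches, ip) or hit("path.block", re.search, path):
        return "deny"
    if "ip.allow" in cfg and not hit("ip.allow", ip_matches, ip):
        return "deny"
    if user is None or hit("users.block", user_matches, user):
        return "deny"  # not logged in, or explicitly blocked
    if "users.allow" in cfg and not hit("users.allow", user_matches, user):
        return "deny"
    return "allow"
```

An app with no matching labels falls through to "allow" for any logged-in user, which mirrors the default of protecting an app without further restrictions.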

Access Controls Using OIDC Groups

Some OIDC servers, like Pocket ID, support user groups in the OIDC response. To use groups, ensure the groups scope is included in the OAuth provider configuration. Then, add the oauth.groups label:

tinyauth.apps.myapp.oauth.groups: admin

Only users in the admin group will be allowed to access the app.

The oauth.groups label is only supported for custom OAuth providers, not for Google or GitHub.