// the find
vouch/vouch-proxy
an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
Vouch Proxy is a small Go service that sits between Nginx and your apps, using Nginx's `auth_request` module to enforce OAuth/OIDC login before requests get through. You run one Vouch instance, point every protected vhost at it, and users get SSO across your entire domain. It's for self-hosters and platform teams who want to gate internal tools without touching each app's code.
The `auth_request` integration is well thought out — Vouch passes user identity as HTTP headers (`X-Vouch-User`, `X-Vouch-IdP-Claims-*`) so downstream apps can consume auth without knowing anything about OAuth. The `/validate` endpoint is stateless and fast enough that the README's claim of sub-1ms response on localhost is plausible. Provider coverage is wide (20+ IdPs including GitHub teams/orgs, Keycloak, Azure AD, Pocket ID) with named example configs for each, which makes initial setup much less guesswork. The open redirect mitigations on `/login` and `/logout` are explicit and correctly implemented — domain overlap checks, no chained URL parameters.
The cookie-sharing model is a hard architectural constraint that trips up every new user: Vouch and all protected apps must share a domain, which means you can't protect apps on different TLDs without running multiple Vouch instances. The Travis CI badge still points to travis-ci.org (dead), suggesting CI hygiene has slipped — the actual GitHub Actions workflows look functional but the disconnect is a signal. JWT storage in cookies means large claim sets (groups, access tokens) get split across multiple cookies and require Nginx buffer tuning, which is fragile and poorly documented for the failure case. There's no built-in session revocation — if you need to kick a user out before their JWT expires, you're reaching for the `vouch.cookie.maxAge` hammer rather than any per-session invalidation.