AgentSkillsCN

sso-guide

SSO integration guide for Fort-Nix services. Use when adding authentication to a service, choosing an SSO mode, configuring oauth2-proxy, or troubleshooting authentication issues. Triggers include fort.cluster.services SSO configuration, oauth2-proxy setup, OIDC integration, or authentication header injection.

SKILL.md
--- frontmatter
name: sso-guide
description: SSO integration guidance for fort-nix services. Use when adding authentication to a service, choosing an SSO mode, configuring oauth2-proxy, or troubleshooting auth issues. Triggers on fort.cluster.services sso config, oauth2-proxy setup, OIDC integration, or auth header injection.

SSO Integration Guide

Configure authentication for services exposed via fort.cluster.services.

Quick Reference: SSO Modes

| Mode | Use When | fort.nix Provides | You Provide |
|------|----------|-------------------|-------------|
| none | No auth needed, or app handles its own | Plain reverse proxy | Nothing |
| oidc | App supports OIDC natively | Credential delivery to /var/lib/fort-auth/<svc>/ | OIDC config in app |
| headers | App reads X-Auth-* headers | oauth2-proxy + nginx wiring | Header consumption in app |
| basicauth | App only supports HTTP Basic Auth | oauth2-proxy translating to Basic | Basic auth config in app |
| gatekeeper | Login wall, no identity needed | oauth2-proxy blocking unauthenticated | Nothing |

Mode Selection Flowchart

code
Does the app need authentication?
├─ No → mode = "none"
└─ Yes → Does the app support OIDC natively?
         ├─ Yes → mode = "oidc" (see references/oidc.md)
         └─ No → Can the app read X-Auth-* headers?
                  ├─ Yes → mode = "headers" (see references/headers.md)
                  └─ No → Does it support HTTP Basic Auth?
                           ├─ Yes → mode = "basicauth" (see references/basicauth.md)
                           └─ No → Just need login gate? → mode = "gatekeeper" (see references/gatekeeper.md)

Detailed Mode Documentation

Common Options

All SSO modes support:

nix
sso = {
  mode = "headers";  # or oidc, basicauth, gatekeeper
  groups = [ "admin" ];  # Restrict access to specific LDAP groups
};

Group Restrictions

The groups option restricts service access to users in specific LDAP groups. Groups are enforced at two levels:

  1. pocket-id (OIDC provider): The OIDC client is configured with allowedUserGroups. Users outside those groups are rejected at login, so they never receive tokens.

  2. oauth2-proxy: For non-oidc modes, oauth2-proxy is started with --allowed-group flags that filter users after OIDC authentication has succeeded.

This provides defense-in-depth: pocket-id blocks unauthorized users before token issuance, and oauth2-proxy validates group membership for proxy-mediated flows.

Example: restricting access to the admin group only:

nix
fort.cluster.services = [{
  name = "admin-panel";
  port = 8080;
  sso = {
    mode = "gatekeeper";
    groups = [ "admin" ];  # Only admin group can access
  };
}];
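To show the mode-selection flowchart and the groups option applied together, here is an added example (not code from the fort-nix project) of one fort.cluster.services list that walks through every mode; the service names, ports and the "ops" group are constructed for illustration.

```nix
# Added example: one service per SSO mode, chosen by following the flowchart.
# Service names, ports and the "ops" group are assumptions, not fort-nix defaults.
fort.cluster.services = [
  {
    # Public status page: the app needs no authentication at all.
    name = "status";
    port = 3000;
    sso = { mode = "none"; };
  }
  {
    # App that speaks OIDC natively: fort.nix delivers client credentials
    # to /var/lib/fort-auth/grafana/ and the app's own OIDC config reads them.
    name = "grafana";
    port = 3001;
    sso = {
      mode = "oidc";
      groups = [ "admin" "ops" ];  # enforced by pocket-id allowedUserGroups at login
    };
  }
  {
    # App that trusts X-Auth-* headers injected by oauth2-proxy + nginx.
    name = "wiki";
    port = 3002;
    sso = {
      mode = "headers";
      groups = [ "ops" ];  # pocket-id at login, then oauth2-proxy --allowed-group
    };
  }
  {
    # Legacy app that only understands HTTP Basic Auth; oauth2-proxy
    # translates the OIDC session into Basic credentials for it.
    name = "legacy-cgi";
    port = 3003;
    sso = { mode = "basicauth"; };
  }
  {
    # Dashboard with no user concept: a login wall is all that is needed.
    name = "metrics";
    port = 3004;
    sso = {
      mode = "gatekeeper";
      groups = [ "admin" ];  # unauthenticated and non-admin requests are blocked
    };
  }
];
```

The comments beside each groups entry mark which of the two enforcement levels from the section above applies to that mode.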