Skip to content

stck/oidc-inline

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

oidc-inline

A headless OIDC authentication client for authentik that replaces the browser in OAuth2 authorization code flows. It programmatically completes login (username, password, TOTP) and consent stages, then delivers the authorization code to the local callback.

Designed to be used as a BROWSER replacement for CLI tools like NetBird that open a browser for OIDC login.

How it works

  1. Receives the OAuth2 authorization URL as an argument (the URL a CLI tool would normally open in a browser).
  2. Follows the HTTP redirect chain through the relay/proxy to authentik's /application/o/authorize/ endpoint.
  3. Discovers the authentication flow and its query parameters from authentik's redirect to /if/flow/:slug/.
  4. Executes the flow via authentik's API (/api/v3/flows/executor/:slug/), solving each stage:
    • Identification -- submits the username/email
    • Password -- submits the password
    • TOTP -- generates and submits a time-based one-time password
    • Consent -- accepts the consent challenge
  5. After authentication, follows the redirect back to the authorize endpoint which triggers the authorization flow (consent/code issuance).
  6. Follows the final redirect chain (relay callback -> localhost callback) to deliver the authorization code, just as a browser would.

Installation

go build -o oidc-inline main.go

Configuration

Create a config.yaml in the working directory or next to the binary:

base_url: https://authentik.example.com/
username: [email protected]
password: your-password
totp_secret: YOUR_TOTP_SECRET_BASE32
socks5: socks5://user:pass@proxy:1080  # optional
log_file: /var/log/oidc-inline.log     # optional
Field Required Description
base_url Yes Base URL of your authentik instance
username Yes Username or email for authentication
password Yes Account password
totp_secret Yes Base32-encoded TOTP secret for 2FA
socks5 No SOCKS5 proxy URL (localhost traffic bypasses proxy)
log_file No Path to log file (defaults to stderr if not set)

Usage

# Direct invocation
./oidc-inline 'https://relay.example.com/oauth2/auth?client_id=my-app&...'

# As a BROWSER env for NetBird
export BROWSER=/path/to/oidc-inline
netbird up

# With custom config path
./oidc-inline --config /etc/oidc-inline/config.yaml 'https://...'

Docker

The published Docker image is based on https://github.com/11notes/docker-netbird-client with oidc-inline pre-installed at /etc/oidc-inline and BROWSER env set accordingly.

docker pull ghcr.io/stck/oidc-inline:latest

Mount your config.yaml into the container:

docker run -v ./config.yaml:/etc/oidc-inline/config.yaml ghcr.io/stck/oidc-inline:latest

About

browserless netbird-authentic companion to auth without browser

Topics

golang authentik netbird authentik-api

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v1.1 Release Latest
May 26, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages