A minimal reverse proxy that acts as an OpenID Connect identity provider, using exe.dev's authentication headers as the source of truth.
When an app (Plane, Zulip, Gitea, etc.) initiates an OIDC login, the browser
is redirected to this proxy's authorization endpoint. Because the proxy sits
behind exe.dev's HTTPS proxy, the X-ExeDev-Email and X-ExeDev-UserID
headers are already present — so the OIDC flow completes instantly with zero
user interaction.
User → exe.dev proxy (adds X-ExeDev-Email/X-ExeDev-UserID)
→ exe-oidc-proxy (port 8000)
├── OIDC IdP endpoints (/_oidc/*)
└── reverse proxy → upstream app (e.g. Plane on :3000)
go install github.com/boldsoftware/exe-oidc-proxy@latest
exe-oidc-proxy \
-listen :8000 \
-upstream http://localhost:3000 \
-issuer https://myvm.exe.xyz/_oidc \
-client-id myapp \
-client-secret mysecret
All flags can also be set via environment variables:
| Flag | Env | Description |
|---|---|---|
-listen |
LISTEN |
Address to listen on (default :8000) |
-upstream |
UPSTREAM |
URL of the upstream app to proxy to |
-issuer |
ISSUER |
OIDC issuer URL (your VM's public URL + /_oidc) |
-client-id |
CLIENT_ID |
OIDC client ID the app will use |
-client-secret |
CLIENT_SECRET |
OIDC client secret the app will use |
- App has no session → redirects browser to
/_oidc/authorize - exe.dev's proxy has already added
X-ExeDev-Emailto the request - The authorize endpoint reads the header, generates an auth code, and redirects back to the app's callback URL instantly
- App exchanges the code for tokens at
/_oidc/token - App verifies the id_token using keys from
/_oidc/jwks - User is logged in
If the user isn't authenticated yet (no X-ExeDev-Email header), the
authorize endpoint redirects to /__exe.dev/login first.
| Path | Description |
|---|---|
/_oidc/.well-known/openid-configuration |
Discovery document |
/_oidc/authorize |
Authorization endpoint |
/_oidc/token |
Token endpoint |
/_oidc/userinfo |
UserInfo endpoint |
/_oidc/jwks |
JSON Web Key Set |
MIT