Self-hosted auth server Tinyauth gets official OpenID Connect certification
Tinyauth is a lightweight and authorization server, positioned as an alternative to Authentik and Keycloak. It works two ways: as forward-auth middleware that sits between a and apps lacking their own login system, and as an OIDC provider that centralizes login across multiple apps. It's compatible with proxies like Traefik, Nginx, Caddy, and Envoy.
With version 5.1.0, its OIDC provider earned Basic OP certification from the OpenID Foundation, granted at no cost. New features include Kubernetes annotation-based s (useful for k3s setups), a deny-by-default access policy, a stable -file format as an alternative to CLI flags or , and login via Tailscale connections.
Key points
- Earned Basic OP certification from the OpenID Foundation in v5.1.0
- Supports both forward-auth (proxy-level protection) and OIDC provider (centralized login) modes
- Added Kubernetes annotation-based , deny-by-default policy, a stable config file, and Tailscale login
- Works with major proxies: Traefik, Nginx, Caddy, Envoy
- A lighter, simpler self-hosted alternative to Authentik or Keycloak