Why this exists

Fluxer’s self-hosted SSO configuration expects a single OIDC provider. If you want to offer both Discord and GitHub sign-in, the simplest shape is a broker that presents both providers and speaks one OIDC issuer back to Fluxer. The repo includes a Cloudflare Worker app for this under fluxer_oidc_broker/.

What the broker does

  • Publishes /.well-known/openid-configuration and jwks.json
  • Accepts Fluxer’s authorization-code + PKCE flow
  • Shows a provider picker for Discord and GitHub
  • Exchanges the upstream OAuth code and fetches verified email claims
  • Returns OIDC access_token, id_token, and userinfo
  • Stores short-lived broker state and single-use auth codes in Workers KV

Worker deployment shape

The Worker lives in fluxer_oidc_broker/ and expects:
  • one KV namespace bound as OIDC_BROKER_KV
  • one downstream OIDC client for Fluxer itself
  • one RSA signing key in JWK form
  • one Discord OAuth app
  • one GitHub OAuth app

Required worker vars

Downstream Fluxer client

  • OIDC_ISSUER
  • OIDC_CLIENT_ID
  • OIDC_CLIENT_SECRET
  • OIDC_ALLOWED_REDIRECT_URIS
  • OIDC_PRIVATE_JWK

Branding and policy

  • OIDC_BRAND_NAME
  • OIDC_ALLOWED_EMAIL_DOMAINS
  • OIDC_DEFAULT_PROVIDER

Discord

  • DISCORD_CLIENT_ID
  • DISCORD_CLIENT_SECRET

GitHub

  • GITHUB_CLIENT_ID
  • GITHUB_CLIENT_SECRET

Upstream callback URLs

Register these callback URLs in the upstream OAuth apps:
  • Discord: https://YOUR_ISSUER/callback/discord
  • GitHub: https://YOUR_ISSUER/callback/github

Fluxer admin SSO settings

Set Fluxer’s SSO config to point at the broker issuer.
  • Issuer: https://YOUR_ISSUER
  • Client ID: OIDC_CLIENT_ID
  • Client Secret: OIDC_CLIENT_SECRET
  • Scope: openid email profile
Fluxer can discover the remaining endpoints from the broker’s OIDC metadata automatically.

Generate the signing key

From fluxer_oidc_broker/: 
npm install
npm run keys
That prints a private RSA JWK suitable for OIDC_PRIVATE_JWK.

Create the KV namespace

npx wrangler kv namespace create OIDC_BROKER_KV
npx wrangler kv namespace create OIDC_BROKER_KV --preview
Copy the returned IDs into fluxer_oidc_broker/wrangler.toml.

Deploy

cd fluxer_oidc_broker
npm install
npx wrangler deploy

Practical caveat

The code path is complete, but the upstream Discord and GitHub OAuth apps still need their real client credentials configured before users can authenticate through the broker.