Use this broker when you want Fluxer to trust one OIDC issuer while still offering both Discord and GitHub sign-in. The Worker lives in fluxer_oidc_broker/.

Flow

  • Publishes /.well-known/openid-configuration and jwks.json
  • Accepts Fluxer’s authorization-code + PKCE flow
  • Shows a provider picker for Discord and GitHub
  • Exchanges the upstream OAuth code and fetches verified email claims
  • Returns OIDC access_token, id_token, and userinfo
  • Stores short-lived broker state and single-use auth codes in Workers KV

Requirements

The broker expects:
  • one KV namespace bound as OIDC_BROKER_KV
  • one downstream OIDC client for Fluxer itself
  • one RSA signing key in JWK form
  • one Discord OAuth app
  • one GitHub OAuth app

Worker variables

Fluxer client

  • OIDC_ISSUER
  • OIDC_CLIENT_ID
  • OIDC_CLIENT_SECRET
  • OIDC_ALLOWED_REDIRECT_URIS
  • OIDC_PRIVATE_JWK

Branding and policy

  • OIDC_BRAND_NAME
  • OIDC_ALLOWED_EMAIL_DOMAINS
  • OIDC_DEFAULT_PROVIDER

Discord

  • DISCORD_CLIENT_ID
  • DISCORD_CLIENT_SECRET

GitHub

  • GITHUB_CLIENT_ID
  • GITHUB_CLIENT_SECRET

Upstream callback URLs

Register these callback URLs in the Discord and GitHub OAuth apps:
  • Discord: https://YOUR_ISSUER/callback/discord
  • GitHub: https://YOUR_ISSUER/callback/github

Fluxer SSO settings

Point Fluxer’s SSO config at the broker issuer:
  • Issuer: https://YOUR_ISSUER
  • Client ID: OIDC_CLIENT_ID
  • Client Secret: OIDC_CLIENT_SECRET
  • Scope: openid email profile
  • Redirect URI: https://YOUR_FLUXER_HOST/auth/sso/callback
Fluxer can discover the remaining endpoints from the broker’s OIDC metadata automatically.

Generate the signing key

From fluxer_oidc_broker/:

  npm install
  npm run keys

That prints a private RSA JWK suitable for OIDC_PRIVATE_JWK.

Create the KV namespace

  npx wrangler kv namespace create OIDC_BROKER_KV
  npx wrangler kv namespace create OIDC_BROKER_KV --preview

Copy the returned IDs into fluxer_oidc_broker/wrangler.toml.

Deploy

  cd fluxer_oidc_broker
  npm install
  npx wrangler deploy

Before you enable SSO in Fluxer, set the real Discord and GitHub client credentials in the Worker and confirm both upstream callback URLs match the OAuth app settings.