The proxy that enables applications using OpenID Connect (OIDC) authentication to authenticate users through Discord's OAuth2 system.
English | Japanese
Cloudflare Workers + Hono + pnpm
What's this?
discord-oidc-proxy is a proxy that runs on Cloudflare Workers, allowing applications that use OpenID Connect (OIDC) authentication to authenticate users using their Discord accounts.
With discord-oidc-proxy, you can perform authentication and authorization in your application based on Discord usernames, user IDs, email addresses, whether the user belongs to a pre-configured server (guild), or role IDs.
The Discord API only provides OAuth2 endpoints and does not provide OIDC-compliant endpoints. This causes compatibility issues with applications that expect a standard OIDC flow. This proxy exposes OIDC-compliant endpoints (discovery, authorization, token, userinfo) while internally managing Discord's OAuth2 authentication. This allows for easy integration of Discord authentication with OIDC clients without requiring modifications to accommodate Discord's specific OAuth2 implementation.
Requirements
To run Discord OIDC Proxy, you need the following accounts and software:
- Discord Developer account (available at [Discord for Developers https://discord.com/developers/])
- Cloudflare account
- pnpm
- Signed-in wrangler (Cloudflare Workers CLI) (can be logged in with
wrangler login) - OpenSSL
Usage for Server
- Access the Discord Developer Portal and create an application.
- Open the OAuth2 page and make a note of the Client ID and Client Secret.
- Run
pnpx wrangler kv namespace create “AUTH_KV”to create Workers KV. - Replace
<YOUR_KV_NAMESPACE_ID>inwrangler.jsoncwith the generated KV ID. - Run
setup.shand follow the instructions to enter the Client ID and Client Secret. Make a note of the generated OIDC Client ID and OIDC Client Secret. - Run
pnpm install && pnpm releaseonce. - Replace
https://<YOUR_WORKERS>.workers.devinwrangler.jsoncwith the displayed deployment URL (https://hoge.workers.dev). - Run
pnpm releaseto complete.
Usage for Clients
About Scopes
The following shows the correspondence between scopes and retrievable claims.
| Scope | Claims |
|---|---|
| openid | sub |
| profile | name, preferred_username, picture, locale |
| email, email_verified | |
| guild | is_member_of_target_guild, roles |
Cloudflare Access
To use Discord as the authentication method for Cloudflare Access, click Add New under Cloudflare ZeroTrust > Settings > Authentication > Login Methods, select OpenID Connect (OIDC), and configure the settings as follows.
| Setting | Value |
|---|---|
| Name | Any name (e.g., Discord) |
| App ID | Generated OIDC Client ID |
| Client Secret | Generated OIDC Client Secret |
| Authentication URL | Deployment URL+“/authorize” |
| Token URL | Deployment URL+“/token” |
| Certificate URL | Deployment URL+“/.well-known/jwks.json” |
| Proof Key for Code Exchange (PKCE) | On |
Configuration Example
AWS Cognito
To use Discord as an authentication method for AWS Cognito, click Add Identity Provider under Cognito > User Pools > User Pool Name > Social Providers and External Providers, select OpenID Connect (OIDC), and configure the settings as follows.
| Setting Item | Value |
|---|---|
| Provider Name | Any name (e.g., Discord) |
| Client ID | Generated OIDC Client ID |
| Client Secret | Generated OIDC Client Secret |
| Allowed Scopes | Scopes of information to be retrieved via OIDC (e.g., openid, email, profile, identify) |
| Attribute Request Method | POST |
| Setup Method | Automatic input via Issuer URL |
| Issuer URL | Deployment URL |
Configuration example
| Configuration item | Value |
|---|---|
| Provider name | Discord |
| Client ID | 1234567890123 |
| Client secret | My.....secret |
| Authorized scope | openid email profile identify |
| Attribute request method | POST |
| Setup method | Automatic input via issuer URL |
| Issuer URL | Deployment destination URL |
Security
If you discover a security vulnerability in this software, please do NOT create an Issue or Pull Request. Instead, please report it using one of the following methods:
- Post GitHub's Security Advisory
- Contact taiseiue@wsnet.jp directly (PGP key available from OpenPGP)
If an Issue related to a security vulnerability is created, the information will be saved, but the Issue itself will be deleted.
Support
This project receives support from GMO FlattSecurity's “GMO Open Source Developer Support Program” and regularly conducts security assessments using “Takumi byGMO.”
I'd be grateful if you could support this project!
