mizchi · October 9, 2025 11:49
diff --git a/discord-oidc-worker.js b/discord-oidc-worker.js
 /**
 Discord Auth for Cloudflare Access

 based on https://github.com/Erisa/discord-oidc-worker

 # Create discord application

 - Get client id and secret
 - Set redirect URL to `https://<cloudflare-name>.cloudflareaccess.com/cdn-cgi/access/callback`

 # Set oidc.json

 oidc.json
 {
  "clientId": "<discord-client-id>",
  "clientSecret": "<discord-secret>",
  "redirectURL": "https://<cloudflare-name>.cloudflareaccess.com/cdn-cgi/access/callback",
  "serversToCheckRolesFor": ["<discord-server-id-to-check>"]
 }

 # Wrangler with KV

 ```
 $ npx wrangler kv:namespace create discord-popopo-keys
 ```

 wrangler.json
 {
  "name": "discord-popopo-oidc",
  "compatibility_date": "2025-10-08",
  "main": "main.js",
  "kv_namespaces": [
    {
      "binding": "KV",
      "id": "<kv-namespace-id>"
    }
  ]
 }

 deploy `wrangler deploy`

 ## Cloudflare Access Settings

 - Cloudflare Access -> Application

 https://one.dash.cloudflare.com/<your-cf-id>/settings/authentication

 - Login method -> Add new -> OIDC
  - App ID => `<discord-client-id>`
  - Secret => `<discord-client-secret>`
  - Token URL => `<your-deployment-url>/token`
  - Auth URL => `<your-deployment-url>/authorize/guilds
  - Authorization URL => `<your-deployment-url>/token`
  - Certificate URL => `<your-deployment-url>/jwks.json`
  - PKCE => Enabled
  - OIDC Claims
    - id
    - email
    - discriminator
    - guilds

 Auth user

 - Compute(Workers) -> [Worker]
 - Settings -> Domain & Routes -> Cloudflare Access

 */
 import config from "./oidc.json" with { type: "json" };
 import { Hono } from "hono";
 import * as jose from "jose";

 const algorithm = {
  name: "RSASSA-PKCS1-v1_5",
  modulusLength: 2048,
  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
  hash: { name: "SHA-256" },
 };

 const importAlgo = {
  name: "RSASSA-PKCS1-v1_5",
  hash: { name: "SHA-256" },
 };

 async function loadOrGenerateKeyPair(KV) {
  let keyPair = {};
  let keyPairJson = await KV.get("keys", { type: "json" });

  if (keyPairJson !== null) {
    keyPair.publicKey = await crypto.subtle.importKey(
      "jwk",
      keyPairJson.publicKey,
      importAlgo,
      true,
      ["verify"]
    );
    keyPair.privateKey = await crypto.subtle.importKey(
      "jwk",
      keyPairJson.privateKey,
      importAlgo,
      true,
      ["sign"]
    );

    return keyPair;
  } else {
    keyPair = await crypto.subtle.generateKey(algorithm, true, [
      "sign",
      "verify",
    ]);

    await KV.put(
      "keys",
      JSON.stringify({
        privateKey: await crypto.subtle.exportKey("jwk", keyPair.privateKey),
        publicKey: await crypto.subtle.exportKey("jwk", keyPair.publicKey),
      })
    );

    return keyPair;
  }
 }

 const app = new Hono();

 app.get("/authorize/:scopemode", async (c) => {
  if (
    c.req.query("client_id") !== config.clientId ||
    c.req.query("redirect_uri") !== config.redirectURL ||
    !["guilds", "email"].includes(c.req.param("scopemode"))
  ) {
    return c.text("Bad request.", 400);
  }

  const params = new URLSearchParams({
    client_id: config.clientId,
    redirect_uri: config.redirectURL,
    response_type: "code",
    scope:
      c.req.param("scopemode") == "guilds"
        ? "identify email guilds"
        : "identify email",
    state: c.req.query("state"),
    prompt: "none",
  }).toString();

  return c.redirect("https://discord.com/oauth2/authorize?" + params);
 });

 app.post("/token", async (c) => {
  const body = await c.req.parseBody();
  const code = body["code"];
  const params = new URLSearchParams({
    client_id: config.clientId,
    client_secret: config.clientSecret,
    redirect_uri: config.redirectURL,
    code: code,
    grant_type: "authorization_code",
    scope: "identify email",
  }).toString();

  const r = await fetch("https://discord.com/api/v10/oauth2/token", {
    method: "POST",
    body: params,
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
    },
  }).then((res) => res.json());

  if (r === null) return new Response("Bad request.", { status: 400 });
  const userInfo = await fetch("https://discord.com/api/v10/users/@me", {
    headers: {
      Authorization: "Bearer " + r["access_token"],
    },
  }).then((res) => res.json());

  if (!userInfo["verified"]) return c.text("Bad request.", 400);

  let servers = [];

  const serverResp = await fetch(
    "https://discord.com/api/v10/users/@me/guilds",
    {
      headers: {
        Authorization: "Bearer " + r["access_token"],
      },
    }
  );

  if (serverResp.status === 200) {
    const serverJson = await serverResp.json();
    servers = serverJson.map((item) => {
      return item["id"];
    });
  }

  let roleClaims = {};

  if (c.env.DISCORD_TOKEN && "serversToCheckRolesFor" in config) {
    await Promise.all(
      config.serversToCheckRolesFor.map(async (guildId) => {
        if (servers.includes(guildId)) {
          let memberPromise = fetch(
            `https://discord.com/api/v10/guilds/${guildId}/members/${userInfo["id"]}`,
            {
              headers: {
                Authorization: "Bot " + c.env.DISCORD_TOKEN,
              },
            }
          );
          // i had issues doing this any other way?
          const memberResp = await memberPromise;
          const memberJson = await memberResp.json();

          roleClaims[`roles:${guildId}`] = memberJson.roles;
        }
      })
    );
  }

  let preferred_username = userInfo["username"];

  if (userInfo["discriminator"] && userInfo["discriminator"] !== "0") {
    preferred_username += `#${userInfo["discriminator"]}`;
  }

  let displayName = userInfo["global_name"] ?? userInfo["username"];

  const idToken = await new jose.SignJWT({
    iss: "https://cloudflare.com",
    aud: config.clientId,
    preferred_username,
    ...userInfo,
    ...roleClaims,
    email: userInfo["email"],
    global_name: userInfo["global_name"],
    name: displayName,
    guilds: servers,
  })
    .setProtectedHeader({ alg: "RS256" })
    .setExpirationTime("1h")
    .setAudience(config.clientId)
    .sign((await loadOrGenerateKeyPair(c.env.KV)).privateKey);

  return c.json({
    ...r,
    scope: "identify email",
    id_token: idToken,
  });
 });

 app.get("/jwks.json", async (c) => {
  let publicKey = (await loadOrGenerateKeyPair(c.env.KV)).publicKey;
  return c.json({
    keys: [
      {
        alg: "RS256",
        kid: "jwtRS256",
        ...(await crypto.subtle.exportKey("jwk", publicKey)),
      },
    ],
  });
 });

 export default app;
	/**
	Discord Auth for Cloudflare Access

	based on https://github.com/Erisa/discord-oidc-worker

	# Create discord application

	- Get client id and secret
	- Set redirect URL to `https://<cloudflare-name>.cloudflareaccess.com/cdn-cgi/access/callback`

	# Set oidc.json

	oidc.json
	{
	"clientId": "<discord-client-id>",
	"clientSecret": "<discord-secret>",
	"redirectURL": "https://<cloudflare-name>.cloudflareaccess.com/cdn-cgi/access/callback",
	"serversToCheckRolesFor": ["<discord-server-id-to-check>"]
	}

	# Wrangler with KV

	```
	$ npx wrangler kv:namespace create discord-popopo-keys
	```

	wrangler.json
	{
	"name": "discord-popopo-oidc",
	"compatibility_date": "2025-10-08",
	"main": "main.js",
	"kv_namespaces": [
	{
	"binding": "KV",
	"id": "<kv-namespace-id>"
	}
	]
	}

	deploy `wrangler deploy`

	## Cloudflare Access Settings

	- Cloudflare Access -> Application

	https://one.dash.cloudflare.com/<your-cf-id>/settings/authentication

	- Login method -> Add new -> OIDC
	- App ID => `<discord-client-id>`
	- Secret => `<discord-client-secret>`
	- Token URL => `<your-deployment-url>/token`
	- Auth URL => `<your-deployment-url>/authorize/guilds
	- Authorization URL => `<your-deployment-url>/token`
	- Certificate URL => `<your-deployment-url>/jwks.json`
	- PKCE => Enabled
	- OIDC Claims
	- id
	- email
	- discriminator
	- guilds

	Auth user

	- Compute(Workers) -> [Worker]
	- Settings -> Domain & Routes -> Cloudflare Access

	*/
	import config from "./oidc.json" with { type: "json" };
	import { Hono } from "hono";
	import * as jose from "jose";

	const algorithm = {
	name: "RSASSA-PKCS1-v1_5",
	modulusLength: 2048,
	publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
	hash: { name: "SHA-256" },
	};

	const importAlgo = {
	name: "RSASSA-PKCS1-v1_5",
	hash: { name: "SHA-256" },
	};

	async function loadOrGenerateKeyPair(KV) {
	let keyPair = {};
	let keyPairJson = await KV.get("keys", { type: "json" });

	if (keyPairJson !== null) {
	keyPair.publicKey = await crypto.subtle.importKey(
	"jwk",
	keyPairJson.publicKey,
	importAlgo,
	true,
	["verify"]
	);
	keyPair.privateKey = await crypto.subtle.importKey(
	"jwk",
	keyPairJson.privateKey,
	importAlgo,
	true,
	["sign"]
	);

	return keyPair;
	} else {
	keyPair = await crypto.subtle.generateKey(algorithm, true, [
	"sign",
	"verify",
	]);

	await KV.put(
	"keys",
	JSON.stringify({
	privateKey: await crypto.subtle.exportKey("jwk", keyPair.privateKey),
	publicKey: await crypto.subtle.exportKey("jwk", keyPair.publicKey),
	})
	);

	return keyPair;
	}
	}

	const app = new Hono();

	app.get("/authorize/:scopemode", async (c) => {
	if (
	c.req.query("client_id") !== config.clientId \|\|
	c.req.query("redirect_uri") !== config.redirectURL \|\|
	!["guilds", "email"].includes(c.req.param("scopemode"))
	) {
	return c.text("Bad request.", 400);
	}

	const params = new URLSearchParams({
	client_id: config.clientId,
	redirect_uri: config.redirectURL,
	response_type: "code",
	scope:
	c.req.param("scopemode") == "guilds"
	? "identify email guilds"
	: "identify email",
	state: c.req.query("state"),
	prompt: "none",
	}).toString();

	return c.redirect("https://discord.com/oauth2/authorize?" + params);
	});

	app.post("/token", async (c) => {
	const body = await c.req.parseBody();
	const code = body["code"];
	const params = new URLSearchParams({
	client_id: config.clientId,
	client_secret: config.clientSecret,
	redirect_uri: config.redirectURL,
	code: code,
	grant_type: "authorization_code",
	scope: "identify email",
	}).toString();

	const r = await fetch("https://discord.com/api/v10/oauth2/token", {
	method: "POST",
	body: params,
	headers: {
	"Content-Type": "application/x-www-form-urlencoded",
	},
	}).then((res) => res.json());

	if (r === null) return new Response("Bad request.", { status: 400 });
	const userInfo = await fetch("https://discord.com/api/v10/users/@me", {
	headers: {
	Authorization: "Bearer " + r["access_token"],
	},
	}).then((res) => res.json());

	if (!userInfo["verified"]) return c.text("Bad request.", 400);

	let servers = [];

	const serverResp = await fetch(
	"https://discord.com/api/v10/users/@me/guilds",
	{
	headers: {
	Authorization: "Bearer " + r["access_token"],
	},
	}
	);

	if (serverResp.status === 200) {
	const serverJson = await serverResp.json();
	servers = serverJson.map((item) => {
	return item["id"];
	});
	}

	let roleClaims = {};

	if (c.env.DISCORD_TOKEN && "serversToCheckRolesFor" in config) {
	await Promise.all(
	config.serversToCheckRolesFor.map(async (guildId) => {
	if (servers.includes(guildId)) {
	let memberPromise = fetch(
	`https://discord.com/api/v10/guilds/${guildId}/members/${userInfo["id"]}`,
	{
	headers: {
	Authorization: "Bot " + c.env.DISCORD_TOKEN,
	},
	}
	);
	// i had issues doing this any other way?
	const memberResp = await memberPromise;
	const memberJson = await memberResp.json();

	roleClaims[`roles:${guildId}`] = memberJson.roles;
	}
	})
	);
	}

	let preferred_username = userInfo["username"];

	if (userInfo["discriminator"] && userInfo["discriminator"] !== "0") {
	preferred_username += `#${userInfo["discriminator"]}`;
	}

	let displayName = userInfo["global_name"] ?? userInfo["username"];

	const idToken = await new jose.SignJWT({
	iss: "https://cloudflare.com",
	aud: config.clientId,
	preferred_username,
	...userInfo,
	...roleClaims,
	email: userInfo["email"],
	global_name: userInfo["global_name"],
	name: displayName,
	guilds: servers,
	})
	.setProtectedHeader({ alg: "RS256" })
	.setExpirationTime("1h")
	.setAudience(config.clientId)
	.sign((await loadOrGenerateKeyPair(c.env.KV)).privateKey);

	return c.json({
	...r,
	scope: "identify email",
	id_token: idToken,
	});
	});

	app.get("/jwks.json", async (c) => {
	let publicKey = (await loadOrGenerateKeyPair(c.env.KV)).publicKey;
	return c.json({
	keys: [
	{
	alg: "RS256",
	kid: "jwtRS256",
	...(await crypto.subtle.exportKey("jwk", publicKey)),
	},
	],
	});
	});

	export default app;
No results found