# docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny

This repository profile is provided by osrepos.com, an open source repository discovery platform.

Source: osrepos.com
Repository profile: https://osrepos.com/repo/11notes-docker-tinyauth
Generated for open source discovery and AI-assisted research.

docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.

GitHub: https://github.com/11notes/docker-tinyauth
OSRepos URL: https://osrepos.com/repo/11notes-docker-tinyauth

## Summary

docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.

## Topics

- Docker
- Authentication
- Middleware
- Go
- Security
- Container
- Rootless
- Distroless

## Repository Information

Last analyzed by OSRepos: Sun Oct 12 2025 16:01:10 GMT+0100 (Western European Summer Time)
Detail views: 8
GitHub clicks: 5

## Safety Notice

OSRepos shares public repositories for knowledge and discovery only. Review source code, dependencies, licenses, and security implications before running or installing anything.

## Content

## Introduction
**docker-tinyauth** provides a highly optimized and secure Docker image for TinyAuth, a simple yet powerful authentication middleware. TinyAuth is designed to add a login screen or integrate OAuth with providers like Google and GitHub to your Docker applications. It seamlessly supports popular proxies such as Traefik, Nginx, and Caddy, making it a versatile solution for securing access to your services. This repository focuses on delivering TinyAuth in a rootless, distroless, and truly tiny container, prioritizing security and efficiency.

## Installation
To get started with docker-tinyauth, you can pull the image from various registries. It's recommended to use a specific version tag for stability, for example, `4.0.0`.

bash
docker pull 11notes/tinyauth:4.0.0
# Or from other registries:
docker pull ghcr.io/11notes/tinyauth:4.0.0
docker pull quay.io/11notes/tinyauth:4.0.0


For a basic setup using Docker Compose, you can define the `tinyauth` service as follows. Remember to replace placeholder values like `${FQDN_TINYAUTH}`, `${SECRET}`, and the default `USERS` password with your own secure configurations.

yaml
services:
  tinyauth:
    image: "11notes/tinyauth:4.0.0"
    read_only: true
    environment:
      APP_URL: "https://${FQDN_TINYAUTH}"
      # secret must be a 32 Byte long string (32 characters)
      SECRET: ${SECRET}
      # admin / admin, please do not use in production!
      USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
      - "traefik.http.routers.tinyauth.entrypoints=https"
      - "traefik.http.routers.tinyauth.tls=true"
      - "traefik.http.routers.tinyauth.service=tinyauth"
      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
    networks:
      - backend

For more details on changing the default UID/GID, consult the [how-to.changeUIDGID](https://github.com/11notes/RTFM/blob/main/linux/container/image/11notes/how-to.changeUIDGID.md#change-uidgid-the-correct-way){target="_blank"} section of the [RTFM](https://github.com/11notes/RTFM){target="_blank"}.

## Examples
The provided `docker-compose.yml` in the repository demonstrates a comprehensive setup integrating `tinyauth` with Traefik, `socket-proxy`, and a `whoami` service to showcase its functionality. The `tinyauth` service is configured with Traefik labels to enable forward authentication, securing access to other services like `whoami`.

yaml
services:
  tinyauth:
    image: "11notes/tinyauth:4.0.0"
    read_only: true
    environment:
      APP_URL: "https://${FQDN_TINYAUTH}"
      SECRET: ${SECRET}
      USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
      - "traefik.http.routers.tinyauth.entrypoints=https"
      - "traefik.http.routers.tinyauth.tls=true"
      - "traefik.http.routers.tinyauth.service=tinyauth"
      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
    networks:
      backend:

  whoami:
    image: "traefik/whoami:latest"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.middlewares=tinyauth" # This line applies tinyauth middleware
      - "traefik.http.routers.whoami.service=whoami"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      backend:

In this example, the `whoami` service is protected by the `tinyauth` middleware, meaning users must authenticate via TinyAuth before accessing `whoami`.

## Why use docker-tinyauth?
This Docker image stands out due to its extreme focus on security, simplicity, and optimization. Here are the key reasons to choose `11notes/tinyauth`:
*   **Rootless Execution**: Runs as user `1000:1000`, significantly reducing potential attack surfaces.
*   **Distroless**: The image has no shell and is built on a minimal `scratch` base with only essential components, further enhancing security by removing unnecessary binaries.
*   **Truly Tiny**: At just 12MB, it's remarkably small, leading to faster downloads and reduced resource consumption compared to other images (e.g., `steveiliop56/tinyauth` at 35MB).
*   **Automated Updates**: Continuously updated to the latest version via CI/CD, ensuring you always have the most recent features and security patches.
*   **Health Checks**: Includes a built-in health check for reliable service monitoring.
*   **Read-Only Operation**: Designed to run in read-only mode for enhanced security.
*   **CVE Scanning**: Automatically scanned for Common Vulnerabilities and Exposures (CVEs) both before and after publishing.
*   **Secure CI/CD**: Created via a secure and pinned CI/CD process, guaranteeing integrity from build to deployment.

If you prioritize robust security, minimal footprint, and streamlined operations for your authentication middleware, `docker-tinyauth` is an excellent choice.

## Links
*   **GitHub Repository**: [https://github.com/11notes/docker-tinyauth](https://github.com/11notes/docker-tinyauth){target="_blank"}
*   **Docker Hub**: [https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0](https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0){target="_blank"}
*   **GitHub Container Registry (GHCR)**: `ghcr.io/11notes/tinyauth:4.0.0`
*   **Quay.io**: `quay.io/11notes/tinyauth:4.0.0`
*   **Original TinyAuth Project**: [https://github.com/steveiliop56/tinyauth](https://github.com/steveiliop56/tinyauth){target="_blank"}
*   **Parent Image (distroless)**: [https://github.com/11notes/docker-distroless](https://github.com/11notes/docker-distroless){target="_blank"}