2.1 Prerequisites
Domain Name
Before you even host Blink, you'll need a domain of your choosing (for example, https://bit.ly) and think about how you want Blink to shorten your links.
In the .env
file, you'll notice that there are HOMEPAGE
and BASE_URL
variables you can configure. The HOMEPAGE
is the page you are redirected to when you visit the "base" path (e.g. https://bit.ly -> https://bitly.com), and the BASE_URL
forms the "base" path of any link you shorten (e.g. with BASE_URL
of https://bit.ly, your shortened links will be https://bit.ly/abcd).
In fact, it's not even required to host Blink with the root domain (e.g. https://bit.ly) but instead use a subdomain as the BASE_URL
(e.g. https://links.bitly.com).
So far we have always specified the protocol (https://) in our links. Technically, you can omit the protocol and just set HOMEPAGE
/BASE_URL
to, say, bit.ly/bitly.com, but it is recommended that you:
- Always include https:// (and NOT http://)
- Strip out the www.
The links, once shortened, exhibit similar behaviour: by default, we always force https:// and strip out the www, so if you shorten http://www.nodejs.org or just www.nodejs.org, the shortened link will always redirect to https://nodejs.org instead.
Identity Provider
One thing you'll need no matter which approach you take to install Blink is an external identity provider (SSO) that speaks OIDC protocol. In short, it is a central place to register and manage users, and Blink will use the information provided by the SSO to provision users locally, without needing to get the user's credentials/passwords.
In general, any SSO nowadays support the OIDC protocol, which means Blink can work with it. SSOs with OIDC support include:
- Keycloak (which is what we use for development as well)
- Azure Active Directory
- Google Workspace Identity
- Okta
- Auth0
etc.
Note that if you only have LDAP directories, you can use Keycloak or similar "gateway" software (such as dex or any of the "commercial" SSO products) to expose your user directory via OIDC.
OIDC Configuration
Once you have your identity provider, you will need to configure the Blink server to talk to your SSO and the SSO to talk to the Blink server. I will use Keycloak's documentation for example below, but note that I am only using features that are part of the standard OIDC protocol, so the same process applies for all OIDC SSOs, whether you're using AD or Okta.
Client
First, you must create an OIDC client for Blink so that Blink can talk to the OIDC/SSO server. See https://www.keycloak.org/docs/latest/server_admin/#oidc-clients for an example of how to do so (similar principles/steps should apply for other SSO providers).
You'll need to find/set a client id (it may be autogenerated by your identity provider; if not, simply set it as blink-app
). Additionally, you should allow CORS/redirect to your BASE_URL
/*, so that once users have signed in with your SSO, it can redirect users back to Blink.
Once you're done, set the OIDC_CLIENT_ID
environment variable to the client ID of the OIDC client you just created, and set OIDC_ISSUER_BASE_URL
to the OIDC issuer's base url or its .well-known
endpoint if you happen to know it (the latter is recommended).
To learn more about how to set environment variables, please visit the Configuration page.
If you identity provider is reachable by both the public and private/internal network, use the internal address, as the provider will give out the public addresses via its .well-known
endpoint regardless. This is useful in cases where you are self-hosting your identity provider as well and communicates via the internal network (e.g. docker/docker-compose network).
OIDC Protocol
While the default settings should work in most cases, to be safe, you should configure the OIDC protocol of your client/realm/domain to work with Blink.
First, enable the Standard Flow protocol for accessing OIDC (it should be enabled by default in most cases). Blink does not use Implicit Flow or need Direct Access Grants to authenticate with your SSO.
Second, the provider should allow token_endpoint_auth_method
of none
(again, in most cases, it should by default). This allows Blink to authenticate with your identity provider without passing out the OIDC client secret. You can check with your identity provider's OIDC .well-known endpoint to see if none
is a supported method.
The reason we are able to use the token endpoint without authenticating with the client secret is that we use an asymmetric signing algorithm (such as RS256) to verify whatever tokens we get back without the need for a client secret!
And as the asymmetric signing algorithm may suggest, this means that Blink is indeed a public application (which means a very specific thing in the OAuth2 spec), not expected to hold any secrets. Therefore, you should ensure that the OIDC provider does support public applications like this.
themoreyouknow.gif