Authentication middleware that secures WAI application

MIT licensed by Alexey Kuleshevich
Maintained by [email protected]


Middleware that secures WAI application


$ stack install wai-middleware-auth


$ cabal install wai-middleware-auth


Along with the middleware, this package ships with an executable, wai-auth, which can function as a protected file server or a reverse proxy. Out of the box it supports OAuth2 authentication as well as its custom implementations for Google and GitHub.

Configuration is done using a YAML config file. Here is a sample file that will configure wai-auth to run a file server with Google and GitHub authentication on http://localhost:3000:

app_root: "_env:APPROOT:http://localhost:3000"
app_port: 3000
cookie_age: 3600
secret_key: "...+vwscbKR4DyPT"
file_server:
  root_folder: "/path/to/html/files"
  redirect_to_index: true
  add_trailing_slash: true
providers:
  github:
    client_id: "...94cc"
    client_secret: "...166f"
    app_name: "Dev App for wai-middleware-auth"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"
  google:
    client_id: "...qlj.apps.googleusercontent.com"
    client_secret: "...oxW"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"

The above configuration will also block access to users who don't have an email address in the example.com domain. There is also a secret_key field, which is used to encrypt the session cookie. To generate a new random key, run this command:

$ echo $(wai-auth key --base64)

Make sure you have the proper callback/redirect URLs registered with the Google/GitHub apps, e.g. http://localhost:3000/_auth_middleware/google/complete.

Once the configuration file is ready, running the application is very easy:

$ wai-auth --config-file=/path/to/config.yaml
Listening on port 3000
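A check for whitelist patterns of the form used in the sample configuration, flagging missing anchors and an unescaped dot in the domain. This is an added example, not code from wai-middleware-auth: it evaluates the patterns with Python's `re` as an assumption about matching behaviour, and `audit_pattern`, `allowed` and all sample addresses are constructed for illustration.

```python
import re

# Assumption: patterns are evaluated with Python's `re` in search mode; the
# middleware's own regex engine and matching mode are not shown on the page.
SAMPLE = r"^[a-zA-Z0-9._%+-]+@example.com$"     # form used in the sample config
HARDENED = r"^[a-zA-Z0-9._%+-]+@example\.com$"  # dot in the domain escaped
UNANCHORED = r"[a-zA-Z0-9._%+-]+@example.com"   # constructed weak variant


def audit_pattern(pattern):
    """Return findings for one whitelist regex (hypothetical helper)."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("missing ^ anchor")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        findings.append("missing $ anchor")
    if "@" in pattern:
        domain = pattern.rsplit("@", 1)[-1]
        # An unescaped '.' in the domain matches any character, not only a dot.
        if re.search(r"(?<!\\)\.", domain):
            findings.append("unescaped . in domain")
    return findings


def allowed(email, patterns):
    """True if any pattern matches somewhere in the email, so anchors matter."""
    return any(re.search(p, email) for p in patterns)


def report(emails, patterns):
    """Map each constructed email to the list of patterns that accept it."""
    return {e: [p for p in patterns if allowed(e, [p])] for e in emails}


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the page.
    emails = [
        "alice@example.com",             # intended to pass
        "alice@exampleXcom",             # passes only where '.' is unescaped
        "alice@example.com.other.test",  # passes only where '$' is missing
    ]
    for pat in (SAMPLE, HARDENED, UNANCHORED):
        print(pat, "->", audit_pattern(pat) or "ok")
    for email, accepted_by in report(emails, [SAMPLE, HARDENED, UNANCHORED]).items():
        print(email, "accepted by", accepted_by)
```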


  • Compatibility with hoauth2-1.3.0 - fixed: #4

  • Implemented compatibility with hoauth2 >= 1.0.0 - fixed: #3

  • Disallow empty userIdentity to produce a successful login.
  • Produces a 404 on /favicon.ico page if not logged in: workaround for issue with Chrome requesting it first and messing up the redirect URL.
  • Added jQuery to the template, since it's Bootstrap's requirement.

  • Fixed whitelist email regex matching for Github and Google auth.

  • Initial implementation.