gitwtfhub

wtf is go-sso?

fanhuacloud/go-sso — explained in plain English

Analysis updated 2026-07-18

33GoAudience · ops devopsComplexity · 3/5Setup · moderate

TL;DR

A minimal, single-binary Go server that acts as an OpenID Connect identity provider so you can connect your own login system to ChatGPT Enterprise's SSO feature, with no external database needed.

Mindmap

mindmap
  root((go-sso))
    What it does
      OIDC identity provider
      Signs JWT tokens
      Connects to ChatGPT Enterprise
    Tech Stack
      Go
      RSA JWT signing
      Single binary
    Use Cases
      Restrict login by email domain
      Issue OIDC tokens
      Run behind a reverse proxy
    Audience
      Ops or DevOps teams
      Self-hosters

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Give ChatGPT Enterprise a simple, self-hosted SSO identity provider without standing up a full auth platform.

REASON 2

Restrict login to users with an email address matching an approved domain suffix, like @example.edu.

REASON 3

Run a compact identity provider as a single binary with no external database to manage.

REASON 4

Deploy behind Nginx or Caddy for TLS, or use the server's built-in HTTPS support directly.

What's in the stack?

GoOIDCJWT

How it stacks up

fanhuacloud/go-sso0hardik1/kubesplaininghuoji120/code_review_agent
Stars333333
LanguageGoGoGo
Setup difficultymoderateeasymoderate
Complexity3/53/53/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 1h+

Requires a publicly reachable HTTPS issuer URL, and a fixed private key file for stable production tokens.

Wtf does this do

This is a minimal single sign-on (SSO) server written in Go that implements the OpenID Connect (OIDC) protocol. It is designed specifically to act as the identity provider when connecting a self-hosted authentication system to ChatGPT Enterprise's SSO feature. The server is intentionally small: the whole project compiles to a single binary with no external database required. The way it works is straightforward. A user visits the server's login page and enters their email address and a fixed authorization code set in the server's configuration. If the email matches an allowed domain suffix (such as @example.edu) and the code is correct, the server signs a JWT token with an RSA key and returns it to the calling service. OpenAI's systems then verify that token against the server's public JWKS endpoint. All configuration lives in a single .env file. You set the OIDC issuer URL (which must be a publicly accessible HTTPS address for OpenAI to reach it), a client ID and secret, the allowed email suffixes, and the authorization code users must enter to log in. If you do not specify a private key file, the server generates a temporary RSA key on each startup, meaning the keys change after every restart. For production, the README recommends a fixed private key file. Optional features include Cloudflare Turnstile bot protection on the login page and direct HTTPS support built into the binary. The server can also run behind a reverse proxy like Nginx or Caddy, in which case it stays on HTTP internally and the proxy handles TLS. The README is written in Chinese. It covers running the server, building a Linux binary from Windows, configuring each .env value, applying for Cloudflare Turnstile keys, and both HTTPS options step by step. The issued ID tokens include the standard claims: sub, email, email_verified, given_name, and family_name.

Yoink these prompts

Prompt 1
Walk me through configuring the .env file for go-sso to restrict logins to my organization's email domain.
Prompt 2
Show me how to set up a fixed RSA private key file so my go-sso tokens stay valid across server restarts.
Prompt 3
Explain how go-sso's login flow issues and signs a JWT token for ChatGPT Enterprise to verify.
Prompt 4
Help me put go-sso behind an Nginx reverse proxy so it handles TLS while the server stays on HTTP internally.
Prompt 5
How do I enable Cloudflare Turnstile bot protection on the go-sso login page?

Frequently asked questions

wtf is go-sso?

A minimal, single-binary Go server that acts as an OpenID Connect identity provider so you can connect your own login system to ChatGPT Enterprise's SSO feature, with no external database needed.

What language is go-sso written in?

Mainly Go. The stack also includes Go, OIDC, JWT.

How hard is go-sso to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is go-sso for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.