oauth2-proxy/docs/5_endpoints.md

---
layout: default
title: Endpoints
permalink: /endpoints
nav_order: 5
---

## Endpoint Documentation

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.

- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
- /ping - returns a 200 OK response, which is intended for use with health checks
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
- /oauth2/sign_out - this URL is used to clear the session cookie
- /oauth2/start - a URL that will redirect to start the OAuth cycle
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
- /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
- /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the [Nginx `auth_request` directive](#nginx-auth-request)

### Sign out

To sign the user out, redirect them to `/oauth2/sign_out`. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the `rd` query parameter, i.e. redirect the user to something like (notice the url-encoding!):

```
/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page
```

Alternatively, include the redirect URL in the `X-Auth-Request-Redirect` header:

```
GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...
```

(The "sign_out_page" should be the [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1) from [the metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (`my-oidc-provider.example.com` in the example) must be added to the [`--whitelist-domain`](configuration) configuration option otherwise the redirect will be ignored.
split README.MD into pages 2019-03-26 18:04:59 +02:00			`---`
			`layout: default`
			`title: Endpoints`
			`permalink: /endpoints`
			`nav_order: 5`
			`---`

			`## Endpoint Documentation`

			OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.

			`- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info`
			`- /ping - returns a 200 OK response, which is intended for use with health checks`
			`- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)`
Add sign_out endpoint to endpoint documentation page (#383) 2020-02-05 18:28:51 +02:00			`- /oauth2/sign_out - this URL is used to clear the session cookie`
split README.MD into pages 2019-03-26 18:04:59 +02:00			`- /oauth2/start - a URL that will redirect to start the OAuth cycle`
			`- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.`
Added userinfo endpoint (#300) * Added userinfo endpoint * Added documentation for the userinfo endpoint * Update oauthproxy.go Co-Authored-By: Dan Bond <pm@danbond.io> * Suggested fixes : Streaming json to rw , header set after error check * Update oauthproxy.go Co-Authored-By: Dan Bond <pm@danbond.io> * fix session.Email * Ported tests and updated changelog 2019-11-08 00:38:36 +02:00			`- /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.`
split README.MD into pages 2019-03-26 18:04:59 +02:00			- /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the [Nginx `auth_request` directive](#nginx-auth-request)
Document how to use the sign_out endpoint (#443) Fixes #441 + a minor link fix 2020-03-14 12:07:23 +02:00
			`### Sign out`

Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:54:36 +02:00			To sign the user out, redirect them to `/oauth2/sign_out`. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the `rd` query parameter, i.e. redirect the user to something like (notice the url-encoding!):
Document how to use the sign_out endpoint (#443) Fixes #441 + a minor link fix 2020-03-14 12:07:23 +02:00
			```
			`/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page`
			```

			Alternatively, include the redirect URL in the `X-Auth-Request-Redirect` header:

			```
			`GET /oauth2/sign_out HTTP/1.1`
			`X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page`
			`...`
			```
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:54:36 +02:00
Document how to use the sign_out endpoint (#443) Fixes #441 + a minor link fix 2020-03-14 12:07:23 +02:00			(The "sign_out_page" should be the [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1) from [the metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) if your OIDC provider supports Session Management and Discovery.)

Use double dashes in docs (#530) We only supports double dash (`--`) now, so update docs to reflect this. 2020-05-09 16:39:47 +02:00			BEWARE that the domain you want to redirect to (`my-oidc-provider.example.com` in the example) must be added to the [`--whitelist-domain`](configuration) configuration option otherwise the redirect will be ignored.