We reserve the right to make breaking changes to the features detailed within this page with no notice.</p><p>Options described in this page may be changed, removed, renamed or moved without prior warning.
Please beware of this before you use alpha configuration options.</p></div></div><p>This page details a set of <strong>alpha</strong> configuration options in a new format.
Going forward we are intending to add structured configuration in YAML format to
replace the existing TOML based configuration file and flags.</p><p>Below is a reference for the structure of the configuration, with
of the new configuration format.</p><h2class="anchor anchorWithStickyNavbar_LWe7"id="using-alpha-configuration">Using Alpha Configuration<ahref="#using-alpha-configuration"class="hash-link"aria-label="Direct link to Using Alpha Configuration"title="Direct link to Using Alpha Configuration"></a></h2><p>To use the new <strong>alpha</strong> configuration, generate a YAML file based on the format
described in the <ahref="#configuration-reference">reference</a> below.</p><p>Provide the path to this file using the <code>--alpha-config</code> flag.</p><divclass="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><divclass="admonitionHeading_tbUL"><spanclass="admonitionIcon_kALy"><svgviewBox="0 0 14 16"><pathfill-rule="evenodd"d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><divclass="admonitionContent_S0QG"><p>When using the <code>--alpha-config</code> flag, some options are no longer available.
See <ahref="#removed-options">removed options</a> below for more information.</p></div></div><h3class="anchor anchorWithStickyNavbar_LWe7"id="converting-configuration-to-the-new-structure">Converting configuration to the new structure<ahref="#converting-configuration-to-the-new-structure"class="hash-link"aria-label="Direct link to Converting configuration to the new structure"title="Direct link to Converting configuration to the new structure"></a></h3><p>Before adding the new <code>--alpha-config</code> option, start OAuth2 Proxy using the
<code>convert-config-to-alpha</code> flag to convert existing configuration to the new format.</p><divclass="language-bash codeBlockContainer_Ckt0 theme-code-block"style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><divclass="codeBlockContent_biex"><pretabindex="0"class="prism-code language-bash codeBlock_bY9V thin-scrollbar"><codeclass="codeBlockLines_e6Vv"><spanclass="token-line"style="color:#bfc7d5"><spanclass="token plain">oauth2-proxy --convert-config-to-alpha --config ./path/to/existing/config.cfg</span><br></span></code></pre><divclass="buttonGroup__atx"><buttontype="button"aria-label="Copy code to clipboard"title="Copy"class="clean-btn"><spanclass="copyButtonIcons_eSgA"aria-hidden="true"><svgviewBox="0 0 24 24"class="copyButtonIcon_y97N"><pathfill="currentColor"d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svgviewBox="0 0 24 24"class="copyButtonSuccessIcon_LjdS"><pathfill="currentColor"d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>This will convert any options supported by the new format to YAML and print the
the new config.</p><divclass="language-bash codeBlockContainer_Ckt0 theme-code-block"style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><divclass="codeBlockContent_biex"><pretabindex="0"class="prism-code language-bash codeBlock_bY9V thin-scrollbar"><codeclass="codeBlockLines_e6Vv"><spanclass="token-line"style="color:#bfc7d5"><spanclass="token plain">oauth2-proxy --alpha-config ./path/to/new/config.yaml --config ./path/to/existing/config.cfg</span><br></span></code></pre><divclass="buttonGroup__atx"><buttontype="button"aria-label="Copy code to clipboard"title="Copy"class="clean-btn"><spanclass="copyButtonIcons_eSgA"aria-hidden="true"><svgviewBox="0 0 24 24"class="copyButtonIcon_y97N"><pathfill="currentColor"d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svgviewBox="0 0 24 24"class="copyButtonSuccessIcon_LjdS"><pathfill="currentColor"d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h2class="anchor anchorWithStickyNavbar_LWe7"id="removed-options">Removed options<ahref="#removed-options"class="hash-link"aria-label="Direct link to Removed options"title="Direct link to Removed options"></a></h2><p>The following flags/options and their respective environment variables are no
longer available when using alpha configuration:</p><ul><li><code>flush-interval</code>/<code>flush_interval</code></li><li><code>pass-host-header</code>/<code>pass_host_header</code></li><li><code>proxy-websockets</code>/<code>proxy_websockets</code></li><li><code>ssl-upstream-insecure-skip-verify</code>/<code>ssl_upstream_insecure_skip_verify</code></li><li><code>upstream</code>/<code>upstreams</code></li></ul><ul><li><code>pass-basic-auth</code>/<code>pass_basic_auth</code></li><li><code>pass-access-token</code>/<code>pass_access_token</code></li><li><code>pass-user-headers</code>/<code>pass_user_headers</code></li><li><code>pass-authorization-header</code>/<code>pass_authorization_header</code></li><li><code>set-basic-auth</code>/<code>set_basic_auth</code></li><li><code>set-xauthrequest</code>/<code>set_xauthrequest</code></li><li><code>set-authorization-header</code>/<code>set_authorization_header</code></li><li><code>prefer-email-to-user</code>/<code>prefer_email_to_user</code></li><li><code>basic-auth-password</code>/<code>basic_auth_password</code></li><li><code>skip-auth-strip-headers</code>/<code>skip_auth_strip_headers</code></li></ul><p>Attempting to use these options via flags or via config when <code>--alpha-config</code>
set will result in an error.</p><divclass="theme-admonition theme-admonition-important alert alert--info admonition_LlT9"><divclass="admonitionHeading_tbUL"><spanclass="admonitionIcon_kALy"><svgviewBox="0 0 14 16"><pathfill-rule="evenodd"d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><divclass="admonitionContent_S0QG"><p>You must remove these options before starting OAuth2 Proxy with <code>--alpha-config</code></p></div></div><h2class="anchor anchorWithStickyNavbar_LWe7"id="configuration-reference">Configuration Reference<ahref="#configuration-reference"class="hash-link"aria-label="Direct link to Configuration Reference"title="Direct link to Configuration Reference"></a></h2><h3class="anchor anchorWithStickyNavbar_LWe7"id="alphaoptions">AlphaOptions<ahref="#alphaoptions"class="hash-link"aria-label="Direct link to AlphaOptions"title="Direct link to AlphaOptions"></a></h3><p>AlphaOptions contains alpha structured configuration options.
available as part of the primary configuration structure for OAuth2 Proxy.</p><divclass="theme-admonition theme-admonition-warning alert alert--danger admonition_LlT9"><divclass="admonitionHeading_tbUL"><spanclass="admonitionIcon_kALy"><svgviewBox="0 0 12 16"><pathfill-rule="evenodd"d="M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"></path></svg></span>danger</div><divclass="admonitionContent_S0QG"><p>The options within this structure are considered alpha.
They may change between releases without notice.</p></div></div><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>upstreams</code></td><td><em><ahref="#upstreams">Upstreams</a></em></td><td>Upstreams is used to configure upstream servers.<br>Once a user is authenticated, requests to the server will be proxied to<br>these upstream servers based on the path mappings defined in this list.</td></tr><tr><td><code>injectRequestHeaders</code></td><td><em><ahref="#header">[]Header</a></em></td><td>InjectRequestHeaders is used to configure headers that should be added<br>to requests to upstream servers.<br>Headers may source values from either the authenticated user's session<br>or from a static secret value.</td></tr><tr><td><code>injectResponseHeaders</code></td><td><em><ahref="#header">[]Header</a></em></td><td>InjectResponseHeaders is used to configure headers that should be added<br>to responses from the proxy.<br>This is typically used when using the proxy as an external authentication<br>provider in conjunction with another proxy such as NGINX and its<br>auth_request module.<br>Headers may source values from either the authenticated user's session<br>or from a static secret value.</td></tr><tr><td><code>server</code></td><td><em><ahref="#server">Server</a></em></td><td>Server is used to configure the HTTP(S) server for the proxy application.<br>You may choose to run both HTTP and HTTPS servers simultaneously.<br>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br>To use the secure server you must configure a TLS certificate and key.</td></tr><tr><td><code>metricsServer</code></td><td><em><ahref="#server">Server</a></em></td><td>MetricsServer is used to configure the HTTP(S) server for metrics.<br>You may choose to run both HTTP and HTTPS servers simultaneously.<br>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br>To use the secure server you must configure a TLS certificate and key.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="claimsource">ClaimSource<ahref="#claimsource"class="hash-link"aria-label="Direct link to ClaimSource"title="Direct link to ClaimSource"></a></h3><p>(<strong>Appears on:</strong><ahref="#headervalue">HeaderValue</a>)</p><p>ClaimSource allows loading a header value from a claim within the session</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>claim</code></td><td><em>string</em></td><td>Claim is the name of the claim in the session that the value should be<br>loaded from.</td></tr><tr><td><code>prefix</code></td><td><em>string</em></td><td>Prefix is an optional prefix that will be prepended to the value of the<br>claim if it is non-empty.</td></tr><tr><td><code>basicAuthPassword</code></td><td><em><ahref="#secretsource">SecretSource</a></em></td><td>BasicAuthPassword converts this claim into a basic auth header.<br>Note the value of claim will become the basic auth username and the<br>basicAuthPassword will be used as the password value.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="duration">Duration<ahref="#duration"class="hash-link"aria-label="Direct link to Duration"title="Direct link to Duration"></a></h3><h4class="anchor anchorWithStickyNavbar_LWe7"id="string-alias">(<code>string</code> alias)<ahref="#string-alias"class="hash-link"aria-label="Direct link to string-alias"title="Direct link to string-alias"></a></h4><p>(<strong>Appears on:</strong><ahref="#upstream">Upstream</a>)</p><p>Duration is as string representation of a period of time.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".</p><h3class="anchor anchorWithStickyNavbar_LWe7"id="header">Header<ahref="#header"class="hash-link"aria-label="Direct link to Header"title="Direct link to Header"></a></h3><p>(<strong>Appears on:</strong><ahref="#alphaoptions">AlphaOptions</a>)</p><p>Header represents an individual header that will be added to a request or
response header.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code></td><td><em>string</em></td><td>Name is the header name to be used for this set of values.<br>Names should be unique within a list of Headers.</td></tr><tr><td><code>preserveRequestValue</code></td><td><em>bool</em></td><td>PreserveRequestValue determines whether any values for this header<br>should be preserved for the request to the upstream server.<br>This option only applies to injected request headers.<br>Defaults to false (headers that match this header will be stripped).</td></tr><tr><td><code>values</code></td><td><em><ahref="#headervalue">[]HeaderValue</a></em></td><td>Values contains the desired values for this header</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="headervalue">HeaderValue<ahref="#headervalue"class="hash-link"aria-label="Direct link to HeaderValue"title="Direct link to HeaderValue"></a></h3><p>(<strong>Appears on:</strong><ahref="#header">Header</a>)</p><p>HeaderValue represents a single header value and the sources that can
make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr><tr><td><code>claim</code></td><td><em>string</em></td><td>Claim is the name of the claim in the session that the value should be<br>loaded from.</td></tr><tr><td><code>prefix</code></td><td><em>string</em></td><td>Prefix is an optional prefix that will be prepended to the value of the<br>claim if it is non-empty.</td></tr><tr><td><code>basicAuthPassword</code></td><td><em><ahref="#secretsource">SecretSource</a></em></td><td>BasicAuthPassword converts this claim into a basic auth header.<br>Note the value of claim will become the basic auth username and the<br>basicAuthPassword will be used as the password value.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="secretsource">SecretSource<ahref="#secretsource"class="hash-link"aria-label="Direct link to SecretSource"title="Direct link to SecretSource"></a></h3><p>(<strong>Appears on:</strong><ahref="#claimsource">ClaimSource</a>, <ahref="#headervalue">HeaderValue</a>, <ahref="#tls">TLS</a>)</p><p>SecretSource references an individual secret value.
Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="server">Server<ahref="#server"class="hash-link"aria-label="Direct link to Server"title="Direct link to Server"></a></h3><p>(<strong>Appears on:</strong><ahref="#alphaoptions">AlphaOptions</a>)</p><p>Server represents the configuration for an HTTP(S) server</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>BindAddress</code></td><td><em>string</em></td><td>BindAddress is the address on which to serve traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>SecureBindAddress</code></td><td><em>string</em></td><td>SecureBindAddress is the address on which to serve secure traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>TLS</code></td><td><em><ahref="#tls">TLS</a></em></td><td>TLS contains the information for loading the certificate and key for the<br>secure traffic.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="tls">TLS<ahref="#tls"class="hash-link"aria-label="Direct link to TLS"title="Direct link to TLS"></a></h3><p>(<strong>Appears on:</strong><ahref="#server">Server</a>)</p><p>TLS contains the information for loading a TLS certifcate and key.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>Key</code></td><td><em><ahref="#secretsource">SecretSource</a></em></td><td>Key is the TLS key data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>Cert</code></td><td><em><ahref="#secretsource">SecretSource</a></em></td><td>Cert is the TLS certificate data to use.<br>Typically this will come from a file.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="upstream">Upstream<ahref="#upstream"class="hash-link"aria-label="Direct link to Upstream"title="Direct link to Upstream"></a></h3><p>(<strong>Appears on:</strong><ahref="#upstreams">Upstreams</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <ahref="https://service.localhost"target="_blank"rel="noopener noreferrer">https://service.localhost</a><br>- <ahref="https://service.localhost/path"target="_blank"rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><ahref="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3class="anchor anchorWithStickyNavbar_LWe7"id="upstreams">Upstreams<ahref="#upstreams"class="hash-link"aria-label="Direct link to Upstreams"title="Direct link to Upstreams"></a></h3><h4class="anchor anchorWithStickyNavbar_LWe7"id="upstream-alias">(<ahref="#upstream">[]Upstream</a> alias)<ahref="#upstream-alias"class="hash-link"aria-label="Direct link to upstream-alias"title="Direct link to upstream-alias"></a></h4><p>(<strong>Appears on:</strong><ahref="#alphaoptions">AlphaOptions</a>)</p><p>Upstreams is a collection of definitions for upstream servers.</p></div><footerclass="theme-doc-footer docusaurus-mt-lg"><divclass="theme-doc-footer-edit-meta-row row"><divclass="col"><ahref="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/alpha_config.md"target="_blank"rel="noreferrer noopener"class="theme-edit-this-page"><svgfill="currentColor"height="20"width="20"viewBox="0 0 40 40"class="iconEdit_Z9Sw"aria-hidden="true"><g><pathd="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><divclass="col lastUpdated_vwxv"></div></div></footer></article><navclass="pagination-nav docusaurus-mt-lg"aria-label="Docs pages"><aclass="pagination-nav__link pagination-nav__link--prev"href="/oauth2-proxy/docs/7.1.x/configuration/tls"><divcla
