mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-04-23 12:18:50 +02:00


<!doctype html>
<html lang="en">
<head>
  <!-- Encoding, viewport and generator tag emitted by the static-site build. -->
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <meta name="generator" content="Docusaurus v2.0.0-alpha.66">

  <!-- Page metadata (the data-react-helmet entries): title, docs version tags, description and social-card fields. -->
  <title data-react-helmet="true">Session Storage | OAuth2 Proxy</title>
  <meta data-react-helmet="true" name="twitter:card" content="summary_large_image">
  <meta data-react-helmet="true" name="docusaurus_language" content="en">
  <meta data-react-helmet="true" name="docusaurus_version" content="7.1.x">
  <meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x">
  <meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy">
  <meta data-react-helmet="true" name="description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP">
  <meta data-react-helmet="true" property="og:description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP">
  <meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage">
  <link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg">
  <link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage">

  <!-- Stylesheet, then preload hints for the script bundles referenced at the end of <body>.
       Every asset URL here is a root-relative path under /oauth2-proxy/. -->
  <link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
  <link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
  <link rel="preload" href="/oauth2-proxy/runtime~main.fb9fd5a8.js" as="script">
  <link rel="preload" href="/oauth2-proxy/main.cbf36231.js" as="script">
  <link rel="preload" href="/oauth2-proxy/1.f1e55c3c.js" as="script">
  <link rel="preload" href="/oauth2-proxy/2.aa6394ae.js" as="script">
  <link rel="preload" href="/oauth2-proxy/48.92c41b73.js" as="script">
  <link rel="preload" href="/oauth2-proxy/50.68e502a3.js" as="script">
  <link rel="preload" href="/oauth2-proxy/cecf159a.959c6ebf.js" as="script">
  <link rel="preload" href="/oauth2-proxy/17896441.687011d6.js" as="script">
  <link rel="preload" href="/oauth2-proxy/1999cd7b.259ed10e.js" as="script">
</head>
<body>
<script>
  // Theme bootstrap: sets the data-theme attribute on <html> from the stored
  // preference, defaulting to "light".
  (function () {
    var storedTheme = null;
    try {
      storedTheme = localStorage.getItem("theme");
    } catch (err) {
      // Storage access threw (e.g. it is unavailable); keep null so the default applies.
    }
    // The stored string is applied with setAttribute, so it is only ever an
    // attribute value and is never parsed as markup.
    document.documentElement.setAttribute(
      "data-theme",
      storedTheme !== null ? storedTheme : "light"
    );
  })();
  // NOTE(review): as an inline script, this needs a hash or nonce entry if a
  // strict Content-Security-Policy is applied to the docs site.
</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/configuration/session_storage">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/configuration/session_storage">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" 
class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/configuration/session_storage">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/configuration/session_storage">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" 
stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list
requests to a service.</p><p>The OAuth2 Proxy uses a Cookie to track user sessions and will store the session
data in one of the available session storage backends.</p><p>At present the available backends are (as passed to <code>--session-store-type</code>):</p><ul><li><a href="#cookie-storage">cookie</a> (default)</li><li><a href="#redis-storage">redis</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="cookie-storage"></a>Cookie Storage<a aria-hidden="true" tabindex="-1" class="hash-link" href="#cookie-storage" title="Direct link to heading">#</a></h3><p>The Cookie storage backend is the default backend implementation and has
been used in the OAuth2 Proxy historically.</p><p>With the Cookie storage backend, all session information is stored in client
side cookies and transferred with each and every request.</p><p>Be aware of the following when using this implementation:</p><ul><li>Since all state is stored client side, this storage backend means that the OAuth2 Proxy is completely stateless</li><li>Cookies are signed server side to prevent modification client-side</li><li>It is mandatory to set a <code>cookie-secret</code>, which ensures that the session data within the cookie is encrypted.</li><li>Since multiple requests can be made concurrently to the OAuth2 Proxy, this session implementation
cannot lock sessions, and while sessions are being updated or refreshed there can be conflicts which force
users to re-authenticate</li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="redis-storage"></a>Redis Storage<a aria-hidden="true" tabindex="-1" class="hash-link" href="#redis-storage" title="Direct link to heading">#</a></h3><p>The Redis Storage backend stores sessions, encrypted, in redis. Rather than sending all the information
back to the client for storage, as in the <a href="#cookie-storage">Cookie storage</a>, a ticket is sent back
to the user as the cookie value instead.</p><p>A ticket is composed as follows:</p><p><code>{CookieName}-{ticketID}.{secret}</code></p><p>Where:</p><ul><li>The <code>CookieName</code> is the OAuth2 cookie name (_oauth2_proxy by default)</li><li>The <code>ticketID</code> is a 128-bit random number, hex-encoded</li><li>The <code>secret</code> is a 128-bit random number, base64url encoded (no padding). The secret is unique for every session.</li><li>The pair <code>{CookieName}-{ticketID}</code> forms the ticket handle and is therefore the redis key
under which the session is stored. The encoded session is encrypted with the secret and stored
in redis via the <code>SETEX</code> command.</li></ul><p>Encrypting every session with its own secret, which is carried in the ticket sent to the client and is not part of the redis key, protects the refresh/access/id tokens stored in the session from
disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="usage"></a>Usage<a aria-hidden="true" tabindex="-1" class="hash-link" href="#usage" title="Direct link to heading">#</a></h4><p>When using the redis store, specify <code>--session-store-type=redis</code> as well as the Redis connection URL, via
<code>--redis-connection-url=redis://host[:port][/db-number]</code>.</p><p>You may also configure the store for Redis Sentinel. In this case, you will want to use the
<code>--redis-use-sentinel=true</code> flag, as well as configure the flags <code>--redis-sentinel-master-name</code>
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster can be used as the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
<!-- Application script bundles, loaded in document order at the end of <body>.
     Each src matches one of the rel="preload" hints in <head>; all are
     root-relative paths under /oauth2-proxy/. -->
<script src="/oauth2-proxy/styles.f494e809.js"></script>
<script src="/oauth2-proxy/runtime~main.fb9fd5a8.js"></script>
<script src="/oauth2-proxy/main.cbf36231.js"></script>
<script src="/oauth2-proxy/1.f1e55c3c.js"></script>
<script src="/oauth2-proxy/2.aa6394ae.js"></script>
<script src="/oauth2-proxy/48.92c41b73.js"></script>
<script src="/oauth2-proxy/50.68e502a3.js"></script>
<script src="/oauth2-proxy/cecf159a.959c6ebf.js"></script>
<script src="/oauth2-proxy/17896441.687011d6.js"></script>
<script src="/oauth2-proxy/1999cd7b.259ed10e.js"></script>
</body>
</html>