diff --git a/0f425520.0ebb3fbb.js b/0f425520.0ebb3fbb.js
new file mode 100644
index 00000000..99fb7fe1
--- /dev/null
+++ b/0f425520.0ebb3fbb.js
@@ -0,0 +1 @@
+(window.webpackJsonp=window.webpackJsonp||[]).push([[6],{60:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return l})),a.d(t,"metadata",(function(){return i})),a.d(t,"rightToc",(function(){return c})),a.d(t,"default",(function(){return d}));var n=a(2),r=a(6),b=(a(0),a(96)),l={id:"overview",title:"Overview"},i={unversionedId:"configuration/overview",id:"configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via config file, command line options or environment variables.",source:"@site/docs/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",version:"current",sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},c=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[]},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[]}]}],o={rightToc:c};function d(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},o,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables"),"."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use ",Object(b.b)("inlineCode",{parentName:"p"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'")),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-paths")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gcp-healthchecks")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will enable ",Object(b.b)("inlineCode",{parentName:"td"},"/liveness_check"),", ",Object(b.b)("inlineCode",{parentName:"td"},"/readiness_check"),", and ",Object(b.b)("inlineCode",{parentName:"td"},"/")," (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider.  If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--metrics-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the address prometheus metrics will be scraped from"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/next/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--show-debug-on-error")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n  listen 443 ssl;\n  server_name ...;\n  include ssl/ssl.conf;\n\n  location /oauth2/ {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host                    $host;\n    proxy_set_header X-Real-IP               $remote_addr;\n    proxy_set_header X-Scheme                $scheme;\n    proxy_set_header X-Auth-Request-Redirect $request_uri;\n    # or, if you are handling multiple domains:\n    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n  }\n  location = /oauth2/auth {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host             $host;\n    proxy_set_header X-Real-IP        $remote_addr;\n    proxy_set_header X-Scheme         $scheme;\n    # nginx auth_request includes headers but not body\n    proxy_set_header Content-Length   "";\n    proxy_pass_request_body           off;\n  }\n\n  location / {\n    auth_request /oauth2/auth;\n    error_page 401 = /oauth2/sign_in;\n\n    # pass information via X-User and X-Email headers to backend,\n    # requires running with --set-xauthrequest flag\n    auth_request_set $user   $upstream_http_x_auth_request_user;\n    auth_request_set $email  $upstream_http_x_auth_request_email;\n    proxy_set_header X-User  $user;\n    proxy_set_header X-Email $email;\n\n    # if you enabled --pass-access-token, this will pass the token to the backend\n    auth_request_set $token  $upstream_http_x_auth_request_access_token;\n    proxy_set_header X-Access-Token $token;\n\n    # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n    auth_request_set $auth_cookie $upstream_http_set_cookie;\n    add_header Set-Cookie $auth_cookie;\n\n    # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n    # limit and so the OAuth2 Proxy splits these into multiple parts.\n    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n    # Extract the Cookie attributes from the first Set-Cookie header and append them\n    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n    if ($auth_cookie ~* "(; .*)") {\n        set $auth_cookie_name_0 $auth_cookie;\n        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n    }\n\n    # Send both Set-Cookie headers now if there was a second part\n    if ($auth_cookie_name_upstream_1) {\n        add_header Set-Cookie $auth_cookie_name_0;\n        add_header Set-Cookie $auth_cookie_name_1;\n    }\n\n    proxy_pass http://backend/;\n    # or "root /path/to/site;" or "fastcgi_pass ..." etc\n  }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n  auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n  access_by_lua_block {\n    if ngx.var.name_upstream_1 ~= "" then\n      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n    end\n  }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service:\n      rule: "Host(`a-service.example.com`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-errors\n        - oauth-auth\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth:\n      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n    oauth-errors:\n      errors:\n        status:\n          - "401-403"\n        service: oauth-backend\n        query: "/oauth2/sign_in"\n')),Object(b.b)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),Object(b.b)("p",null,"Redirect to sign_in functionality provided without the use of ",Object(b.b)("inlineCode",{parentName:"p"},"errors")," middleware with ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",Object(b.b)("inlineCode",{parentName:"p"},"/")," endpoint"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"Following options need to be set on ",Object(b.b)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--reverseproxy=true"),": Enables the use of ",Object(b.b)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service-route-1:\n      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    a-service-route-2:\n      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-auth-wo-redirect # unauthenticated session will return a 401\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    services-oauth2-route:\n      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth2-proxy-route:\n      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    b-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.3:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth-redirect:\n      forwardAuth:\n        address: https://oauth.example.com/\n        trustForwardHeader: true\n        authResponseHeaders:\n          - X-Auth-Request-Access-Token\n          - Authorization\n    oauth-auth-wo-redirect:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n        authResponseHeaders:\n          - X-Auth-Request-Access-Token\n          - Authorization\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}d.isMDXComponent=!0},96:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return j}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},O={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},s=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),s=n,j=p["".concat(l,".").concat(s)]||p[s]||O[s]||b;return a?r.a.createElement(j,i(i({ref:t},o),{},{components:a})):r.a.createElement(j,i({ref:t},o))}));function j(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=s;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}s.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/0f425520.c51701a7.js b/0f425520.c51701a7.js
deleted file mode 100644
index 00b9dcf0..00000000
--- a/0f425520.c51701a7.js
+++ /dev/null
@@ -1 +0,0 @@
-(window.webpackJsonp=window.webpackJsonp||[]).push([[6],{60:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return l})),a.d(t,"metadata",(function(){return i})),a.d(t,"rightToc",(function(){return c})),a.d(t,"default",(function(){return d}));var n=a(2),r=a(6),b=(a(0),a(96)),l={id:"overview",title:"Overview"},i={unversionedId:"configuration/overview",id:"configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via config file, command line options or environment variables.",source:"@site/docs/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",version:"current",sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},c=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[]}],o={rightToc:c};function d(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},o,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables"),"."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use ",Object(b.b)("inlineCode",{parentName:"p"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'")),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-paths")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gcp-healthchecks")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will enable ",Object(b.b)("inlineCode",{parentName:"td"},"/liveness_check"),", ",Object(b.b)("inlineCode",{parentName:"td"},"/readiness_check"),", and ",Object(b.b)("inlineCode",{parentName:"td"},"/")," (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider.  If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--metrics-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the address prometheus metrics will be scraped from"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/next/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--show-debug-on-error")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n  listen 443 ssl;\n  server_name ...;\n  include ssl/ssl.conf;\n\n  location /oauth2/ {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host                    $host;\n    proxy_set_header X-Real-IP               $remote_addr;\n    proxy_set_header X-Scheme                $scheme;\n    proxy_set_header X-Auth-Request-Redirect $request_uri;\n    # or, if you are handling multiple domains:\n    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n  }\n  location = /oauth2/auth {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host             $host;\n    proxy_set_header X-Real-IP        $remote_addr;\n    proxy_set_header X-Scheme         $scheme;\n    # nginx auth_request includes headers but not body\n    proxy_set_header Content-Length   "";\n    proxy_pass_request_body           off;\n  }\n\n  location / {\n    auth_request /oauth2/auth;\n    error_page 401 = /oauth2/sign_in;\n\n    # pass information via X-User and X-Email headers to backend,\n    # requires running with --set-xauthrequest flag\n    auth_request_set $user   $upstream_http_x_auth_request_user;\n    auth_request_set $email  $upstream_http_x_auth_request_email;\n    proxy_set_header X-User  $user;\n    proxy_set_header X-Email $email;\n\n    # if you enabled --pass-access-token, this will pass the token to the backend\n    auth_request_set $token  $upstream_http_x_auth_request_access_token;\n    proxy_set_header X-Access-Token $token;\n\n    # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n    auth_request_set $auth_cookie $upstream_http_set_cookie;\n    add_header Set-Cookie $auth_cookie;\n\n    # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n    # limit and so the OAuth2 Proxy splits these into multiple parts.\n    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n    # Extract the Cookie attributes from the first Set-Cookie header and append them\n    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n    if ($auth_cookie ~* "(; .*)") {\n        set $auth_cookie_name_0 $auth_cookie;\n        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n    }\n\n    # Send both Set-Cookie headers now if there was a second part\n    if ($auth_cookie_name_upstream_1) {\n        add_header Set-Cookie $auth_cookie_name_0;\n        add_header Set-Cookie $auth_cookie_name_1;\n    }\n\n    proxy_pass http://backend/;\n    # or "root /path/to/site;" or "fastcgi_pass ..." etc\n  }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n  auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n  access_by_lua_block {\n    if ngx.var.name_upstream_1 ~= "" then\n      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n    end\n  }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service:\n      rule: "Host(`a-service.example.com`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-errors\n        - oauth-auth\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth:\n      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n    oauth-errors:\n      errors:\n        status:\n          - "401-403"\n        service: oauth-backend\n        query: "/oauth2/sign_in"\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}d.isMDXComponent=!0},96:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return s}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},O={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},j=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),j=n,s=p["".concat(l,".").concat(j)]||p[j]||O[j]||b;return a?r.a.createElement(s,i(i({ref:t},o),{},{components:a})):r.a.createElement(s,i({ref:t},o))}));function s(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=j;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}j.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/404.html b/404.html
index de9e5d95..da2d61f8 100644
--- a/404.html
+++ b/404.html
@@ -6,14 +6,14 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Page Not Found | OAuth2 Proxy</title><meta data-react-helmet="true" property="og:title" content="Page Not Found | OAuth2 Proxy"><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_tag" content="default"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 </head>
 <body>
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item menu__list-item--collapsed"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="container margin-vert--xl"><div class="row"><div class="col col--6 col--offset-3"><h1 class="hero__title">Page Not Found</h1><p>We could not find what you were looking for.</p><p>Please contact the owner of the site that linked you to the original URL and let them know their link is broken.</p></div></div></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 </body>
 </html>
\ No newline at end of file
diff --git a/8c826f25.19b6a6ee.js b/8c826f25.19b6a6ee.js
new file mode 100644
index 00000000..3f0196e0
--- /dev/null
+++ b/8c826f25.19b6a6ee.js
@@ -0,0 +1 @@
+(window.webpackJsonp=window.webpackJsonp||[]).push([[20],{77:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return l})),a.d(t,"metadata",(function(){return i})),a.d(t,"rightToc",(function(){return c})),a.d(t,"default",(function(){return d}));var n=a(2),r=a(6),b=(a(0),a(96)),l={id:"overview",title:"Overview"},i={unversionedId:"configuration/overview",id:"version-7.0.x/configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via config file, command line options or environment variables.",source:"@site/versioned_docs/version-7.0.x/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/overview.md",version:"7.0.x",sidebar:"version-7.0.x/docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/configuration/oauth_provider"}},c=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[]},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[]}]}],o={rightToc:c};function d(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},o,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables"),"."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use ",Object(b.b)("inlineCode",{parentName:"p"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'")),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-paths")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gcp-healthchecks")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will enable ",Object(b.b)("inlineCode",{parentName:"td"},"/liveness_check"),", ",Object(b.b)("inlineCode",{parentName:"td"},"/readiness_check"),", and ",Object(b.b)("inlineCode",{parentName:"td"},"/")," (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider.  If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n  listen 443 ssl;\n  server_name ...;\n  include ssl/ssl.conf;\n\n  location /oauth2/ {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host                    $host;\n    proxy_set_header X-Real-IP               $remote_addr;\n    proxy_set_header X-Scheme                $scheme;\n    proxy_set_header X-Auth-Request-Redirect $request_uri;\n    # or, if you are handling multiple domains:\n    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n  }\n  location = /oauth2/auth {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host             $host;\n    proxy_set_header X-Real-IP        $remote_addr;\n    proxy_set_header X-Scheme         $scheme;\n    # nginx auth_request includes headers but not body\n    proxy_set_header Content-Length   "";\n    proxy_pass_request_body           off;\n  }\n\n  location / {\n    auth_request /oauth2/auth;\n    error_page 401 = /oauth2/sign_in;\n\n    # pass information via X-User and X-Email headers to backend,\n    # requires running with --set-xauthrequest flag\n    auth_request_set $user   $upstream_http_x_auth_request_user;\n    auth_request_set $email  $upstream_http_x_auth_request_email;\n    proxy_set_header X-User  $user;\n    proxy_set_header X-Email $email;\n\n    # if you enabled --pass-access-token, this will pass the token to the backend\n    auth_request_set $token  $upstream_http_x_auth_request_access_token;\n    proxy_set_header X-Access-Token $token;\n\n    # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n    auth_request_set $auth_cookie $upstream_http_set_cookie;\n    add_header Set-Cookie $auth_cookie;\n\n    # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n    # limit and so the OAuth2 Proxy splits these into multiple parts.\n    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n    # Extract the Cookie attributes from the first Set-Cookie header and append them\n    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n    if ($auth_cookie ~* "(; .*)") {\n        set $auth_cookie_name_0 $auth_cookie;\n        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n    }\n\n    # Send both Set-Cookie headers now if there was a second part\n    if ($auth_cookie_name_upstream_1) {\n        add_header Set-Cookie $auth_cookie_name_0;\n        add_header Set-Cookie $auth_cookie_name_1;\n    }\n\n    proxy_pass http://backend/;\n    # or "root /path/to/site;" or "fastcgi_pass ..." etc\n  }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n  auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n  access_by_lua_block {\n    if ngx.var.name_upstream_1 ~= "" then\n      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n    end\n  }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service:\n      rule: "Host(`a-service.example.com`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-errors\n        - oauth-auth\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth:\n      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n    oauth-errors:\n      errors:\n        status:\n          - "401-403"\n        service: oauth-backend\n        query: "/oauth2/sign_in"\n')),Object(b.b)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),Object(b.b)("p",null,"Redirect to sign_in functionality provided without the use of ",Object(b.b)("inlineCode",{parentName:"p"},"errors")," middleware with ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",Object(b.b)("inlineCode",{parentName:"p"},"/")," endpoint"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"Following options need to be set on ",Object(b.b)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--reverseproxy=true"),": Enables the use of ",Object(b.b)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service-route-1:\n      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    a-service-route-2:\n      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-auth-wo-redirect # unauthenticated session will return a 401\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    services-oauth2-route:\n      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth2-proxy-route:\n      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    b-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.3:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth-redirect:\n      forwardAuth:\n        address: https://oauth.example.com/\n        trustForwardHeader: true\n        authResponseHeaders:\n          - X-Auth-Request-Access-Token\n          - Authorization\n    oauth-auth-wo-redirect:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n        authResponseHeaders:\n          - X-Auth-Request-Access-Token\n          - Authorization\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}d.isMDXComponent=!0},96:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return j}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},s={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},O=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),O=n,j=p["".concat(l,".").concat(O)]||p[O]||s[O]||b;return a?r.a.createElement(j,i(i({ref:t},o),{},{components:a})):r.a.createElement(j,i({ref:t},o))}));function j(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=O;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}O.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/8c826f25.c93cdc82.js b/8c826f25.c93cdc82.js
deleted file mode 100644
index 9b559ff8..00000000
--- a/8c826f25.c93cdc82.js
+++ /dev/null
@@ -1 +0,0 @@
-(window.webpackJsonp=window.webpackJsonp||[]).push([[20],{77:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return l})),a.d(t,"metadata",(function(){return i})),a.d(t,"rightToc",(function(){return c})),a.d(t,"default",(function(){return d}));var n=a(2),r=a(6),b=(a(0),a(96)),l={id:"overview",title:"Overview"},i={unversionedId:"configuration/overview",id:"version-7.0.x/configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via config file, command line options or environment variables.",source:"@site/versioned_docs/version-7.0.x/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/overview.md",version:"7.0.x",sidebar:"version-7.0.x/docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/configuration/oauth_provider"}},c=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[]}],o={rightToc:c};function d(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},o,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables"),"."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use ",Object(b.b)("inlineCode",{parentName:"p"},"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'")),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-paths")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gcp-healthchecks")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will enable ",Object(b.b)("inlineCode",{parentName:"td"},"/liveness_check"),", ",Object(b.b)("inlineCode",{parentName:"td"},"/readiness_check"),", and ",Object(b.b)("inlineCode",{parentName:"td"},"/")," (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider.  If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n  listen 443 ssl;\n  server_name ...;\n  include ssl/ssl.conf;\n\n  location /oauth2/ {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host                    $host;\n    proxy_set_header X-Real-IP               $remote_addr;\n    proxy_set_header X-Scheme                $scheme;\n    proxy_set_header X-Auth-Request-Redirect $request_uri;\n    # or, if you are handling multiple domains:\n    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n  }\n  location = /oauth2/auth {\n    proxy_pass       http://127.0.0.1:4180;\n    proxy_set_header Host             $host;\n    proxy_set_header X-Real-IP        $remote_addr;\n    proxy_set_header X-Scheme         $scheme;\n    # nginx auth_request includes headers but not body\n    proxy_set_header Content-Length   "";\n    proxy_pass_request_body           off;\n  }\n\n  location / {\n    auth_request /oauth2/auth;\n    error_page 401 = /oauth2/sign_in;\n\n    # pass information via X-User and X-Email headers to backend,\n    # requires running with --set-xauthrequest flag\n    auth_request_set $user   $upstream_http_x_auth_request_user;\n    auth_request_set $email  $upstream_http_x_auth_request_email;\n    proxy_set_header X-User  $user;\n    proxy_set_header X-Email $email;\n\n    # if you enabled --pass-access-token, this will pass the token to the backend\n    auth_request_set $token  $upstream_http_x_auth_request_access_token;\n    proxy_set_header X-Access-Token $token;\n\n    # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n    auth_request_set $auth_cookie $upstream_http_set_cookie;\n    add_header Set-Cookie $auth_cookie;\n\n    # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n    # limit and so the OAuth2 Proxy splits these into multiple parts.\n    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n    # Extract the Cookie attributes from the first Set-Cookie header and append them\n    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n    if ($auth_cookie ~* "(; .*)") {\n        set $auth_cookie_name_0 $auth_cookie;\n        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n    }\n\n    # Send both Set-Cookie headers now if there was a second part\n    if ($auth_cookie_name_upstream_1) {\n        add_header Set-Cookie $auth_cookie_name_0;\n        add_header Set-Cookie $auth_cookie_name_1;\n    }\n\n    proxy_pass http://backend/;\n    # or "root /path/to/site;" or "fastcgi_pass ..." etc\n  }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n  auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n  access_by_lua_block {\n    if ngx.var.name_upstream_1 ~= "" then\n      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n    end\n  }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n  routers:\n    a-service:\n      rule: "Host(`a-service.example.com`)"\n      service: a-service-backend\n      middlewares:\n        - oauth-errors\n        - oauth-auth\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n    oauth:\n      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n      middlewares:\n        - auth-headers\n      service: oauth-backend\n      tls:\n        certResolver: default\n        domains:\n          - main: "example.com"\n            sans:\n              - "*.example.com"\n\n  services:\n    a-service-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.2:7555\n    oauth-backend:\n      loadBalancer:\n        servers:\n          - url: http://172.16.0.1:4180\n\n  middlewares:\n    auth-headers:\n      headers:\n        sslRedirect: true\n        stsSeconds: 315360000\n        browserXssFilter: true\n        contentTypeNosniff: true\n        forceSTSHeader: true\n        sslHost: example.com\n        stsIncludeSubdomains: true\n        stsPreload: true\n        frameDeny: true\n    oauth-auth:\n      forwardAuth:\n        address: https://oauth.example.com/oauth2/auth\n        trustForwardHeader: true\n    oauth-errors:\n      errors:\n        status:\n          - "401-403"\n        service: oauth-backend\n        query: "/oauth2/sign_in"\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}d.isMDXComponent=!0},96:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return s}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},O={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},j=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),j=n,s=p["".concat(l,".").concat(j)]||p[j]||O[j]||b;return a?r.a.createElement(s,i(i({ref:t},o),{},{components:a})):r.a.createElement(s,i({ref:t},o))}));function s(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=j;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}j.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/docs/6.1.x/behaviour/index.html b/docs/6.1.x/behaviour/index.html
index 4d69c805..fbb04fa1 100644
--- a/docs/6.1.x/behaviour/index.html
+++ b/docs/6.1.x/behaviour/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy&#x27;s session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/6.1.x/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html
index e1639fb5..02d908c9 100644
--- a/docs/6.1.x/community/security/index.html
+++ b/docs/6.1.x/community/security/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
 We may also backport the fix to previous releases,
 but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html
index f8606f1c..3003c165 100644
--- a/docs/6.1.x/configuration/oauth_provider/index.html
+++ b/docs/6.1.x/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -55,7 +55,7 @@ to setup the client id and client secret. Your &quot;Redirection URI&quot; will
 <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
 new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html
index 73a953d1..8fb7d138 100644
--- a/docs/6.1.x/configuration/overview/index.html
+++ b/docs/6.1.x/configuration/overview/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -39,7 +39,7 @@ Variables set with <code>auth_request_set</code> are not <code>set</code>-able i
 Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua module.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">nginx.ingress.kubernetes.io/auth-response-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-signin</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/start</span><span class="token punctuation" style="color:rgb(199, 146, 234)">?</span><span class="token plain">rd=$escaped_request_uri</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">|</span><span class="token scalar string" style="color:rgb(195, 232, 141)"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token scalar string" style="color:rgb(195, 232, 141)">  auth_request_set $name_upstream_1 $upstream_cookie_name_1;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    if ngx.var.name_upstream_1 ~= &quot;&quot; then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Set-Cookie&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = &quot;name_1=&quot; .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match(&quot;(; .*)&quot;)</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don&#x27;t set a custom cookie name the variable  should be &quot;$upstream_cookie__oauth2_proxy_1&quot; instead of &quot;$upstream_cookie_name_1&quot; and the new cookie-name should be &quot;_oauth2_proxy_1=&quot; instead of &quot;name_1=&quot;.</p><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html
index 39f686c1..10da8913 100644
--- a/docs/6.1.x/configuration/session_storage/index.html
+++ b/docs/6.1.x/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
 and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
 <code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html
index 261ab3d3..46c36d3c 100644
--- a/docs/6.1.x/configuration/tls/index.html
+++ b/docs/6.1.x/configuration/tls/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
 via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html
index 931d56f0..d2a0c1f8 100644
--- a/docs/6.1.x/features/endpoints/index.html
+++ b/docs/6.1.x/features/endpoints/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user&#x27;s email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/6.1.x/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy&#x27;s own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider&#x27;s sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The &quot;sign_out_page&quot; should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/6.1.x/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/request_signatures"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Request Signatures »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html
index 6d704413..165c054d 100644
--- a/docs/6.1.x/features/request_signatures/index.html
+++ b/docs/6.1.x/features/request_signatures/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Request Signatures | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Request Signatures | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/request_signatures"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/request_signatures"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -27,7 +27,7 @@ following:</p><ul><li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/R
 Requests</a></li><li><a href="http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/" target="_blank" rel="noopener noreferrer">rc3.org: Using HMAC to authenticate Web service
 requests</a></li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/features/request_signatures.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html
index 9962d0a9..b530a3cf 100644
--- a/docs/6.1.x/index.html
+++ b/docs/6.1.x/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v6.1.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2&gt;&amp;1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/6.1.x/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/6.1.x/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html
index 2b381662..570d95e3 100644
--- a/docs/behaviour/index.html
+++ b/docs/behaviour/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy&#x27;s session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/community/security/index.html b/docs/community/security/index.html
index 7169b371..5f6337e6 100644
--- a/docs/community/security/index.html
+++ b/docs/community/security/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
 We may also backport the fix to previous releases,
 but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html
index a9326699..99f7ade4 100644
--- a/docs/configuration/alpha-config/index.html
+++ b/docs/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -44,7 +44,7 @@ make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Des
 Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreams">Upstreams</a>)</p><p>Upstream represents the configuration for an upstream server.
 Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI&#x27;s path is &quot;/base&quot; and the incoming request was for &quot;/dir&quot;,<br>the upstream request will be for &quot;/base/dir&quot;.</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of &quot;Authenticated&quot; and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams"></a>Upstreams<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream-alias"></a>(<a href="#upstream">[]Upstream</a> alias)<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream-alias" title="Direct link to heading">#</a></h4><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Upstreams is a collection of definitions for upstream servers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreams" class="table-of-contents__link">Upstreams</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html
index 1b536a73..a8ed4143 100644
--- a/docs/configuration/oauth_provider/index.html
+++ b/docs/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your &quot;Redirection URI&quot; will
 <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
 new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html
index 0370bcea..86d6a536 100644
--- a/docs/configuration/overview/index.html
+++ b/docs/configuration/overview/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -14,7 +14,7 @@
 <link rel="preload" href="/oauth2-proxy/41.2d80f77f.js" as="script">
 <link rel="preload" href="/oauth2-proxy/230aeb34.b0a8f7b9.js" as="script">
 <link rel="preload" href="/oauth2-proxy/17896441.2c25168c.js" as="script">
-<link rel="preload" href="/oauth2-proxy/8c826f25.c93cdc82.js" as="script">
+<link rel="preload" href="/oauth2-proxy/8c826f25.19b6a6ee.js" as="script">
 </head>
 <body>
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
@@ -37,11 +37,13 @@ The default format is configured as follows:</p><div class="mdxCodeBlock_1XEh"><
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    proxy_pass http://backend/;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    # or &quot;root /path/to/site;&quot; or &quot;fastcgi_pass ...&quot; etc</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>When you use ingress-nginx in Kubernetes, you MUST use <code>kubernetes/ingress-nginx</code> (which includes the Lua module) and the following configuration snippet for your <code>Ingress</code>.
 Variables set with <code>auth_request_set</code> are not <code>set</code>-able in plain nginx config when the location is processed via <code>proxy_pass</code> and then may only be processed by Lua.
 Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua module.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">nginx.ingress.kubernetes.io/auth-response-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-signin</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/start</span><span class="token punctuation" style="color:rgb(199, 146, 234)">?</span><span class="token plain">rd=$escaped_request_uri</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">|</span><span class="token scalar string" style="color:rgb(195, 232, 141)"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token scalar string" style="color:rgb(195, 232, 141)">  auth_request_set $name_upstream_1 $upstream_cookie_name_1;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
-</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    if ngx.var.name_upstream_1 ~= &quot;&quot; then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Set-Cookie&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = &quot;name_1=&quot; .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match(&quot;(; .*)&quot;)</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don&#x27;t set a custom cookie name the variable  should be &quot;$upstream_cookie__oauth2_proxy_1&quot; instead of &quot;$upstream_cookie_name_1&quot; and the new cookie-name should be &quot;_oauth2_proxy_1=&quot; instead of &quot;name_1=&quot;.</p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="configuring-for-use-with-the-traefik-v2-forwardauth-middleware"></a>Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" title="Direct link to heading">#</a></h2><p><strong>This option requires <code>--reverse-proxy</code> option to be set.</strong></p><p>The <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> allows Traefik to authenticate requests via the oauth2-proxy&#x27;s <code>/oauth2/auth</code> endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">errors</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `oauth.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    if ngx.var.name_upstream_1 ~= &quot;&quot; then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Set-Cookie&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = &quot;name_1=&quot; .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match(&quot;(; .*)&quot;)</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don&#x27;t set a custom cookie name the variable  should be &quot;$upstream_cookie__oauth2_proxy_1&quot; instead of &quot;$upstream_cookie_name_1&quot; and the new cookie-name should be &quot;_oauth2_proxy_1=&quot; instead of &quot;name_1=&quot;.</p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="configuring-for-use-with-the-traefik-v2-forwardauth-middleware"></a>Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" title="Direct link to heading">#</a></h2><p><strong>This option requires <code>--reverse-proxy</code> option to be set.</strong></p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="forwardauth-with-401-errors-middleware"></a>ForwardAuth with 401 errors middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#forwardauth-with-401-errors-middleware" title="Direct link to heading">#</a></h3><p>The <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> allows Traefik to authenticate requests via the oauth2-proxy&#x27;s <code>/oauth2/auth</code> endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">errors</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `oauth.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
-</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">status</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;401-403&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">query</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;/oauth2/sign_in&quot;</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">status</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;401-403&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">query</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;/oauth2/sign_in&quot;</span></div></div></div></div></div><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="forwardauth-with-static-upstreams-configuration"></a>ForwardAuth with static upstreams configuration<a aria-hidden="true" tabindex="-1" class="hash-link" href="#forwardauth-with-static-upstreams-configuration" title="Direct link to heading">#</a></h3><p>Redirect to sign_in functionality provided without the use of <code>errors</code> middleware with <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> pointing to oauth2-proxy service&#x27;s <code>/</code> endpoint</p><p><strong>Following options need to be set on <code>oauth2-proxy</code>:</strong></p><ul><li><code>--upstream=static://202</code>: Configures a static response for authenticated sessions</li><li><code>--reverseproxy=true</code>: Enables the use of <code>X-Forwarded-*</code> headers to determine redirects correctly</li></ul><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-route-1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `b-service.example.com`) &amp;&amp; PathPrefix(`/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">redirect </span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># redirects all unauthenticated to oauth2 signin</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-route-2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`) &amp;&amp; PathPrefix(`/no-auto-redirect`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">wo</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">redirect </span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># unauthenticated session will return a 401</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">services-oauth2-route</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `b-service.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth2-proxy-route</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`oauth.example.com`) &amp;&amp; PathPrefix(`/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
@@ -49,6 +51,6 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
 <script src="/oauth2-proxy/41.2d80f77f.js"></script>
 <script src="/oauth2-proxy/230aeb34.b0a8f7b9.js"></script>
 <script src="/oauth2-proxy/17896441.2c25168c.js"></script>
-<script src="/oauth2-proxy/8c826f25.c93cdc82.js"></script>
+<script src="/oauth2-proxy/8c826f25.19b6a6ee.js"></script>
 </body>
 </html>
\ No newline at end of file
diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html
index 9dbe006f..298ea161 100644
--- a/docs/configuration/session_storage/index.html
+++ b/docs/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
 and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
 <code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html
index 877a2b74..d217fa22 100644
--- a/docs/configuration/tls/index.html
+++ b/docs/configuration/tls/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
 via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html
index 2ab591ae..b833a976 100644
--- a/docs/features/endpoints/index.html
+++ b/docs/features/endpoints/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user&#x27;s email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy&#x27;s own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider&#x27;s sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The &quot;sign_out_page&quot; should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/request_signatures"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Request Signatures »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/features/request_signatures/index.html b/docs/features/request_signatures/index.html
index e3f2df60..6c320214 100644
--- a/docs/features/request_signatures/index.html
+++ b/docs/features/request_signatures/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Request Signatures | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Request Signatures | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/request_signatures"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/request_signatures"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -27,7 +27,7 @@ following:</p><ul><li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/R
 Requests</a></li><li><a href="http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/" target="_blank" rel="noopener noreferrer">rc3.org: Using HMAC to authenticate Web service
 requests</a></li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/features/request_signatures.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/index.html b/docs/index.html
index c977d1e0..922a76fd 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.0.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2&gt;&amp;1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html
index 0ff642a1..651219e5 100644
--- a/docs/next/behaviour/index.html
+++ b/docs/next/behaviour/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy&#x27;s session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy&#x27;s session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/next/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html
index 96b0476e..dfd1ca65 100644
--- a/docs/next/community/security/index.html
+++ b/docs/next/community/security/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
 We may also backport the fix to previous releases,
 but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html
index 681ad5ad..b1517361 100644
--- a/docs/next/configuration/alpha-config/index.html
+++ b/docs/next/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -44,7 +44,7 @@ make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Des
 Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreams">Upstreams</a>)</p><p>Upstream represents the configuration for an upstream server.
 Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI&#x27;s path is &quot;/base&quot; and the incoming request was for &quot;/dir&quot;,<br>the upstream request will be for &quot;/base/dir&quot;.</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of &quot;Authenticated&quot; and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams"></a>Upstreams<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream-alias"></a>(<a href="#upstream">[]Upstream</a> alias)<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream-alias" title="Direct link to heading">#</a></h4><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Upstreams is a collection of definitions for upstream servers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreams" class="table-of-contents__link">Upstreams</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html
index af799571..c027b3ae 100644
--- a/docs/next/configuration/oauth_provider/index.html
+++ b/docs/next/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your &quot;Redirection URI&quot; will
 <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
 new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html
index 27cd443e..f158f2b9 100644
--- a/docs/next/configuration/overview/index.html
+++ b/docs/next/configuration/overview/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via config file, command line options or environment variables."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -14,7 +14,7 @@
 <link rel="preload" href="/oauth2-proxy/41.2d80f77f.js" as="script">
 <link rel="preload" href="/oauth2-proxy/935f2afb.86ec86d4.js" as="script">
 <link rel="preload" href="/oauth2-proxy/17896441.2c25168c.js" as="script">
-<link rel="preload" href="/oauth2-proxy/0f425520.c51701a7.js" as="script">
+<link rel="preload" href="/oauth2-proxy/0f425520.0ebb3fbb.js" as="script">
 </head>
 <body>
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
@@ -37,11 +37,13 @@ The default format is configured as follows:</p><div class="mdxCodeBlock_1XEh"><
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    proxy_pass http://backend/;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    # or &quot;root /path/to/site;&quot; or &quot;fastcgi_pass ...&quot; etc</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>When you use ingress-nginx in Kubernetes, you MUST use <code>kubernetes/ingress-nginx</code> (which includes the Lua module) and the following configuration snippet for your <code>Ingress</code>.
 Variables set with <code>auth_request_set</code> are not <code>set</code>-able in plain nginx config when the location is processed via <code>proxy_pass</code> and then may only be processed by Lua.
 Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua module.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">nginx.ingress.kubernetes.io/auth-response-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-signin</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/start</span><span class="token punctuation" style="color:rgb(199, 146, 234)">?</span><span class="token plain">rd=$escaped_request_uri</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">|</span><span class="token scalar string" style="color:rgb(195, 232, 141)"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token scalar string" style="color:rgb(195, 232, 141)">  auth_request_set $name_upstream_1 $upstream_cookie_name_1;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
-</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    if ngx.var.name_upstream_1 ~= &quot;&quot; then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Set-Cookie&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = &quot;name_1=&quot; .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match(&quot;(; .*)&quot;)</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don&#x27;t set a custom cookie name the variable  should be &quot;$upstream_cookie__oauth2_proxy_1&quot; instead of &quot;$upstream_cookie_name_1&quot; and the new cookie-name should be &quot;_oauth2_proxy_1=&quot; instead of &quot;name_1=&quot;.</p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="configuring-for-use-with-the-traefik-v2-forwardauth-middleware"></a>Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" title="Direct link to heading">#</a></h2><p><strong>This option requires <code>--reverse-proxy</code> option to be set.</strong></p><p>The <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> allows Traefik to authenticate requests via the oauth2-proxy&#x27;s <code>/oauth2/auth</code> endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">errors</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `oauth.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    if ngx.var.name_upstream_1 ~= &quot;&quot; then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Set-Cookie&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = &quot;name_1=&quot; .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match(&quot;(; .*)&quot;)</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don&#x27;t set a custom cookie name the variable  should be &quot;$upstream_cookie__oauth2_proxy_1&quot; instead of &quot;$upstream_cookie_name_1&quot; and the new cookie-name should be &quot;_oauth2_proxy_1=&quot; instead of &quot;name_1=&quot;.</p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="configuring-for-use-with-the-traefik-v2-forwardauth-middleware"></a>Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" title="Direct link to heading">#</a></h2><p><strong>This option requires <code>--reverse-proxy</code> option to be set.</strong></p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="forwardauth-with-401-errors-middleware"></a>ForwardAuth with 401 errors middleware<a aria-hidden="true" tabindex="-1" class="hash-link" href="#forwardauth-with-401-errors-middleware" title="Direct link to heading">#</a></h3><p>The <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> allows Traefik to authenticate requests via the oauth2-proxy&#x27;s <code>/oauth2/auth</code> endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">errors</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `oauth.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
-</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">status</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;401-403&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">query</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;/oauth2/sign_in&quot;</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">errors</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">status</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;401-403&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">query</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;/oauth2/sign_in&quot;</span></div></div></div></div></div><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="forwardauth-with-static-upstreams-configuration"></a>ForwardAuth with static upstreams configuration<a aria-hidden="true" tabindex="-1" class="hash-link" href="#forwardauth-with-static-upstreams-configuration" title="Direct link to heading">#</a></h3><p>Redirect to sign_in functionality provided without the use of <code>errors</code> middleware with <a href="https://doc.traefik.io/traefik/middlewares/forwardauth/" target="_blank" rel="noopener noreferrer">Traefik v2 <code>ForwardAuth</code> middleware</a> pointing to oauth2-proxy service&#x27;s <code>/</code> endpoint</p><p><strong>Following options need to be set on <code>oauth2-proxy</code>:</strong></p><ul><li><code>--upstream=static://202</code>: Configures a static response for authenticated sessions</li><li><code>--reverseproxy=true</code>: Enables the use of <code>X-Forwarded-*</code> headers to determine redirects correctly</li></ul><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">routers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-route-1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `b-service.example.com`) &amp;&amp; PathPrefix(`/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">redirect </span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># redirects all unauthenticated to oauth2 signin</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-route-2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`) &amp;&amp; PathPrefix(`/no-auto-redirect`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> a</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">wo</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">redirect </span><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic"># unauthenticated session will return a 401</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">services-oauth2-route</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`a-service.example.com`, `b-service.example.com`) &amp;&amp; PathPrefix(`/oauth2/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth2-proxy-route</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">rule</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;Host(`oauth.example.com`) &amp;&amp; PathPrefix(`/`)&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">headers</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">service</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> oauth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">backend</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">tls</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">certResolver</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> default</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">domains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">main</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">            </span><span class="token key atrule">sans</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">              </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;*.example.com&quot;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
+</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">  </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">      </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">          </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
@@ -49,6 +51,6 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
 <script src="/oauth2-proxy/41.2d80f77f.js"></script>
 <script src="/oauth2-proxy/935f2afb.86ec86d4.js"></script>
 <script src="/oauth2-proxy/17896441.2c25168c.js"></script>
-<script src="/oauth2-proxy/0f425520.c51701a7.js"></script>
+<script src="/oauth2-proxy/0f425520.0ebb3fbb.js"></script>
 </body>
 </html>
\ No newline at end of file
diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html
index 39ca613b..996ea79e 100644
--- a/docs/next/configuration/session_storage/index.html
+++ b/docs/next/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user&#x27;s authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
 and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
 <code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html
index 92e92f98..d64ef948 100644
--- a/docs/next/configuration/tls/index.html
+++ b/docs/next/configuration/tls/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
 via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
 </span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">        proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">    }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">&quot;yourcompany.com&quot;</span><span class="token plain">  </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">   --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html
index 6746447d..57520af6 100644
--- a/docs/next/features/endpoints/index.html
+++ b/docs/next/features/endpoints/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by <code>--metrics-address</code>, disabled by default</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user&#x27;s email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy&#x27;s own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider&#x27;s sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The &quot;sign_out_page&quot; should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/next/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/request_signatures"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Request Signatures »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/features/request_signatures/index.html b/docs/next/features/request_signatures/index.html
index a4e23ed5..ba830758 100644
--- a/docs/next/features/request_signatures/index.html
+++ b/docs/next/features/request_signatures/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Request Signatures | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Request Signatures | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/request_signatures"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/request_signatures"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -27,7 +27,7 @@ following:</p><ul><li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/R
 Requests</a></li><li><a href="http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/" target="_blank" rel="noopener noreferrer">rc3.org: Using HMAC to authenticate Web service
 requests</a></li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/request_signatures.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/docs/next/index.html b/docs/next/index.html
index 428c2799..2ea3726e 100644
--- a/docs/next/index.html
+++ b/docs/next/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1.  Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@
 <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
 <nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.0.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.0.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2&gt;&amp;1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/next/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/next/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/next/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/index.html b/index.html
index 3e62303f..6190c42d 100644
--- a/index.html
+++ b/index.html
@@ -6,7 +6,7 @@
 <meta name="generator" content="Docusaurus v2.0.0-alpha.66">
 <title data-react-helmet="true">Welcome to OAuth2 Proxy | OAuth2 Proxy</title><meta data-react-helmet="true" property="og:title" content="Welcome to OAuth2 Proxy | OAuth2 Proxy"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/"><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_tag" content="default"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
 <link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.60b69515.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.c2c7862a.js" as="script">
 <link rel="preload" href="/oauth2-proxy/main.02092c2d.js" as="script">
 <link rel="preload" href="/oauth2-proxy/1.6bed8819.js" as="script">
 <link rel="preload" href="/oauth2-proxy/2.f73f779a.js" as="script">
@@ -20,7 +20,7 @@ to validate accounts by email, domain or group.</p><div class="admonition admoni
 Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork.
 A list of changes can be seen in the <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md" target="_blank" rel="noopener noreferrer">CHANGELOG</a>.</p></div></div><p><img alt="Sign In Page" src="/oauth2-proxy/assets/images/sign-in-page-947a0ef7ee9fb0aa2b7179b8c7a1cc76.png"></p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="architecture"></a>Architecture<a aria-hidden="true" tabindex="-1" class="hash-link" href="#architecture" title="Direct link to heading">#</a></h2><p><img alt="OAuth2 Proxy Architecture" src="/oauth2-proxy/assets/images/architecture-08b382c30c02b227fa4c86cb158b600e.png"></p></div></div></div></div></div></main></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
 <script src="/oauth2-proxy/styles.2e624daf.js"></script>
-<script src="/oauth2-proxy/runtime~main.60b69515.js"></script>
+<script src="/oauth2-proxy/runtime~main.c2c7862a.js"></script>
 <script src="/oauth2-proxy/main.02092c2d.js"></script>
 <script src="/oauth2-proxy/1.6bed8819.js"></script>
 <script src="/oauth2-proxy/2.f73f779a.js"></script>
diff --git a/runtime~main.60b69515.js b/runtime~main.c2c7862a.js
similarity index 96%
rename from runtime~main.60b69515.js
rename to runtime~main.c2c7862a.js
index 705fd566..ac682f9c 100644
--- a/runtime~main.60b69515.js
+++ b/runtime~main.c2c7862a.js
@@ -1 +1 @@
-!function(e){function c(c){for(var a,f,o=c[0],b=c[1],d=c[2],u=0,l=[];u<o.length;u++)f=o[u],Object.prototype.hasOwnProperty.call(t,f)&&t[f]&&l.push(t[f][0]),t[f]=0;for(a in b)Object.prototype.hasOwnProperty.call(b,a)&&(e[a]=b[a]);for(i&&i(c);l.length;)l.shift()();return n.push.apply(n,d||[]),r()}function r(){for(var e,c=0;c<n.length;c++){for(var r=n[c],a=!0,f=1;f<r.length;f++){var b=r[f];0!==t[b]&&(a=!1)}a&&(n.splice(c--,1),e=o(o.s=r[0]))}return e}var a={},t={38:0},n=[];function f(e){return o.p+""+({3:"001ca130",4:"00691219",5:"0721a2c0",6:"0f425520",7:"17896441",8:"230aeb34",9:"35234f08",10:"357fe94d",11:"3b8c55ea",12:"3def9002",13:"3fa022c7",14:"42326c77",15:"585bdad0",16:"5a047177",17:"6f497b56",18:"7b04b1d5",19:"7dcecc8d",20:"8c826f25",21:"935f2afb",22:"94285305",23:"9f61b932",24:"a37c03cb",25:"a991188b",26:"ade45c9a",27:"b5649f1e",28:"b89e1cb0",29:"be200c4b",30:"cd4a49c1",31:"ea7cbf6d",32:"edfc6e1b",33:"efc9be4b",34:"f3976560",35:"f4c9d322",36:"f5839aac"}[e]||e)+"."+{1:"6bed8819",2:"f73f779a",3:"864ff6c9",4:"5a332c9c",5:"c40b0d06",6:"c51701a7",7:"2c25168c",8:"b0a8f7b9",9:"540f1aca",10:"f0a0c172",11:"1396475e",12:"8829538f",13:"2a08f900",14:"09a0e8e4",15:"2c674a88",16:"05c93143",17:"ffc09987",18:"49cea530",19:"1a244b07",20:"c93cdc82",21:"86ec86d4",22:"c1f11fb3",23:"52eb58d3",24:"cb23f5eb",25:"3c713607",26:"0673a20d",27:"3a95cf7b",28:"3196bbbd",29:"0ad1e075",30:"5cd770a7",31:"51c5dea8",32:"4df93a8a",33:"4d539956",34:"5b30cd66",35:"ee82cb40",36:"d42acf97",39:"6bb7dda7",40:"24f08f88",41:"2d80f77f"}[e]+".js"}function o(c){if(a[c])return a[c].exports;var r=a[c]={i:c,l:!1,exports:{}};return e[c].call(r.exports,r,r.exports,o),r.l=!0,r.exports}o.e=function(e){var c=[],r=t[e];if(0!==r)if(r)c.push(r[2]);else{var a=new Promise((function(c,a){r=t[e]=[c,a]}));c.push(r[2]=a);var n,b=document.createElement("script");b.charset="utf-8",b.timeout=120,o.nc&&b.setAttribute("nonce",o.nc),b.src=f(e);var d=new Error;n=function(c){b.onerror=b.onload=null,clearTimeout(u);var r=t[e];if(0!==r){if(r){var a=c&&("load"===c.type?"missing":c.type),n=c&&c.target&&c.target.src;d.message="Loading chunk "+e+" failed.\n("+a+": "+n+")",d.name="ChunkLoadError",d.type=a,d.request=n,r[1](d)}t[e]=void 0}};var u=setTimeout((function(){n({type:"timeout",target:b})}),12e4);b.onerror=b.onload=n,document.head.appendChild(b)}return Promise.all(c)},o.m=e,o.c=a,o.d=function(e,c,r){o.o(e,c)||Object.defineProperty(e,c,{enumerable:!0,get:r})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,c){if(1&c&&(e=o(e)),8&c)return e;if(4&c&&"object"==typeof e&&e&&e.__esModule)return e;var r=Object.create(null);if(o.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:e}),2&c&&"string"!=typeof e)for(var a in e)o.d(r,a,function(c){return e[c]}.bind(null,a));return r},o.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(c,"a",c),c},o.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},o.p="/oauth2-proxy/",o.gca=function(e){return f(e={17896441:"7",94285305:"22","001ca130":"3","00691219":"4","0721a2c0":"5","0f425520":"6","230aeb34":"8","35234f08":"9","357fe94d":"10","3b8c55ea":"11","3def9002":"12","3fa022c7":"13","42326c77":"14","585bdad0":"15","5a047177":"16","6f497b56":"17","7b04b1d5":"18","7dcecc8d":"19","8c826f25":"20","935f2afb":"21","9f61b932":"23",a37c03cb:"24",a991188b:"25",ade45c9a:"26",b5649f1e:"27",b89e1cb0:"28",be200c4b:"29",cd4a49c1:"30",ea7cbf6d:"31",edfc6e1b:"32",efc9be4b:"33",f3976560:"34",f4c9d322:"35",f5839aac:"36"}[e]||e)},o.oe=function(e){throw console.error(e),e};var b=window.webpackJsonp=window.webpackJsonp||[],d=b.push.bind(b);b.push=c,b=b.slice();for(var u=0;u<b.length;u++)c(b[u]);var i=d;r()}([]);
\ No newline at end of file
+!function(e){function c(c){for(var a,f,o=c[0],b=c[1],d=c[2],u=0,l=[];u<o.length;u++)f=o[u],Object.prototype.hasOwnProperty.call(t,f)&&t[f]&&l.push(t[f][0]),t[f]=0;for(a in b)Object.prototype.hasOwnProperty.call(b,a)&&(e[a]=b[a]);for(i&&i(c);l.length;)l.shift()();return n.push.apply(n,d||[]),r()}function r(){for(var e,c=0;c<n.length;c++){for(var r=n[c],a=!0,f=1;f<r.length;f++){var b=r[f];0!==t[b]&&(a=!1)}a&&(n.splice(c--,1),e=o(o.s=r[0]))}return e}var a={},t={38:0},n=[];function f(e){return o.p+""+({3:"001ca130",4:"00691219",5:"0721a2c0",6:"0f425520",7:"17896441",8:"230aeb34",9:"35234f08",10:"357fe94d",11:"3b8c55ea",12:"3def9002",13:"3fa022c7",14:"42326c77",15:"585bdad0",16:"5a047177",17:"6f497b56",18:"7b04b1d5",19:"7dcecc8d",20:"8c826f25",21:"935f2afb",22:"94285305",23:"9f61b932",24:"a37c03cb",25:"a991188b",26:"ade45c9a",27:"b5649f1e",28:"b89e1cb0",29:"be200c4b",30:"cd4a49c1",31:"ea7cbf6d",32:"edfc6e1b",33:"efc9be4b",34:"f3976560",35:"f4c9d322",36:"f5839aac"}[e]||e)+"."+{1:"6bed8819",2:"f73f779a",3:"864ff6c9",4:"5a332c9c",5:"c40b0d06",6:"0ebb3fbb",7:"2c25168c",8:"b0a8f7b9",9:"540f1aca",10:"f0a0c172",11:"1396475e",12:"8829538f",13:"2a08f900",14:"09a0e8e4",15:"2c674a88",16:"05c93143",17:"ffc09987",18:"49cea530",19:"1a244b07",20:"19b6a6ee",21:"86ec86d4",22:"c1f11fb3",23:"52eb58d3",24:"cb23f5eb",25:"3c713607",26:"0673a20d",27:"3a95cf7b",28:"3196bbbd",29:"0ad1e075",30:"5cd770a7",31:"51c5dea8",32:"4df93a8a",33:"4d539956",34:"5b30cd66",35:"ee82cb40",36:"d42acf97",39:"6bb7dda7",40:"24f08f88",41:"2d80f77f"}[e]+".js"}function o(c){if(a[c])return a[c].exports;var r=a[c]={i:c,l:!1,exports:{}};return e[c].call(r.exports,r,r.exports,o),r.l=!0,r.exports}o.e=function(e){var c=[],r=t[e];if(0!==r)if(r)c.push(r[2]);else{var a=new Promise((function(c,a){r=t[e]=[c,a]}));c.push(r[2]=a);var n,b=document.createElement("script");b.charset="utf-8",b.timeout=120,o.nc&&b.setAttribute("nonce",o.nc),b.src=f(e);var d=new Error;n=function(c){b.onerror=b.onload=null,clearTimeout(u);var r=t[e];if(0!==r){if(r){var a=c&&("load"===c.type?"missing":c.type),n=c&&c.target&&c.target.src;d.message="Loading chunk "+e+" failed.\n("+a+": "+n+")",d.name="ChunkLoadError",d.type=a,d.request=n,r[1](d)}t[e]=void 0}};var u=setTimeout((function(){n({type:"timeout",target:b})}),12e4);b.onerror=b.onload=n,document.head.appendChild(b)}return Promise.all(c)},o.m=e,o.c=a,o.d=function(e,c,r){o.o(e,c)||Object.defineProperty(e,c,{enumerable:!0,get:r})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,c){if(1&c&&(e=o(e)),8&c)return e;if(4&c&&"object"==typeof e&&e&&e.__esModule)return e;var r=Object.create(null);if(o.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:e}),2&c&&"string"!=typeof e)for(var a in e)o.d(r,a,function(c){return e[c]}.bind(null,a));return r},o.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(c,"a",c),c},o.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},o.p="/oauth2-proxy/",o.gca=function(e){return f(e={17896441:"7",94285305:"22","001ca130":"3","00691219":"4","0721a2c0":"5","0f425520":"6","230aeb34":"8","35234f08":"9","357fe94d":"10","3b8c55ea":"11","3def9002":"12","3fa022c7":"13","42326c77":"14","585bdad0":"15","5a047177":"16","6f497b56":"17","7b04b1d5":"18","7dcecc8d":"19","8c826f25":"20","935f2afb":"21","9f61b932":"23",a37c03cb:"24",a991188b:"25",ade45c9a:"26",b5649f1e:"27",b89e1cb0:"28",be200c4b:"29",cd4a49c1:"30",ea7cbf6d:"31",edfc6e1b:"32",efc9be4b:"33",f3976560:"34",f4c9d322:"35",f5839aac:"36"}[e]||e)},o.oe=function(e){throw console.error(e),e};var b=window.webpackJsonp=window.webpackJsonp||[],d=b.push.bind(b);b.push=c,b=b.slice();for(var u=0;u<b.length;u++)c(b[u]);var i=d;r()}([]);
\ No newline at end of file