go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-11-29 22:48:19 +02:00
Code Issues Releases Activity

Deploy website - based on 4f5efd4074

Browse Source
This commit is contained in:
gh-actions
2022-01-18 13:56:37 +00:00
parent 08e19e7d0b
commit 7cfd9675a4
50 changed files with 101 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/configuration/oauth_provider/index.html
View File

@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
<link rel="preload" href="/oauth2-proxy/runtime~main.34f995af.js" as="script">
<link rel="preload" href="/oauth2-proxy/runtime~main.514d3324.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -14,7 +14,7 @@
<link rel="preload" href="/oauth2-proxy/60.0c644c35.js" as="script">
<link rel="preload" href="/oauth2-proxy/e8c74efb.b5ed146a.js" as="script">
<link rel="preload" href="/oauth2-proxy/17896441.3f09010b.js" as="script">
<link rel="preload" href="/oauth2-proxy/a1bbfb14.ec0422a1.js" as="script">
<link rel="preload" href="/oauth2-proxy/a1bbfb14.599b1799.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
@@ -28,7 +28,7 @@ The OpenID Connect Provider (OIDC) can also be used to connect to other Identity
you may wish to configure an authorization server for each application. Otherwise, the provided <code>default</code> will work.</li></ol><ul><li>Navigate to <strong>Security</strong> then select <strong>API</strong></li><li>Click <strong>Add Authorization Server</strong>, if this option is not available you may require an additional license for a custom authorization server.</li><li>Fill out the <strong>Name</strong> with something to describe the application you are protecting. e.g. &#x27;Example App&#x27;.</li><li>For <strong>Audience</strong>, pick the URL of the application you wish to protect: <a href="https://example.corp.com" target="_blank" rel="noopener noreferrer">https://example.corp.com</a></li><li>Fill out a <strong>Description</strong></li><li>Add any <strong>Access Policies</strong> you wish to configure to limit application access.</li><li>The default settings will work for other options.
<a href="https://developer.okta.com/docs/guides/customize-authz-server/overview/" target="_blank" rel="noopener noreferrer">See Okta documentation for more information on Authorization Servers</a></li></ul><ol start="3"><li>Navigate to <strong>Applications</strong> then select <strong>Add Application</strong>.</li></ol><ul><li>Select <strong>Web</strong> for the <strong>Platform</strong> setting.</li><li>Select <strong>OpenID Connect</strong> and click <strong>Create</strong></li><li>Pick an <strong>Application Name</strong> such as <code>Example App</code>.</li><li>Set the <strong>Login redirect URI</strong> to <code>https://example.corp.com</code>.</li><li>Under <strong>General</strong> set the <strong>Allowed grant types</strong> to <code>Authorization Code</code> and <code>Refresh Token</code>.</li><li>Leave the rest as default, taking note of the <code>Client ID</code> and <code>Client Secret</code>.</li><li>Under <strong>Assignments</strong> select the users or groups you wish to access your application.</li></ul><ol start="4"><li><p>Create a configuration file like the following:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">provider = &quot;oidc&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">redirect_url = &quot;https://example.corp.com/oauth2/callback&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oidc_issuer_url = &quot;https://corp.okta.com/oauth2/abCd1234&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">upstreams = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;https://example.corp.com&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">email_domains = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;corp.com&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_id = &quot;XXXXX&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_secret = &quot;YYYYY&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">pass_access_token = true</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">cookie_secret = &quot;ZZZZZ&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">skip_provider_button = true</span></div></div></div></div></div></li></ol><p>The <code>oidc_issuer_url</code> is based on URL from your <strong>Authorization Server</strong>&#x27;s <strong>Issuer</strong> field in step 2, or simply <a href="https://corp.okta.com" target="_blank" rel="noopener noreferrer">https://corp.okta.com</a> .
The <code>client_id</code> and <code>client_secret</code> are configured in the application settings.
Generate a unique <code>client_secret</code> to encrypt the cookie.</p><p>Then you can start the oauth2-proxy with <code>./oauth2-proxy --config /etc/example.cfg</code></p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="okta---localhost"></a>Okta - localhost<a aria-hidden="true" tabindex="-1" class="hash-link" href="#okta---localhost" title="Direct link to heading">#</a></h4><ol><li>Signup for developer account: <a href="https://developer.okta.com/signup/" target="_blank" rel="noopener noreferrer">https://developer.okta.com/signup/</a></li><li>Create New <code>Web</code> Application: https://${your-okta-domain}/dev/console/apps/new</li><li>Example Application Settings for localhost:<ul><li><strong>Name:</strong> My Web App</li><li><strong>Base URIs:</strong> http://localhost:4180/</li><li><strong>Login redirect URIs:</strong> http://localhost:4180/oauth2/callback</li><li><strong>Logout redirect URIs:</strong> http://localhost:4180/</li><li><strong>Group assignments:</strong> <code>Everyone</code></li><li><strong>Grant type allowed:</strong> <code>Authorization Code</code> and <code>Refresh Token</code></li></ul></li><li>Make note of the <code>Client ID</code> and <code>Client secret</code>, they are needed in a future step</li><li>Make note of the <strong>default</strong> Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as</li><li>Example config file <code>/etc/localhost.cfg</code><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">provider = &quot;oidc&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">redirect_url = &quot;http://localhost:4180/oauth2/callback&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oidc_issuer_url = &quot;https://${your-okta-domain}/oauth2/default&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">upstreams = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;http://0.0.0.0:8080&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">email_domains = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;*&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_id = &quot;XXX&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_secret = &quot;YYY&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">pass_access_token = true</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">cookie_secret = &quot;ZZZ&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">cookie_secure = false</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">skip_provider_button = true</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"># Note: use the following for testing within a container</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"># http_address = &quot;0.0.0.0:4180&quot;</span></div></div></div></div></div></li><li>Then you can start the oauth2-proxy with <code>./oauth2-proxy --config /etc/localhost.cfg</code></li></ol><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="logingov-provider"></a>login.gov Provider<a aria-hidden="true" tabindex="-1" class="hash-link" href="#logingov-provider" title="Direct link to heading">#</a></h3><p>login.gov is an OIDC provider for the US Government.
Generate a unique <code>cookie_secret</code> to encrypt the cookie.</p><p>Then you can start the oauth2-proxy with <code>./oauth2-proxy --config /etc/example.cfg</code></p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="okta---localhost"></a>Okta - localhost<a aria-hidden="true" tabindex="-1" class="hash-link" href="#okta---localhost" title="Direct link to heading">#</a></h4><ol><li>Signup for developer account: <a href="https://developer.okta.com/signup/" target="_blank" rel="noopener noreferrer">https://developer.okta.com/signup/</a></li><li>Create New <code>Web</code> Application: https://${your-okta-domain}/dev/console/apps/new</li><li>Example Application Settings for localhost:<ul><li><strong>Name:</strong> My Web App</li><li><strong>Base URIs:</strong> http://localhost:4180/</li><li><strong>Login redirect URIs:</strong> http://localhost:4180/oauth2/callback</li><li><strong>Logout redirect URIs:</strong> http://localhost:4180/</li><li><strong>Group assignments:</strong> <code>Everyone</code></li><li><strong>Grant type allowed:</strong> <code>Authorization Code</code> and <code>Refresh Token</code></li></ul></li><li>Make note of the <code>Client ID</code> and <code>Client secret</code>, they are needed in a future step</li><li>Make note of the <strong>default</strong> Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as</li><li>Example config file <code>/etc/localhost.cfg</code><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">provider = &quot;oidc&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">redirect_url = &quot;http://localhost:4180/oauth2/callback&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oidc_issuer_url = &quot;https://${your-okta-domain}/oauth2/default&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">upstreams = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;http://0.0.0.0:8080&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">email_domains = [</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> &quot;*&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">]</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_id = &quot;XXX&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">client_secret = &quot;YYY&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">pass_access_token = true</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">cookie_secret = &quot;ZZZ&quot;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">cookie_secure = false</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">skip_provider_button = true</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"># Note: use the following for testing within a container</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"># http_address = &quot;0.0.0.0:4180&quot;</span></div></div></div></div></div></li><li>Then you can start the oauth2-proxy with <code>./oauth2-proxy --config /etc/localhost.cfg</code></li></ol><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="logingov-provider"></a>login.gov Provider<a aria-hidden="true" tabindex="-1" class="hash-link" href="#logingov-provider" title="Direct link to heading">#</a></h3><p>login.gov is an OIDC provider for the US Government.
If you are a US Government agency, you can contact the login.gov team through the contact information
that you can find on <a href="https://login.gov/developers/" target="_blank" rel="noopener noreferrer">https://login.gov/developers/</a> and work with them to understand how to get login.gov
accounts for integration/test and production access.</p><p>A developer guide is available here: <a href="https://developers.login.gov/" target="_blank" rel="noopener noreferrer">https://developers.login.gov/</a>, though this proxy handles everything
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your &quot;Redirection URI&quot; will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#adfs-auth-provider" class="table-of-contents__link">ADFS Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#keycloak-oidc-auth-provider" class="table-of-contents__link">Keycloak OIDC Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
<script src="/oauth2-proxy/runtime~main.34f995af.js"></script>
<script src="/oauth2-proxy/runtime~main.514d3324.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
@@ -67,6 +67,6 @@ new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div
<script src="/oauth2-proxy/60.0c644c35.js"></script>
<script src="/oauth2-proxy/e8c74efb.b5ed146a.js"></script>
<script src="/oauth2-proxy/17896441.3f09010b.js"></script>
<script src="/oauth2-proxy/a1bbfb14.ec0422a1.js"></script>
<script src="/oauth2-proxy/a1bbfb14.599b1799.js"></script>
</body>
</html>