diff --git a/404.html b/404.html index 019948ba..ff69f12c 100644 --- a/404.html +++ b/404.html @@ -5,13 +5,13 @@ Page Not Found | OAuth2 Proxy - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/assets/js/3b8c55ea.79e5ef17.js b/assets/js/3b8c55ea.7197fcf2.js similarity index 69% rename from assets/js/3b8c55ea.79e5ef17.js rename to assets/js/3b8c55ea.7197fcf2.js index ee8e704b..53d8dc46 100644 --- a/assets/js/3b8c55ea.79e5ef17.js +++ b/assets/js/3b8c55ea.7197fcf2.js @@ -1 +1 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[3217],{3905:function(e,t,n){n.d(t,{Zo:function(){return c},kt:function(){return f}});var r=n(7294);function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}function i(e){for(var t=1;t=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(r=0;r=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var p=r.createContext({}),u=function(e){var t=r.useContext(p),n=t;return e&&(n="function"==typeof e?e(t):i(i({},t),e)),n},c=function(e){var t=u(e.components);return r.createElement(p.Provider,{value:t},e.children)},s={inlineCode:"code",wrapper:function(e){var t=e.children;return r.createElement(r.Fragment,{},t)}},m=r.forwardRef((function(e,t){var n=e.components,o=e.mdxType,a=e.originalType,p=e.parentName,c=l(e,["components","mdxType","originalType","parentName"]),m=u(n),f=o,d=m["".concat(p,".").concat(f)]||m[f]||s[f]||a;return n?r.createElement(d,i(i({ref:t},c),{},{components:n})):r.createElement(d,i({ref:t},c))}));function f(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var a=n.length,i=new Array(a);i[0]=m;var l={};for(var p in t)hasOwnProperty.call(t,p)&&(l[p]=t[p]);l.originalType=e,l.mdxType="string"==typeof e?e:o,i[1]=l;for(var u=2;u=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(r=0;r=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var p=r.createContext({}),u=function(e){var t=r.useContext(p),n=t;return e&&(n="function"==typeof e?e(t):i(i({},t),e)),n},c=function(e){var t=u(e.components);return r.createElement(p.Provider,{value:t},e.children)},s={inlineCode:"code",wrapper:function(e){var t=e.children;return r.createElement(r.Fragment,{},t)}},m=r.forwardRef((function(e,t){var n=e.components,o=e.mdxType,a=e.originalType,p=e.parentName,c=l(e,["components","mdxType","originalType","parentName"]),m=u(n),f=o,d=m["".concat(p,".").concat(f)]||m[f]||s[f]||a;return n?r.createElement(d,i(i({ref:t},c),{},{components:n})):r.createElement(d,i({ref:t},c))}));function f(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var a=n.length,i=new Array(a);i[0]=m;var l={};for(var p in t)hasOwnProperty.call(t,p)&&(l[p]=t[p]);l.originalType=e,l.mdxType="string"==typeof e?e:o,i[1]=l;for(var u=2;u=t)&&Object.keys(d.O).every((function(e){return d.O[e](f[b])}))?f.splice(b--,1):(n=!1,t0&&e[u-1][2]>t;u--)e[u]=e[u-1];e[u]=[f,a,t]},d.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return d.d(c,{a:c}),c},f=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},d.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var t=Object.create(null);d.r(t);var r={};c=c||[null,f({}),f([]),f(f)];for(var n=2&a&&e;"object"==typeof n&&!~c.indexOf(n);n=f(n))Object.getOwnPropertyNames(n).forEach((function(c){r[c]=function(){return e[c]}}));return r.default=function(){return e},d.d(t,r),t},d.d=function(e,c){for(var f in c)d.o(c,f)&&!d.o(e,f)&&Object.defineProperty(e,f,{enumerable:!0,get:c[f]})},d.f={},d.e=function(e){return Promise.all(Object.keys(d.f).reduce((function(c,f){return d.f[f](e,c),c}),[]))},d.u=function(e){return"assets/js/"+({53:"935f2afb",74:"4ae90ba0",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2439:"cd4a49c1",2506:"03a491a5",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",2960:"d319f4c2",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4024:"f8ffbaca",4042:"08659987",4189:"3def9002",4431:"001ca130",4472:"f4c9d322",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5410:"9b9cfcc1",5437:"f98fc388",5597:"5dfb0b41",5626:"452b66d6",5679:"4922efd5",5809:"f5afe1a5",5845:"243cbd97",5874:"ea7cbf6d",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7356:"64f5dfca",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9464:"674dcd29",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",74:"1b7f95b8",268:"1a4d8f2a",507:"7e096a77",707:"198d514c",811:"6f3ea057",1351:"02aac3e1",1365:"f7fe4bdb",1487:"f89f4cb4",1558:"bccec428",1898:"67af2e9d",2098:"93096b74",2114:"d1fafb1d",2158:"75b00d70",2260:"41f1390f",2439:"d290876f",2506:"e2cd0143",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",2960:"aa47a8c1",3085:"e29f8c90",3217:"79e5ef17",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"8f91bc1a",4024:"7dab5eab",4042:"7dcc30c9",4189:"0566d6b8",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4998:"d117d167",5144:"3fa3c755",5322:"1534c076",5410:"37c53500",5437:"3b0c1664",5597:"9e45482d",5626:"afac7ad4",5679:"a555c365",5809:"8c2bc2da",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5995:"90b73e88",6042:"120ce48b",6119:"904748ed",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"99ece349",7250:"41ba64ac",7356:"7aecfa1a",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"fb2dab7b",8500:"750d9fa4",8555:"4522119e",8583:"b7164f76",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"89fabb9f",9464:"385786f5",9512:"d0024de2",9514:"7b2cd06e",9692:"e9ddc94f",9890:"e65a6b95"}[e]+".js"},d.miniCssF=function(e){return"assets/css/styles.19258e03.css"},d.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),d.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},a={},t="docusaurus:",d.l=function(e,c,f,r){if(a[e])a[e].push(c);else{var n,b;if(void 0!==f)for(var o=document.getElementsByTagName("script"),u=0;u=t)&&Object.keys(n.O).every((function(e){return n.O[e](f[b])}))?f.splice(b--,1):(d=!1,t0&&e[u-1][2]>t;u--)e[u]=e[u-1];e[u]=[f,a,t]},n.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(c,{a:c}),c},f=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},n.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var t=Object.create(null);n.r(t);var r={};c=c||[null,f({}),f([]),f(f)];for(var d=2&a&&e;"object"==typeof d&&!~c.indexOf(d);d=f(d))Object.getOwnPropertyNames(d).forEach((function(c){r[c]=function(){return e[c]}}));return r.default=function(){return e},n.d(t,r),t},n.d=function(e,c){for(var f in c)n.o(c,f)&&!n.o(e,f)&&Object.defineProperty(e,f,{enumerable:!0,get:c[f]})},n.f={},n.e=function(e){return Promise.all(Object.keys(n.f).reduce((function(c,f){return n.f[f](e,c),c}),[]))},n.u=function(e){return"assets/js/"+({53:"935f2afb",74:"4ae90ba0",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2439:"cd4a49c1",2506:"03a491a5",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",2960:"d319f4c2",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4024:"f8ffbaca",4042:"08659987",4189:"3def9002",4431:"001ca130",4472:"f4c9d322",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5410:"9b9cfcc1",5437:"f98fc388",5597:"5dfb0b41",5626:"452b66d6",5679:"4922efd5",5809:"f5afe1a5",5845:"243cbd97",5874:"ea7cbf6d",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7356:"64f5dfca",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9464:"674dcd29",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",74:"1b7f95b8",268:"1a4d8f2a",507:"7e096a77",707:"198d514c",811:"6f3ea057",1351:"02aac3e1",1365:"f7fe4bdb",1487:"f89f4cb4",1558:"bccec428",1898:"67af2e9d",2098:"93096b74",2114:"d1fafb1d",2158:"75b00d70",2260:"41f1390f",2439:"d290876f",2506:"e2cd0143",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",2960:"aa47a8c1",3085:"e29f8c90",3217:"7197fcf2",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"8f91bc1a",4024:"7dab5eab",4042:"7dcc30c9",4189:"0566d6b8",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4998:"d117d167",5144:"3fa3c755",5322:"1534c076",5410:"37c53500",5437:"3b0c1664",5597:"9e45482d",5626:"afac7ad4",5679:"a555c365",5809:"8c2bc2da",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5995:"90b73e88",6042:"120ce48b",6119:"904748ed",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"99ece349",7250:"41ba64ac",7356:"7aecfa1a",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"fb2dab7b",8500:"750d9fa4",8555:"4522119e",8583:"b7164f76",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"89fabb9f",9464:"385786f5",9512:"d0024de2",9514:"7b2cd06e",9692:"e9ddc94f",9890:"e65a6b95"}[e]+".js"},n.miniCssF=function(e){return"assets/css/styles.19258e03.css"},n.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),n.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},a={},t="docusaurus:",n.l=function(e,c,f,r){if(a[e])a[e].push(c);else{var d,b;if(void 0!==f)for(var o=document.getElementsByTagName("script"),u=0;u Archive | OAuth2 Proxy - +

Archive

Archive

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/behaviour/index.html b/docs/6.1.x/behaviour/index.html index 3f880b65..16504654 100644 --- a/docs/6.1.x/behaviour/index.html +++ b/docs/6.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 6.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html index a7cd6c38..f07e76c9 100644 --- a/docs/6.1.x/community/security/index.html +++ b/docs/6.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html index 542e4f0a..c7cb9332 100644 --- a/docs/6.1.x/configuration/oauth_provider/index.html +++ b/docs/6.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -46,7 +46,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html index d108e7cf..b8d0965a 100644 --- a/docs/6.1.x/configuration/overview/index.html +++ b/docs/6.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html index 7120e41f..ded258bb 100644 --- a/docs/6.1.x/configuration/session_storage/index.html +++ b/docs/6.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html index ab7bb94c..fe6b0662 100644 --- a/docs/6.1.x/configuration/tls/index.html +++ b/docs/6.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html index 0ddf31e3..6f38a1bb 100644 --- a/docs/6.1.x/features/endpoints/index.html +++ b/docs/6.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 6.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html index 5af5ea32..c431340e 100644 --- a/docs/6.1.x/features/request_signatures/index.html +++ b/docs/6.1.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html index 90dac148..e5503591 100644 --- a/docs/6.1.x/index.html +++ b/docs/6.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 6.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v6.1.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/behaviour/index.html b/docs/7.0.x/behaviour/index.html index b79f220c..2b42a7b9 100644 --- a/docs/7.0.x/behaviour/index.html +++ b/docs/7.0.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.0.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/community/security/index.html b/docs/7.0.x/community/security/index.html index a0824329..b84f49c3 100644 --- a/docs/7.0.x/community/security/index.html +++ b/docs/7.0.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/alpha-config/index.html b/docs/7.0.x/configuration/alpha-config/index.html index cad77343..d30142d9 100644 --- a/docs/7.0.x/configuration/alpha-config/index.html +++ b/docs/7.0.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/oauth_provider/index.html b/docs/7.0.x/configuration/oauth_provider/index.html index 908c3c56..731899d2 100644 --- a/docs/7.0.x/configuration/oauth_provider/index.html +++ b/docs/7.0.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/overview/index.html b/docs/7.0.x/configuration/overview/index.html index 74cd5dea..db571e01 100644 --- a/docs/7.0.x/configuration/overview/index.html +++ b/docs/7.0.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/session_storage/index.html b/docs/7.0.x/configuration/session_storage/index.html index 80519a07..7c1975e3 100644 --- a/docs/7.0.x/configuration/session_storage/index.html +++ b/docs/7.0.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/tls/index.html b/docs/7.0.x/configuration/tls/index.html index 56edd05d..4d796d38 100644 --- a/docs/7.0.x/configuration/tls/index.html +++ b/docs/7.0.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/endpoints/index.html b/docs/7.0.x/features/endpoints/index.html index 015a1e7e..6a8084e9 100644 --- a/docs/7.0.x/features/endpoints/index.html +++ b/docs/7.0.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.0.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/request_signatures/index.html b/docs/7.0.x/features/request_signatures/index.html index e8cbf4c5..d3355c5d 100644 --- a/docs/7.0.x/features/request_signatures/index.html +++ b/docs/7.0.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/index.html b/docs/7.0.x/index.html index b6528ddb..d145e6aa 100644 --- a/docs/7.0.x/index.html +++ b/docs/7.0.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.0.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.0.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/behaviour/index.html b/docs/7.1.x/behaviour/index.html index 19a09e0d..961f08cf 100644 --- a/docs/7.1.x/behaviour/index.html +++ b/docs/7.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/community/security/index.html b/docs/7.1.x/community/security/index.html index b23ebeab..180315a5 100644 --- a/docs/7.1.x/community/security/index.html +++ b/docs/7.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/alpha-config/index.html b/docs/7.1.x/configuration/alpha-config/index.html index d96996af..d5f90c39 100644 --- a/docs/7.1.x/configuration/alpha-config/index.html +++ b/docs/7.1.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/oauth_provider/index.html b/docs/7.1.x/configuration/oauth_provider/index.html index e6da1e6c..24560a5d 100644 --- a/docs/7.1.x/configuration/oauth_provider/index.html +++ b/docs/7.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/overview/index.html b/docs/7.1.x/configuration/overview/index.html index a5c91ed4..376b4637 100644 --- a/docs/7.1.x/configuration/overview/index.html +++ b/docs/7.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/session_storage/index.html b/docs/7.1.x/configuration/session_storage/index.html index 3c9be21c..93af5e03 100644 --- a/docs/7.1.x/configuration/session_storage/index.html +++ b/docs/7.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/tls/index.html b/docs/7.1.x/configuration/tls/index.html index 82d16127..511b7bdc 100644 --- a/docs/7.1.x/configuration/tls/index.html +++ b/docs/7.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/features/endpoints/index.html b/docs/7.1.x/features/endpoints/index.html index a5e135ee..e3a378ed 100644 --- a/docs/7.1.x/features/endpoints/index.html +++ b/docs/7.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/index.html b/docs/7.1.x/index.html index 2756e91e..dd37f497 100644 --- a/docs/7.1.x/index.html +++ b/docs/7.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.1.3)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/behaviour/index.html b/docs/7.2.x/behaviour/index.html index 37cab31a..a0199445 100644 --- a/docs/7.2.x/behaviour/index.html +++ b/docs/7.2.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.2.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/community/security/index.html b/docs/7.2.x/community/security/index.html index e75cf039..24bd1b01 100644 --- a/docs/7.2.x/community/security/index.html +++ b/docs/7.2.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/alpha-config/index.html b/docs/7.2.x/configuration/alpha-config/index.html index 32044d96..e1d8db35 100644 --- a/docs/7.2.x/configuration/alpha-config/index.html +++ b/docs/7.2.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

KeycloakOptions​

(Appears on: Provider)

FieldTypeDescription
groups[]stringGroup enables to restrict login to members of indicated group
roles[]stringRole enables to restrict login to users with role (only available when using the keycloak-oidc provider)

LoginGovOptions​

(Appears on: Provider)

FieldTypeDescription
jwtKeystringJWTKey is a private key in PEM format used to sign JWT,
jwtKeyFilestringJWTKeyFile is a path to the private key file in PEM format used to sign the JWT
pubjwkURLstringPubJWKURL is the JWK pubkey access endpoint

OIDCOptions​

(Appears on: Provider)

FieldTypeDescription
issuerURLstringIssuerURL is the OpenID Connect issuer URL
eg: https://accounts.google.com
insecureAllowUnverifiedEmailboolInsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
default set to 'false'
insecureSkipIssuerVerificationboolInsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
default set to 'false'
insecureSkipNonceboolInsecureSkipNonce skips verifying the ID Token's nonce claim that must match
the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
after the initial OAuth redeem & subsequent token refreshes.
default set to 'true'
Warning: In a future release, this will change to 'false' by default for enhanced security.
skipDiscoveryboolSkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
default set to 'false'
jwksURLstringJwksURL is the OpenID Connect JWKS URL
eg: https://www.googleapis.com/oauth2/v3/certs
emailClaimstringEmailClaim indicates which claim contains the user email,
default set to 'email'
groupsClaimstringGroupsClaim indicates which claim contains the user groups
default set to 'groups'
userIDClaimstringUserIDClaim indicates which claim contains the user ID
default set to 'email'

Provider​

(Appears on: Providers)

Provider holds all configuration for a single provider

FieldTypeDescription
clientIDstringClientID is the OAuth Client ID that is defined in the provider
This value is required for all providers.
clientSecretstringClientSecret is the OAuth Client Secret that is defined in the provider
This value is required for all providers.
clientSecretFilestringClientSecretFile is the name of the file
containing the OAuth Client Secret, it will be used if ClientSecret is not set.
keycloakConfigKeycloakOptionsKeycloakConfig holds all configurations for Keycloak provider.
azureConfigAzureOptionsAzureConfig holds all configurations for Azure provider.
ADFSConfigADFSOptionsADFSConfig holds all configurations for ADFS provider.
bitbucketConfigBitbucketOptionsBitbucketConfig holds all configurations for Bitbucket provider.
githubConfigGitHubOptionsGitHubConfig holds all configurations for GitHubC provider.
gitlabConfigGitLabOptionsGitLabConfig holds all configurations for GitLab provider.
googleConfigGoogleOptionsGoogleConfig holds all configurations for Google provider.
oidcConfigOIDCOptionsOIDCConfig holds all configurations for OIDC provider
or providers utilize OIDC configurations.
loginGovConfigLoginGovOptionsLoginGovConfig holds all configurations for LoginGov provider.
idstringID should be a unique identifier for the provider.
This value is required for all providers.
providerstringType is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default
namestringName is the providers display name
if set, it will be shown to the users in the login page.
caFiles[]stringCAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead
loginURLstringLoginURL is the authentication endpoint
redeemURLstringRedeemURL is the token redemption endpoint
profileURLstringProfileURL is the profile access endpoint
resourcestringProtectedResource is the resource that is protected (Azure AD and ADFS only)
validateURLstringValidateURL is the access token validation endpoint
scopestringScope is the OAuth scope specification
promptstringPrompt is OIDC prompt
approvalPromptstringApprovalPrompt is the OAuth approval_prompt
default is set to 'force'
allowedGroups[]stringAllowedGroups is a list of restrict logins to members of this group
acrValuesstringAcrValues is a string of acr values

Providers​

([]Provider alias)​

(Appears on: AlphaOptions)

Providers is a collection of definitions for providers.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/oauth_provider/index.html b/docs/7.2.x/configuration/oauth_provider/index.html index 7d7dfea2..4878a8e8 100644 --- a/docs/7.2.x/configuration/oauth_provider/index.html +++ b/docs/7.2.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/overview/index.html b/docs/7.2.x/configuration/overview/index.html index 2c65c361..7211aac3 100644 --- a/docs/7.2.x/configuration/overview/index.html +++ b/docs/7.2.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/session_storage/index.html b/docs/7.2.x/configuration/session_storage/index.html index 308c4535..be589e71 100644 --- a/docs/7.2.x/configuration/session_storage/index.html +++ b/docs/7.2.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/tls/index.html b/docs/7.2.x/configuration/tls/index.html index b7f5d830..25f81a44 100644 --- a/docs/7.2.x/configuration/tls/index.html +++ b/docs/7.2.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/features/endpoints/index.html b/docs/7.2.x/features/endpoints/index.html index 9a42c5b4..dd09d8e3 100644 --- a/docs/7.2.x/features/endpoints/index.html +++ b/docs/7.2.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.2.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/index.html b/docs/7.2.x/index.html index 944df11a..bc772021 100644 --- a/docs/7.2.x/index.html +++ b/docs/7.2.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.2.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.2.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/behaviour/index.html b/docs/7.3.x/behaviour/index.html index 7044759f..f01733f1 100644 --- a/docs/7.3.x/behaviour/index.html +++ b/docs/7.3.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.3.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/community/security/index.html b/docs/7.3.x/community/security/index.html index 036c537b..458a7dec 100644 --- a/docs/7.3.x/community/security/index.html +++ b/docs/7.3.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/alpha-config/index.html b/docs/7.3.x/configuration/alpha-config/index.html index be0401b6..7a9b80f0 100644 --- a/docs/7.3.x/configuration/alpha-config/index.html +++ b/docs/7.3.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

FieldTypeDescription
valuestringA Value rule matches just this specific value
patternstringA Pattern rule gives a regular expression that must be matched by
some substring of the value. The expression is not automatically
anchored to the start and end of the value, if you want to restrict
the whole parameter value you must anchor it yourself with ^ and $.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.
timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
Defaults to 30 seconds.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/oauth_provider/index.html b/docs/7.3.x/configuration/oauth_provider/index.html index aeb7ad3a..27ca9aca 100644 --- a/docs/7.3.x/configuration/oauth_provider/index.html +++ b/docs/7.3.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/overview/index.html b/docs/7.3.x/configuration/overview/index.html index a3b4bfeb..013a9688 100644 --- a/docs/7.3.x/configuration/overview/index.html +++ b/docs/7.3.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/session_storage/index.html b/docs/7.3.x/configuration/session_storage/index.html index 583bf995..0b34d0c7 100644 --- a/docs/7.3.x/configuration/session_storage/index.html +++ b/docs/7.3.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/tls/index.html b/docs/7.3.x/configuration/tls/index.html index acce8f15..ee3030d3 100644 --- a/docs/7.3.x/configuration/tls/index.html +++ b/docs/7.3.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -19,7 +19,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.3.x/features/endpoints/index.html b/docs/7.3.x/features/endpoints/index.html index d6cb7cfb..5a339de5 100644 --- a/docs/7.3.x/features/endpoints/index.html +++ b/docs/7.3.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.3.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.3.x/index.html b/docs/7.3.x/index.html index d772810f..92cb17a7 100644 --- a/docs/7.3.x/index.html +++ b/docs/7.3.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.3.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.3.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html index 55b92c53..8b4ce44d 100644 --- a/docs/behaviour/index.html +++ b/docs/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: 7.4.x

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/community/security/index.html b/docs/community/security/index.html index 5789b2ff..66affc32 100644 --- a/docs/community/security/index.html +++ b/docs/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html index b3a23f9b..9cf30b8f 100644 --- a/docs/configuration/alpha-config/index.html +++ b/docs/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html index af5fed6b..15a05f65 100644 --- a/docs/configuration/oauth_provider/index.html +++ b/docs/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -60,7 +60,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html index 738deccc..1599c51c 100644 --- a/docs/configuration/overview/index.html +++ b/docs/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html index f23d4a02..926aae85 100644 --- a/docs/configuration/session_storage/index.html +++ b/docs/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -28,7 +28,7 @@ and --redis-sentinel-connection-urls appropriately.

    Redis Clu --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html index 596c94f6..25dc71ac 100644 --- a/docs/configuration/tls/index.html +++ b/docs/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html index 3624638b..2faf7b41 100644 --- a/docs/features/endpoints/index.html +++ b/docs/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.4.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored. Make sure to include the actual domain and port (if needed) and not the URL (e.g "localhost:8081" instead of "http://localhost:8081").

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/index.html b/docs/index.html index eca1bbd1..dbbbefab 100644 --- a/docs/index.html +++ b/docs/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.4.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.4.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html index a03faac5..73bfb174 100644 --- a/docs/next/behaviour/index.html +++ b/docs/next/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: Next

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html index 1ec0efff..7e6abcbb 100644 --- a/docs/next/community/security/index.html +++ b/docs/next/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html index 47a3a2f6..607e1105 100644 --- a/docs/next/configuration/alpha-config/index.html +++ b/docs/next/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html index 5a0445ec..74bdea79 100644 --- a/docs/next/configuration/oauth_provider/index.html +++ b/docs/next/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -69,7 +69,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html index 3924b967..96f06c2a 100644 --- a/docs/next/configuration/overview/index.html +++ b/docs/next/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html index 12255da2..9ac57274 100644 --- a/docs/next/configuration/session_storage/index.html +++ b/docs/next/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -28,7 +28,7 @@ and --redis-sentinel-connection-urls appropriately.

    Redis Clu --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html index c6dadb79..ba52c269 100644 --- a/docs/next/configuration/tls/index.html +++ b/docs/next/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html index 651b51b1..5f71b817 100644 --- a/docs/next/features/endpoints/index.html +++ b/docs/next/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: Next

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /ready - returns a 200 OK response if all the underlying connections (e.g., Redis store) are connected
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored. Make sure to include the actual domain and port (if needed) and not the URL (e.g "localhost:8081" instead of "http://localhost:8081").

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/index.html b/docs/next/index.html index d3b90de3..5c565874 100644 --- a/docs/next/index.html +++ b/docs/next/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    -
    Version: Next

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.4.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - +
    Version: Next

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.4.0)

      b. Build with $ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    + \ No newline at end of file diff --git a/index.html b/index.html index 9fd95d51..086fc136 100644 --- a/index.html +++ b/index.html @@ -5,7 +5,7 @@ Welcome to OAuth2 Proxy | OAuth2 Proxy - + @@ -14,7 +14,7 @@ to validate accounts by email, domain or group.

    note

    This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

    Sign In Page

    Architecture​

    OAuth2 Proxy Architecture

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file