diff --git a/404.html b/404.html index 5ec85e54..0e904ced 100644 --- a/404.html +++ b/404.html @@ -5,13 +5,13 @@ Page Not Found | OAuth2 Proxy - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/assets/js/9f61b932.b7164f76.js b/assets/js/9f61b932.5d97e9b6.js similarity index 60% rename from assets/js/9f61b932.b7164f76.js rename to assets/js/9f61b932.5d97e9b6.js index 0f50a11e..b6dd221e 100644 --- a/assets/js/9f61b932.b7164f76.js +++ b/assets/js/9f61b932.5d97e9b6.js @@ -1 +1 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[8583],{3905:function(e,t,n){n.d(t,{Zo:function(){return c},kt:function(){return m}});var i=n(7294);function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function r(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);t&&(i=i.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,i)}return n}function s(e){for(var t=1;t=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);for(i=0;i=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=i.createContext({}),u=function(e){var t=i.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):s(s({},t),e)),n},c=function(e){var t=u(e.components);return i.createElement(l.Provider,{value:t},e.children)},d={inlineCode:"code",wrapper:function(e){var t=e.children;return i.createElement(i.Fragment,{},t)}},p=i.forwardRef((function(e,t){var n=e.components,o=e.mdxType,r=e.originalType,l=e.parentName,c=a(e,["components","mdxType","originalType","parentName"]),p=u(n),m=o,h=p["".concat(l,".").concat(m)]||p[m]||d[m]||r;return n?i.createElement(h,s(s({ref:t},c),{},{components:n})):i.createElement(h,s({ref:t},c))}));function m(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var r=n.length,s=new Array(r);s[0]=p;var a={};for(var l in t)hasOwnProperty.call(t,l)&&(a[l]=t[l]);a.originalType=e,a.mdxType="string"==typeof e?e:o,s[1]=a;for(var u=2;u=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);for(i=0;i=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=i.createContext({}),u=function(e){var t=i.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):s(s({},t),e)),n},c=function(e){var t=u(e.components);return i.createElement(l.Provider,{value:t},e.children)},d={inlineCode:"code",wrapper:function(e){var t=e.children;return i.createElement(i.Fragment,{},t)}},p=i.forwardRef((function(e,t){var n=e.components,o=e.mdxType,r=e.originalType,l=e.parentName,c=a(e,["components","mdxType","originalType","parentName"]),p=u(n),h=o,k=p["".concat(l,".").concat(h)]||p[h]||d[h]||r;return n?i.createElement(k,s(s({ref:t},c),{},{components:n})):i.createElement(k,s({ref:t},c))}));function h(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var r=n.length,s=new Array(r);s[0]=p;var a={};for(var l in t)hasOwnProperty.call(t,l)&&(a[l]=t[l]);a.originalType=e,a.mdxType="string"==typeof e?e:o,s[1]=a;for(var u=2;u=t)&&Object.keys(r.O).every((function(e){return r.O[e](c[n])}))?c.splice(n--,1):(d=!1,t0&&e[u-1][2]>t;u--)e[u]=e[u-1];e[u]=[c,a,t]},r.n=function(e){var f=e&&e.__esModule?function(){return e.default}:function(){return e};return r.d(f,{a:f}),f},c=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},r.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var t=Object.create(null);r.r(t);var b={};f=f||[null,c({}),c([]),c(c)];for(var d=2&a&&e;"object"==typeof d&&!~f.indexOf(d);d=c(d))Object.getOwnPropertyNames(d).forEach((function(f){b[f]=function(){return e[f]}}));return b.default=function(){return e},r.d(t,b),t},r.d=function(e,f){for(var c in f)r.o(f,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:f[c]})},r.f={},r.e=function(e){return Promise.all(Object.keys(r.f).reduce((function(f,c){return r.f[c](e,f),f}),[]))},r.u=function(e){return"assets/js/"+({53:"935f2afb",74:"4ae90ba0",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1169:"a68195a4",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2423:"e7cb9657",2439:"cd4a49c1",2506:"03a491a5",2575:"ceef21a3",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",2960:"d319f4c2",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4024:"f8ffbaca",4042:"08659987",4189:"3def9002",4193:"f69784af",4431:"001ca130",4472:"f4c9d322",4963:"121b3f12",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5367:"567d20e7",5410:"9b9cfcc1",5437:"f98fc388",5597:"5dfb0b41",5626:"452b66d6",5679:"4922efd5",5680:"b312ff36",5809:"f5afe1a5",5845:"243cbd97",5874:"ea7cbf6d",5910:"d62b9139",5971:"dc696e54",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7356:"64f5dfca",7357:"a916fa41",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9464:"674dcd29",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",74:"6207ed77",268:"1a4d8f2a",507:"7e096a77",707:"7f40c9d0",811:"6f3ea057",1169:"c4f67eb7",1351:"02aac3e1",1365:"f7fe4bdb",1487:"f89f4cb4",1558:"d12b8b23",1898:"67af2e9d",2098:"0809b355",2114:"d1fafb1d",2158:"75b00d70",2260:"41f1390f",2423:"4acd2025",2439:"a6f1fbe6",2506:"8596696f",2575:"1b2abcd7",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",2960:"5f454038",3085:"e29f8c90",3217:"9bc7d1ea",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"8f91bc1a",4024:"6a0ba3f6",4042:"7dcc30c9",4189:"0566d6b8",4193:"4434623e",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4963:"1dbcc0b5",4998:"d117d167",5144:"3fa3c755",5322:"1534c076",5367:"e795b7e6",5410:"37c53500",5437:"3b0c1664",5597:"82243d0a",5626:"4429e7a1",5679:"0d61057c",5680:"ea7721b8",5809:"5b8137ff",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5910:"20662a62",5971:"e5bd5bfe",5995:"90b73e88",6042:"120ce48b",6119:"cb4c22f5",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"417bf0b1",7250:"41ba64ac",7356:"e07d0548",7357:"ee61bb9a",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"80d43c0f",8500:"750d9fa4",8555:"4522119e",8583:"b7164f76",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"ad17b3f1",9464:"1771fd0d",9512:"d0024de2",9514:"7b2cd06e",9692:"e9ddc94f",9890:"869d5ddd"}[e]+".js"},r.miniCssF=function(e){return"assets/css/styles.19258e03.css"},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=function(e,f){return Object.prototype.hasOwnProperty.call(e,f)},a={},t="docusaurus:",r.l=function(e,f,c,b){if(a[e])a[e].push(f);else{var d,n;if(void 0!==c)for(var o=document.getElementsByTagName("script"),u=0;u=t)&&Object.keys(r.O).every((function(e){return r.O[e](c[n])}))?c.splice(n--,1):(d=!1,t0&&e[u-1][2]>t;u--)e[u]=e[u-1];e[u]=[c,a,t]},r.n=function(e){var f=e&&e.__esModule?function(){return e.default}:function(){return e};return r.d(f,{a:f}),f},c=Object.getPrototypeOf?function(e){return Object.getPrototypeOf(e)}:function(e){return e.__proto__},r.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var t=Object.create(null);r.r(t);var b={};f=f||[null,c({}),c([]),c(c)];for(var d=2&a&&e;"object"==typeof d&&!~f.indexOf(d);d=c(d))Object.getOwnPropertyNames(d).forEach((function(f){b[f]=function(){return e[f]}}));return b.default=function(){return e},r.d(t,b),t},r.d=function(e,f){for(var c in f)r.o(f,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:f[c]})},r.f={},r.e=function(e){return Promise.all(Object.keys(r.f).reduce((function(f,c){return r.f[c](e,f),f}),[]))},r.u=function(e){return"assets/js/"+({53:"935f2afb",74:"4ae90ba0",268:"9c6b37b9",507:"8f68f251",707:"76aee1e9",811:"e8c74efb",1169:"a68195a4",1351:"7dcecc8d",1365:"b9702c11",1487:"adcdd4d2",1558:"efec474a",1898:"1999cd7b",2098:"92147208",2114:"6f497b56",2158:"35234f08",2260:"d4a2a59c",2423:"e7cb9657",2439:"cd4a49c1",2506:"03a491a5",2575:"ceef21a3",2593:"300a9996",2598:"5a047177",2608:"9ac82b89",2822:"94285305",2844:"f3976560",2871:"a37c03cb",2960:"d319f4c2",3085:"1f391b9e",3217:"3b8c55ea",3291:"230aeb34",3358:"be200c4b",3608:"9e4087bc",3782:"a1bbfb14",3843:"ecc333f0",3938:"65a49553",4024:"f8ffbaca",4042:"08659987",4189:"3def9002",4193:"f69784af",4431:"001ca130",4472:"f4c9d322",4963:"121b3f12",4998:"7b04b1d5",5144:"1737cda1",5322:"00691219",5367:"567d20e7",5410:"9b9cfcc1",5437:"f98fc388",5597:"5dfb0b41",5626:"452b66d6",5679:"4922efd5",5680:"b312ff36",5809:"f5afe1a5",5845:"243cbd97",5874:"ea7cbf6d",5910:"d62b9139",5971:"dc696e54",5995:"cecf159a",6042:"fb908f49",6119:"efc9be4b",6482:"7874e99f",6760:"0721a2c0",7165:"3b8e2d60",7240:"0f425520",7250:"41de83de",7356:"64f5dfca",7357:"a916fa41",7401:"63d69a63",7559:"d8b74189",7595:"42326c77",7826:"f5839aac",7918:"17896441",8249:"585bdad0",8338:"de718920",8447:"ade45c9a",8500:"acde588d",8555:"cbc8963c",8583:"9f61b932",8724:"edfc6e1b",8873:"b89e1cb0",8967:"3fa022c7",9267:"357fe94d",9464:"674dcd29",9512:"a991188b",9514:"1be78505",9692:"2c77072c",9890:"8c826f25"}[e]||e)+"."+{53:"4a3f1d92",74:"6207ed77",268:"1a4d8f2a",507:"7e096a77",707:"7f40c9d0",811:"6f3ea057",1169:"c4f67eb7",1351:"02aac3e1",1365:"f7fe4bdb",1487:"f89f4cb4",1558:"d12b8b23",1898:"67af2e9d",2098:"0809b355",2114:"d1fafb1d",2158:"75b00d70",2260:"41f1390f",2423:"4acd2025",2439:"a6f1fbe6",2506:"8596696f",2575:"1b2abcd7",2593:"f753e41d",2598:"1f48e99a",2608:"844c4c60",2822:"1f5fc964",2844:"2cb9bfe2",2871:"4fbaf920",2960:"5f454038",3085:"e29f8c90",3217:"9bc7d1ea",3291:"9e93a797",3358:"0994fc5b",3608:"fcc33365",3782:"191e1df5",3843:"f0614c4d",3938:"8f91bc1a",4024:"6a0ba3f6",4042:"7dcc30c9",4189:"0566d6b8",4193:"4434623e",4431:"df12b21c",4472:"114701fa",4608:"2c7b7ade",4963:"1dbcc0b5",4998:"d117d167",5144:"3fa3c755",5322:"1534c076",5367:"e795b7e6",5410:"37c53500",5437:"3b0c1664",5597:"82243d0a",5626:"4429e7a1",5679:"0d61057c",5680:"ea7721b8",5809:"5b8137ff",5845:"547fc342",5874:"7aaa7faa",5897:"ca6e53fd",5910:"20662a62",5971:"e5bd5bfe",5995:"90b73e88",6042:"120ce48b",6119:"cb4c22f5",6482:"ffe18382",6760:"ffdc7189",7165:"7229dec3",7240:"417bf0b1",7250:"41ba64ac",7356:"e07d0548",7357:"ee61bb9a",7401:"bbcebc27",7559:"4b70dd77",7595:"8e971b20",7826:"b034b05a",7918:"b571fd1c",8249:"dbf4b31b",8338:"cd0c4637",8447:"80d43c0f",8500:"750d9fa4",8555:"4522119e",8583:"5d97e9b6",8724:"25fb710b",8873:"d176f819",8967:"d245265c",9267:"ad17b3f1",9464:"1771fd0d",9512:"d0024de2",9514:"7b2cd06e",9692:"e9ddc94f",9890:"869d5ddd"}[e]+".js"},r.miniCssF=function(e){return"assets/css/styles.19258e03.css"},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=function(e,f){return Object.prototype.hasOwnProperty.call(e,f)},a={},t="docusaurus:",r.l=function(e,f,c,b){if(a[e])a[e].push(f);else{var d,n;if(void 0!==c)for(var o=document.getElementsByTagName("script"),u=0;u Archive | OAuth2 Proxy - +

Archive

Archive

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/behaviour/index.html b/docs/6.1.x/behaviour/index.html index 695f86d7..e53af06a 100644 --- a/docs/6.1.x/behaviour/index.html +++ b/docs/6.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 6.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html index 56b0b97c..18e60f0a 100644 --- a/docs/6.1.x/community/security/index.html +++ b/docs/6.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html index b6ac0ca8..76cab791 100644 --- a/docs/6.1.x/configuration/oauth_provider/index.html +++ b/docs/6.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -46,7 +46,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html index 63f77ccb..9e544f72 100644 --- a/docs/6.1.x/configuration/overview/index.html +++ b/docs/6.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html index 4227e6c3..4616e6d7 100644 --- a/docs/6.1.x/configuration/session_storage/index.html +++ b/docs/6.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html index 0aed2517..b9984fb4 100644 --- a/docs/6.1.x/configuration/tls/index.html +++ b/docs/6.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html index 1aa491be..170e61fc 100644 --- a/docs/6.1.x/features/endpoints/index.html +++ b/docs/6.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 6.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html index 036d5bba..e262e449 100644 --- a/docs/6.1.x/features/request_signatures/index.html +++ b/docs/6.1.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html index c618e9dc..2fea3b6c 100644 --- a/docs/6.1.x/index.html +++ b/docs/6.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 6.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v6.1.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/behaviour/index.html b/docs/7.0.x/behaviour/index.html index 9cf76ec1..5958630b 100644 --- a/docs/7.0.x/behaviour/index.html +++ b/docs/7.0.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.0.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/community/security/index.html b/docs/7.0.x/community/security/index.html index baf78ce6..ee7876a5 100644 --- a/docs/7.0.x/community/security/index.html +++ b/docs/7.0.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/alpha-config/index.html b/docs/7.0.x/configuration/alpha-config/index.html index a66225b3..16e8e5fe 100644 --- a/docs/7.0.x/configuration/alpha-config/index.html +++ b/docs/7.0.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/oauth_provider/index.html b/docs/7.0.x/configuration/oauth_provider/index.html index e94efb6b..6ee6ce0c 100644 --- a/docs/7.0.x/configuration/oauth_provider/index.html +++ b/docs/7.0.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/overview/index.html b/docs/7.0.x/configuration/overview/index.html index edca372b..be4ebb18 100644 --- a/docs/7.0.x/configuration/overview/index.html +++ b/docs/7.0.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/session_storage/index.html b/docs/7.0.x/configuration/session_storage/index.html index 42389ce6..8615b28c 100644 --- a/docs/7.0.x/configuration/session_storage/index.html +++ b/docs/7.0.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/configuration/tls/index.html b/docs/7.0.x/configuration/tls/index.html index 20b153eb..4cefd771 100644 --- a/docs/7.0.x/configuration/tls/index.html +++ b/docs/7.0.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/endpoints/index.html b/docs/7.0.x/features/endpoints/index.html index c2d1540f..311b8542 100644 --- a/docs/7.0.x/features/endpoints/index.html +++ b/docs/7.0.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.0.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/features/request_signatures/index.html b/docs/7.0.x/features/request_signatures/index.html index d28e29ae..0ecf40a0 100644 --- a/docs/7.0.x/features/request_signatures/index.html +++ b/docs/7.0.x/features/request_signatures/index.html @@ -5,7 +5,7 @@ Request Signatures | OAuth2 Proxy - + @@ -18,7 +18,7 @@ in oauthproxy.go.

signature_key must be of t following:

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.0.x/index.html b/docs/7.0.x/index.html index 2cf34f38..5b9d730a 100644 --- a/docs/7.0.x/index.html +++ b/docs/7.0.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.0.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.0.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/behaviour/index.html b/docs/7.1.x/behaviour/index.html index 435393a5..815cf2a6 100644 --- a/docs/7.1.x/behaviour/index.html +++ b/docs/7.1.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/community/security/index.html b/docs/7.1.x/community/security/index.html index 9be1f147..ffe91bf1 100644 --- a/docs/7.1.x/community/security/index.html +++ b/docs/7.1.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/alpha-config/index.html b/docs/7.1.x/configuration/alpha-config/index.html index d0ba223b..831e6b5c 100644 --- a/docs/7.1.x/configuration/alpha-config/index.html +++ b/docs/7.1.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams​

([]Upstream alias)​

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/oauth_provider/index.html b/docs/7.1.x/configuration/oauth_provider/index.html index 29ad33e7..f878b5f9 100644 --- a/docs/7.1.x/configuration/oauth_provider/index.html +++ b/docs/7.1.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/overview/index.html b/docs/7.1.x/configuration/overview/index.html index 494442cf..7b172068 100644 --- a/docs/7.1.x/configuration/overview/index.html +++ b/docs/7.1.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverseproxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/session_storage/index.html b/docs/7.1.x/configuration/session_storage/index.html index ed29b7db..ce9c984f 100644 --- a/docs/7.1.x/configuration/session_storage/index.html +++ b/docs/7.1.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/configuration/tls/index.html b/docs/7.1.x/configuration/tls/index.html index 5e3f714b..d17964e6 100644 --- a/docs/7.1.x/configuration/tls/index.html +++ b/docs/7.1.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/features/endpoints/index.html b/docs/7.1.x/features/endpoints/index.html index 783e8f39..607baa94 100644 --- a/docs/7.1.x/features/endpoints/index.html +++ b/docs/7.1.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.1.x/index.html b/docs/7.1.x/index.html index 61c0f759..8a9735f4 100644 --- a/docs/7.1.x/index.html +++ b/docs/7.1.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.1.3)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/behaviour/index.html b/docs/7.2.x/behaviour/index.html index 1c157b7a..272fba31 100644 --- a/docs/7.2.x/behaviour/index.html +++ b/docs/7.2.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.2.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/community/security/index.html b/docs/7.2.x/community/security/index.html index 08c78371..bb216a01 100644 --- a/docs/7.2.x/community/security/index.html +++ b/docs/7.2.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/alpha-config/index.html b/docs/7.2.x/configuration/alpha-config/index.html index 63aaf535..0483831a 100644 --- a/docs/7.2.x/configuration/alpha-config/index.html +++ b/docs/7.2.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -35,7 +35,7 @@ response header.

FieldTypeDescription make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

KeycloakOptions​

(Appears on: Provider)

FieldTypeDescription
groups[]stringGroup enables to restrict login to members of indicated group
roles[]stringRole enables to restrict login to users with role (only available when using the keycloak-oidc provider)

LoginGovOptions​

(Appears on: Provider)

FieldTypeDescription
jwtKeystringJWTKey is a private key in PEM format used to sign JWT,
jwtKeyFilestringJWTKeyFile is a path to the private key file in PEM format used to sign the JWT
pubjwkURLstringPubJWKURL is the JWK pubkey access endpoint

OIDCOptions​

(Appears on: Provider)

FieldTypeDescription
issuerURLstringIssuerURL is the OpenID Connect issuer URL
eg: https://accounts.google.com
insecureAllowUnverifiedEmailboolInsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
default set to 'false'
insecureSkipIssuerVerificationboolInsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
default set to 'false'
insecureSkipNonceboolInsecureSkipNonce skips verifying the ID Token's nonce claim that must match
the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
after the initial OAuth redeem & subsequent token refreshes.
default set to 'true'
Warning: In a future release, this will change to 'false' by default for enhanced security.
skipDiscoveryboolSkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
default set to 'false'
jwksURLstringJwksURL is the OpenID Connect JWKS URL
eg: https://www.googleapis.com/oauth2/v3/certs
emailClaimstringEmailClaim indicates which claim contains the user email,
default set to 'email'
groupsClaimstringGroupsClaim indicates which claim contains the user groups
default set to 'groups'
userIDClaimstringUserIDClaim indicates which claim contains the user ID
default set to 'email'

Provider​

(Appears on: Providers)

Provider holds all configuration for a single provider

FieldTypeDescription
clientIDstringClientID is the OAuth Client ID that is defined in the provider
This value is required for all providers.
clientSecretstringClientSecret is the OAuth Client Secret that is defined in the provider
This value is required for all providers.
clientSecretFilestringClientSecretFile is the name of the file
containing the OAuth Client Secret, it will be used if ClientSecret is not set.
keycloakConfigKeycloakOptionsKeycloakConfig holds all configurations for Keycloak provider.
azureConfigAzureOptionsAzureConfig holds all configurations for Azure provider.
ADFSConfigADFSOptionsADFSConfig holds all configurations for ADFS provider.
bitbucketConfigBitbucketOptionsBitbucketConfig holds all configurations for Bitbucket provider.
githubConfigGitHubOptionsGitHubConfig holds all configurations for GitHubC provider.
gitlabConfigGitLabOptionsGitLabConfig holds all configurations for GitLab provider.
googleConfigGoogleOptionsGoogleConfig holds all configurations for Google provider.
oidcConfigOIDCOptionsOIDCConfig holds all configurations for OIDC provider
or providers utilize OIDC configurations.
loginGovConfigLoginGovOptionsLoginGovConfig holds all configurations for LoginGov provider.
idstringID should be a unique identifier for the provider.
This value is required for all providers.
providerstringType is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default
namestringName is the providers display name
if set, it will be shown to the users in the login page.
caFiles[]stringCAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead
loginURLstringLoginURL is the authentication endpoint
redeemURLstringRedeemURL is the token redemption endpoint
profileURLstringProfileURL is the profile access endpoint
resourcestringProtectedResource is the resource that is protected (Azure AD and ADFS only)
validateURLstringValidateURL is the access token validation endpoint
scopestringScope is the OAuth scope specification
promptstringPrompt is OIDC prompt
approvalPromptstringApprovalPrompt is the OAuth approval_prompt
default is set to 'force'
allowedGroups[]stringAllowedGroups is a list of restrict logins to members of this group
acrValuesstringAcrValues is a string of acr values

Providers​

([]Provider alias)​

(Appears on: AlphaOptions)

Providers is a collection of definitions for providers.

SecretSource​

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server​

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS​

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/oauth_provider/index.html b/docs/7.2.x/configuration/oauth_provider/index.html index bddf265f..2bce17f9 100644 --- a/docs/7.2.x/configuration/oauth_provider/index.html +++ b/docs/7.2.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/overview/index.html b/docs/7.2.x/configuration/overview/index.html index 7f3f05f7..0e6979fb 100644 --- a/docs/7.2.x/configuration/overview/index.html +++ b/docs/7.2.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/session_storage/index.html b/docs/7.2.x/configuration/session_storage/index.html index d5ba3b20..e0b0e0d5 100644 --- a/docs/7.2.x/configuration/session_storage/index.html +++ b/docs/7.2.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/configuration/tls/index.html b/docs/7.2.x/configuration/tls/index.html index 751c20fa..579c7b6a 100644 --- a/docs/7.2.x/configuration/tls/index.html +++ b/docs/7.2.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -16,7 +16,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --reverse-proxy=true \
   --client-id=... \
   --client-secret=...
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/features/endpoints/index.html b/docs/7.2.x/features/endpoints/index.html index 3e8fb03f..1ea12a72 100644 --- a/docs/7.2.x/features/endpoints/index.html +++ b/docs/7.2.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
Version: 7.2.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out​

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.2.x/index.html b/docs/7.2.x/index.html index 86421391..5c4437ac 100644 --- a/docs/7.2.x/index.html +++ b/docs/7.2.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
Version: 7.2.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.2.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/behaviour/index.html b/docs/7.3.x/behaviour/index.html index 6b021a70..712df62e 100644 --- a/docs/7.3.x/behaviour/index.html +++ b/docs/7.3.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
Version: 7.3.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/community/security/index.html b/docs/7.3.x/community/security/index.html index b3f3b34d..96ce2aa3 100644 --- a/docs/7.3.x/community/security/index.html +++ b/docs/7.3.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/alpha-config/index.html b/docs/7.3.x/configuration/alpha-config/index.html index 91650963..938037ea 100644 --- a/docs/7.3.x/configuration/alpha-config/index.html +++ b/docs/7.3.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

FieldTypeDescription
valuestringA Value rule matches just this specific value
patternstringA Pattern rule gives a regular expression that must be matched by
some substring of the value. The expression is not automatically
anchored to the start and end of the value, if you want to restrict
the whole parameter value you must anchor it yourself with ^ and $.

Upstream​

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.
timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
Defaults to 30 seconds.

UpstreamConfig​

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.
Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/oauth_provider/index.html b/docs/7.3.x/configuration/oauth_provider/index.html index da7e9b3e..15dc571b 100644 --- a/docs/7.3.x/configuration/oauth_provider/index.html +++ b/docs/7.3.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -50,7 +50,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/overview/index.html b/docs/7.3.x/configuration/overview/index.html index ffe3c71e..eb8697d8 100644 --- a/docs/7.3.x/configuration/overview/index.html +++ b/docs/7.3.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format​

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Configuring for use with the Nginx auth_request directive​

The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

server {
  listen 443 ssl;
  server_name ...;
  include ssl/ssl.conf;

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    proxy_pass http://backend/;
    # or "root /path/to/site;" or "fastcgi_pass ..." etc
  }
}

When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;

  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

Configuring for use with the Traefik (v2) ForwardAuth middleware​

This option requires --reverse-proxy option to be set.

ForwardAuth with 401 errors middleware​

The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

http:
  routers:
    a-service:
      rule: "Host(`a-service.example.com`)"
      service: a-service-backend
      middlewares:
        - oauth-errors
        - oauth-auth
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth:
      rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
    oauth-errors:
      errors:
        status:
          - "401-403"
        service: oauth-backend
        query: "/oauth2/sign_in"

ForwardAuth with static upstreams configuration​

Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

Following options need to be set on oauth2-proxy:

  • --upstream=static://202: Configures a static response for authenticated sessions
  • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
http:
  routers:
    a-service-route-1:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    a-service-route-2:
      rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
      service: a-service-backend
      middlewares:
        - oauth-auth-wo-redirect # unauthenticated session will return a 401
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    services-oauth2-route:
      rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    oauth2-proxy-route:
      rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
      middlewares:
        - auth-headers
      service: oauth-backend
      tls:
        certResolver: default
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  services:
    a-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.2:7555
    b-service-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.3:7555
    oauth-backend:
      loadBalancer:
        servers:
          - url: http://172.16.0.1:4180

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: example.com
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: true
    oauth-auth-redirect:
      forwardAuth:
        address: https://oauth.example.com/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
    oauth-auth-wo-redirect:
      forwardAuth:
        address: https://oauth.example.com/oauth2/auth
        trustForwardHeader: true
        authResponseHeaders:
          - X-Auth-Request-Access-Token
          - Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/session_storage/index.html b/docs/7.3.x/configuration/session_storage/index.html index f58d0ab7..3219b37e 100644 --- a/docs/7.3.x/configuration/session_storage/index.html +++ b/docs/7.3.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -26,7 +26,7 @@ disclosure.

Usage--redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

Copyright © 2023 OAuth2 Proxy.
- + \ No newline at end of file diff --git a/docs/7.3.x/configuration/tls/index.html b/docs/7.3.x/configuration/tls/index.html index 1188bb40..4731c777 100644 --- a/docs/7.3.x/configuration/tls/index.html +++ b/docs/7.3.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -19,7 +19,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.3.x/features/endpoints/index.html b/docs/7.3.x/features/endpoints/index.html index 49010d8d..a4b8d5f2 100644 --- a/docs/7.3.x/features/endpoints/index.html +++ b/docs/7.3.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.3.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.3.x/index.html b/docs/7.3.x/index.html index 2072171f..8f746323 100644 --- a/docs/7.3.x/index.html +++ b/docs/7.3.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.3.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.3.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/behaviour/index.html b/docs/7.4.x/behaviour/index.html index fc7cff46..382bdfab 100644 --- a/docs/7.4.x/behaviour/index.html +++ b/docs/7.4.x/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: 7.4.x

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/community/security/index.html b/docs/7.4.x/community/security/index.html index 88bd0c5c..07d83a5e 100644 --- a/docs/7.4.x/community/security/index.html +++ b/docs/7.4.x/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/configuration/alpha-config/index.html b/docs/7.4.x/configuration/alpha-config/index.html index 27e74c94..e1e8f8a9 100644 --- a/docs/7.4.x/configuration/alpha-config/index.html +++ b/docs/7.4.x/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/configuration/oauth_provider/index.html b/docs/7.4.x/configuration/oauth_provider/index.html index f3b4bc7e..da74bef8 100644 --- a/docs/7.4.x/configuration/oauth_provider/index.html +++ b/docs/7.4.x/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -60,7 +60,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/configuration/overview/index.html b/docs/7.4.x/configuration/overview/index.html index 3f9244fe..5cae982a 100644 --- a/docs/7.4.x/configuration/overview/index.html +++ b/docs/7.4.x/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/configuration/session_storage/index.html b/docs/7.4.x/configuration/session_storage/index.html index 5b494504..8a66f4e8 100644 --- a/docs/7.4.x/configuration/session_storage/index.html +++ b/docs/7.4.x/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -28,7 +28,7 @@ and --redis-sentinel-connection-urls appropriately.

    Redis Clu --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/configuration/tls/index.html b/docs/7.4.x/configuration/tls/index.html index 20baaaf9..cc56d36e 100644 --- a/docs/7.4.x/configuration/tls/index.html +++ b/docs/7.4.x/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/features/endpoints/index.html b/docs/7.4.x/features/endpoints/index.html index aa003fc7..4ddd3c85 100644 --- a/docs/7.4.x/features/endpoints/index.html +++ b/docs/7.4.x/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.4.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored. Make sure to include the actual domain and port (if needed) and not the URL (e.g "localhost:8081" instead of "http://localhost:8081").

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/7.4.x/index.html b/docs/7.4.x/index.html index de4314ae..9426de63 100644 --- a/docs/7.4.x/index.html +++ b/docs/7.4.x/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.4.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.4.0)

      b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html index 473978c9..f63e0e55 100644 --- a/docs/behaviour/index.html +++ b/docs/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: 7.5.x

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/community/security/index.html b/docs/community/security/index.html index d593c6a7..688ff780 100644 --- a/docs/community/security/index.html +++ b/docs/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html index b426f48c..8e9a6fba 100644 --- a/docs/configuration/alpha-config/index.html +++ b/docs/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html index bb93096e..93f825cb 100644 --- a/docs/configuration/oauth_provider/index.html +++ b/docs/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -73,7 +73,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html index c1d416f1..4c08cbd6 100644 --- a/docs/configuration/overview/index.html +++ b/docs/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html index 03e54365..789de249 100644 --- a/docs/configuration/session_storage/index.html +++ b/docs/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -28,7 +28,7 @@ and --redis-sentinel-connection-urls appropriately.

    Redis Clu --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html index 98f0f1fd..b463c005 100644 --- a/docs/configuration/tls/index.html +++ b/docs/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html index cc34b294..80f5b1fb 100644 --- a/docs/features/endpoints/index.html +++ b/docs/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: 7.5.x

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /ready - returns a 200 OK response if all the underlying connections (e.g., Redis store) are connected
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive
    • /oauth2/static/* - stylesheets and other dependencies used in the sign_in and error pages

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored. Make sure to include the actual domain and port (if needed) and not the URL (e.g "localhost:8081" instead of "http://localhost:8081").

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/index.html b/docs/index.html index bce5294f..86f77a82 100644 --- a/docs/index.html +++ b/docs/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: 7.5.x

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.5.0)

      b. Build with $ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html index 0bbd02fd..d44e43aa 100644 --- a/docs/next/behaviour/index.html +++ b/docs/next/behaviour/index.html @@ -5,13 +5,13 @@ Behaviour | OAuth2 Proxy - +
    Version: Next

    Behaviour

    1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
    2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
    3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
    4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

    Notice that the proxy also provides a number of useful endpoints.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html index 9cbd1d11..f8e076c3 100644 --- a/docs/next/community/security/index.html +++ b/docs/next/community/security/index.html @@ -5,7 +5,7 @@ Security | OAuth2 Proxy - + @@ -29,7 +29,7 @@ If we have multiple security issues in flight simultaneously, we may delay merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html index 05a39ec6..489e8c04 100644 --- a/docs/next/configuration/alpha-config/index.html +++ b/docs/next/configuration/alpha-config/index.html @@ -5,7 +5,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -63,7 +63,7 @@ passed to the /oauth2/start endpoint are checked to determine wheth they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

    FieldTypeDescription
    valuestringA Value rule matches just this specific value
    patternstringA Pattern rule gives a regular expression that must be matched by
    some substring of the value. The expression is not automatically
    anchored to the start and end of the value, if you want to restrict
    the whole parameter value you must anchor it yourself with ^ and $.

    Upstream​

    (Appears on: UpstreamConfig)

    Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

    FieldTypeDescription
    idstringID should be a unique identifier for the upstream.
    This value is required for all upstreams.
    pathstringPath is used to map requests to the upstream server.
    The closest match will take precedence and all Paths must be unique.
    Path can also take a pattern when used with RewriteTarget.
    Path segments can be captured and matched using regular experessions.
    Eg:
    - ^/foo$: Match only the explicit path /foo
    - ^/bar/$: Match any path prefixed with /bar/
    - ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
    rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
    the upstream server.
    Use the Path to capture segments for reuse within the rewrite target.
    Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
    the request /baz/abc/123 to /foo/abc/123 before proxying to the
    upstream server.
    uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
    based URL. It may include a path, in which case all requests will be served
    under that path.
    Eg:
    - http://localhost:8080
    - https://service.localhost
    - https://service.localhost/path
    - file://host/path
    If the URI's path is "/base" and the incoming request was for "/dir",
    the upstream request will be for "/base/dir".
    insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
    This option is insecure and will allow potential Man-In-The-Middle attacks
    betweem OAuth2 Proxy and the usptream server.
    Defaults to false.
    staticboolStatic will make all requests to this upstream have a static response.
    The response will have a body of "Authenticated" and a response code
    matching StaticCode.
    If StaticCode is not set, the response will return a 200 response.
    staticCodeintStaticCode determines the response code for the Static response.
    This option can only be used with Static enabled.
    flushIntervalDurationFlushInterval is the period between flushing the response buffer when
    streaming response from the upstream.
    Defaults to 1 second.
    passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
    to the upstream server.
    Defaults to true.
    proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
    Defaults to true.
    timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
    Defaults to 30 seconds.

    UpstreamConfig​

    (Appears on: AlphaOptions)

    UpstreamConfig is a collection of definitions for upstream servers.

    FieldTypeDescription
    proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
    like: "/%2F/" which would otherwise be redirected to "/"
    upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
    Requests will be proxied to this upstream if the path matches the request path.
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html index 762efac8..e6dc392a 100644 --- a/docs/next/configuration/oauth_provider/index.html +++ b/docs/next/configuration/oauth_provider/index.html @@ -5,7 +5,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -73,7 +73,7 @@ to setup the client id and client secret. Your "Redirection URI" will Provider instance. Add a new case to providers.New() to allow oauth2-proxy to use the new Provider.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html index 5ef2e1d6..2481086a 100644 --- a/docs/next/configuration/overview/index.html +++ b/docs/next/configuration/overview/index.html @@ -5,7 +5,7 @@ Overview | OAuth2 Proxy - + @@ -20,7 +20,7 @@ The default format is configured as follows:

    {{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

    Available variables for request logging:

    VariableExampleDescription
    Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
    Hostdomain.comThe value of the Host header.
    ProtocolHTTP/1.0The request protocol.
    RequestDuration0.001The time in seconds that a request took to process.
    RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
    RequestMethodGETThe request method.
    RequestURI"/oauth2/auth"The URI path of the request.
    ResponseSize12The size in bytes of the response.
    StatusCode200The HTTP status code of the response.
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Upstream-The upstream data of the HTTP request.
    UserAgent-The full user agent as reported by the requesting client.
    Usernameusername@email.comThe email or username of the auth request.

    Standard Log Format​

    All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

    [19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>

    If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

    [{{.Timestamp}}] [{{.File}}] {{.Message}}

    Available variables for standard logging:

    VariableExampleDescription
    Timestamp19/Mar/2015:17:20:19 -0400The date and time of the logging event.
    Filemain.go:40The file and line number of the logging statement.
    MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

    Configuring for use with the Nginx auth_request directive​

    The Nginx auth_request directive allows Nginx to authenticate requests via the oauth2-proxy's /auth endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:

    server {
      listen 443 ssl;
      server_name ...;
      include ssl/ssl.conf;

      location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
      }
      location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      }

      location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        proxy_pass http://backend/;
        # or "root /path/to/site;" or "fastcgi_pass ..." etc
      }
    }

    When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

    It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

    You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

    Configuring for use with the Traefik (v2) ForwardAuth middleware​

    This option requires --reverse-proxy option to be set.

    ForwardAuth with 401 errors middleware​

    The Traefik v2 ForwardAuth middleware allows Traefik to authenticate requests via the oauth2-proxy's /oauth2/auth endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:

    http:
      routers:
        a-service:
          rule: "Host(`a-service.example.com`)"
          service: a-service-backend
          middlewares:
            - oauth-errors
            - oauth-auth
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth:
          rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
        oauth-errors:
          errors:
            status:
              - "401-403"
            service: oauth-backend
            query: "/oauth2/sign_in"

    ForwardAuth with static upstreams configuration​

    Redirect to sign_in functionality provided without the use of errors middleware with Traefik v2 ForwardAuth middleware pointing to oauth2-proxy service's / endpoint

    Following options need to be set on oauth2-proxy:

    • --upstream=static://202: Configures a static response for authenticated sessions
    • --reverse-proxy=true: Enables the use of X-Forwarded-* headers to determine redirects correctly
    http:
      routers:
        a-service-route-1:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        a-service-route-2:
          rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"
          service: a-service-backend
          middlewares:
            - oauth-auth-wo-redirect # unauthenticated session will return a 401
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        services-oauth2-route:
          rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"
        oauth2-proxy-route:
          rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"
          middlewares:
            - auth-headers
          service: oauth-backend
          tls:
            certResolver: default
            domains:
              - main: "example.com"
                sans:
                  - "*.example.com"

      services:
        a-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.2:7555
        b-service-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.3:7555
        oauth-backend:
          loadBalancer:
            servers:
              - url: http://172.16.0.1:4180

      middlewares:
        auth-headers:
          headers:
            sslRedirect: true
            stsSeconds: 315360000
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            sslHost: example.com
            stsIncludeSubdomains: true
            stsPreload: true
            frameDeny: true
        oauth-auth-redirect:
          forwardAuth:
            address: https://oauth.example.com/
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
        oauth-auth-wo-redirect:
          forwardAuth:
            address: https://oauth.example.com/oauth2/auth
            trustForwardHeader: true
            authResponseHeaders:
              - X-Auth-Request-Access-Token
              - Authorization
    note

    If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html index 39ae3ba8..df3cb1f1 100644 --- a/docs/next/configuration/session_storage/index.html +++ b/docs/next/configuration/session_storage/index.html @@ -5,7 +5,7 @@ Session Storage | OAuth2 Proxy - + @@ -21,14 +21,23 @@ back the client for storage, as in the Cookie storage< to the user as the cookie value instead.

    A ticket is composed as the following:

    {CookieName}-{ticketID}.{secret}

    Where:

    • The CookieName is the OAuth2 cookie name (_oauth2_proxy by default)
    • The ticketID is a 128 bit random number, hex-encoded
    • The secret is a 128 bit random number, base64url encoded (no padding). The secret is unique for every session.
    • The pair of {CookieName}-{ticketID} comprises a ticket handle, and thus, the redis key to which the session is stored. The encoded session is encrypted with the secret and stored in redis via the SETEX command.

    Encrypting every session uniquely protects the refresh/access/id tokens stored in the session from -disclosure.

    Usage​

    When using the redis store, specify --session-store-type=redis as well as the Redis connection URL, via +disclosure.

    Additionally the browser only has to send a short Cookie with every request and not the whole JWT, which can get quite big.

    Two settings are used to configure the OAuth2 Proxy cookie lifetime:

    --cookie-refresh duration   refresh the cookie after this duration; 0 to disable
    --cookie-expire duration    expire timeframe for cookie     168h0m0s

    The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server. +If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start +the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already +expired.

    The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the +Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the +available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid. +Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available.

    Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s". +It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate +it. This is especially relevant if the backend uses the JWT to make requests to other backends. +For this reason, it's advised to set the cookie-refresh a couple of seconds less than the Access-Token lifespan.

    Recommended settings:

    • cookie_refresh := Access-Token lifespan - 1m
    • cookie_expire := Refresh-Token lifespan (i.e. Keycloak's client_session_idle)

    Usage​

    When using the redis store, specify --session-store-type=redis as well as the Redis connection URL, via --redis-connection-url=redis://host[:port][/db-number].

    You may also configure the store for Redis Sentinel. In this case, you will want to use the --redis-use-sentinel=true flag, as well as configure the flags --redis-sentinel-master-name and --redis-sentinel-connection-urls appropriately.

    Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the --redis-use-cluster=true flag, and configure the flags --redis-cluster-connection-urls appropriately.

    Note that flags --redis-use-sentinel=true and --redis-use-cluster=true are mutually exclusive.

    Note, if Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. For example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=14

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html index 34857fcf..d763837d 100644 --- a/docs/next/configuration/tls/index.html +++ b/docs/next/configuration/tls/index.html @@ -5,7 +5,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -20,7 +20,7 @@ external load balancer like Amazon ELB or Google Platform Load Balancing) use oauth2-proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

    An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

    server {
        listen 443 default ssl;
        server_name internal.yourcompany.com;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_pass http://127.0.0.1:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 1;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }

  • The command line to run oauth2-proxy in this configuration would look like this:

    ./oauth2-proxy \
       --email-domain="yourcompany.com"  \
       --upstream=http://127.0.0.1:8080/ \
       --cookie-secret=... \
       --cookie-secure=true \
       --provider=... \
       --reverse-proxy=true \
       --client-id=... \
       --client-secret=...
    • Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html index 09990acb..ecd5e894 100644 --- a/docs/next/features/endpoints/index.html +++ b/docs/next/features/endpoints/index.html @@ -5,13 +5,13 @@ Endpoints | OAuth2 Proxy - +
    Version: Next

    Endpoints

    OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

    • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
    • /ping - returns a 200 OK response, which is intended for use with health checks
    • /ready - returns a 200 OK response if all the underlying connections (e.g., Redis store) are connected
    • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
    • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
    • /oauth2/sign_out - this URL is used to clear the session cookie
    • /oauth2/start - a URL that will redirect to start the OAuth cycle
    • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
    • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
    • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive
    • /oauth2/static/* - stylesheets and other dependencies used in the sign_in and error pages

    Sign out​

    To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

    /oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

    Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

    GET /oauth2/sign_out HTTP/1.1
    X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
    ...

    (The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

    BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored. Make sure to include the actual domain and port (if needed) and not the URL (e.g "localhost:8081" instead of "http://localhost:8081").

    Auth​

    This endpoint returns 202 Accepted response or a 401 Unauthorized response.

    It can be configured using the following query parameters query parameters:

    • allowed_groups: comma separated list of allowed groups
    • allowed_email_domains: comma separated list of allowed email domains
    • allowed_emails: comma separated list of allowed emails
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/docs/next/index.html b/docs/next/index.html index f216af39..aae90e5d 100644 --- a/docs/next/index.html +++ b/docs/next/index.html @@ -5,13 +5,13 @@ Installation | OAuth2 Proxy - +
    Version: Next

    Installation

    1. Choose how to deploy:

      a. Download Prebuilt Binary (current release is v7.5.0)

      b. Build with $ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest which will put the binary in $GOPATH/bin

      c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

      d. Using a Kubernetes manifest (Helm)

    Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

    $ sha256sum -c sha256sum.txt
    oauth2-proxy-x.y.z.linux-amd64: OK
    1. Select a Provider and Register an OAuth Application with a Provider
    2. Configure OAuth2 Proxy using config file, command line options, or environment variables
    3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file diff --git a/index.html b/index.html index 57285a94..f67515c7 100644 --- a/index.html +++ b/index.html @@ -5,7 +5,7 @@ Welcome to OAuth2 Proxy | OAuth2 Proxy - + @@ -14,7 +14,7 @@ to validate accounts by email, domain or group.

    note

    This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

    Sign In Page

    Architecture​

    OAuth2 Proxy Architecture

    Copyright © 2023 OAuth2 Proxy.
    - + \ No newline at end of file