diff --git a/404.html b/404.html index 47fd2134..2620d1e1 100644 --- a/404.html +++ b/404.html @@ -6,14 +6,14 @@ Page Not Found | OAuth2 Proxy - +

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/cd4a49c1.c74b0f0c.js b/cd4a49c1.4229ad75.js similarity index 91% rename from cd4a49c1.c74b0f0c.js rename to cd4a49c1.4229ad75.js index 7d2b9d64..13b7834a 100644 --- a/cd4a49c1.c74b0f0c.js +++ b/cd4a49c1.4229ad75.js @@ -1 +1 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[36],{106:function(e,t,a){"use strict";a.d(t,"a",(function(){return O})),a.d(t,"b",(function(){return s}));var n=a(0),b=a.n(n);function r(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t=0||(b[a]=e[a]);return b}(e,t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);for(n=0;n=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(b[a]=e[a])}return b}var o=b.a.createContext({}),p=function(e){var t=b.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},O=function(e){var t=p(e.components);return b.a.createElement(o.Provider,{value:t},e.children)},j={inlineCode:"code",wrapper:function(e){var t=e.children;return b.a.createElement(b.a.Fragment,{},t)}},d=b.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,r=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),O=p(a),d=n,s=O["".concat(l,".").concat(d)]||O[d]||j[d]||r;return a?b.a.createElement(s,i(i({ref:t},o),{},{components:a})):b.a.createElement(s,i({ref:t},o))}));function s(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var r=a.length,l=new Array(r);l[0]=d;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o=0||(b[a]=e[a]);return b}(e,t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);for(n=0;n=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(b[a]=e[a])}return b}var o=b.a.createContext({}),p=function(e){var t=b.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},O=function(e){var t=p(e.components);return b.a.createElement(o.Provider,{value:t},e.children)},j={inlineCode:"code",wrapper:function(e){var t=e.children;return b.a.createElement(b.a.Fragment,{},t)}},d=b.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,r=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),O=p(a),d=n,s=O["".concat(l,".").concat(d)]||O[d]||j[d]||r;return a?b.a.createElement(s,i(i({ref:t},o),{},{components:a})):b.a.createElement(s,i({ref:t},o))}));function s(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var r=a.length,l=new Array(r);l[0]=d;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o Behaviour | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 6.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html index c8217f2f..592eedd0 100644 --- a/docs/6.1.x/community/security/index.html +++ b/docs/6.1.x/community/security/index.html @@ -6,7 +6,7 @@ Security | OAuth2 Proxy - + @@ -38,7 +38,7 @@ merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html index 97bd30c0..6170a4cf 100644 --- a/docs/6.1.x/configuration/oauth_provider/index.html +++ b/docs/6.1.x/configuration/oauth_provider/index.html @@ -6,7 +6,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -55,7 +55,7 @@ to setup the client id and client secret. Your "Redirection URI" will providers.New() to allow oauth2-proxy to use the new Provider.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html index e304ee28..1428d6bb 100644 --- a/docs/6.1.x/configuration/overview/index.html +++ b/docs/6.1.x/configuration/overview/index.html @@ -6,7 +6,7 @@ Overview | OAuth2 Proxy - + @@ -39,7 +39,7 @@ Variables set with auth_request_set are not set-able i Note that nginxinc/kubernetes-ingress does not include the Lua module.

nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $name_upstream_1 $upstream_cookie_name_1;
access_by_lua_block {
if ngx.var.name_upstream_1 ~= "" then
ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
end
}

It is recommended to use --session-store-type=redis when expecting large sessions/OIDC tokens (e.g. with MS Azure).

You have to substitute name with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".

note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html index 29dc591a..39f7d944 100644 --- a/docs/6.1.x/configuration/session_storage/index.html +++ b/docs/6.1.x/configuration/session_storage/index.html @@ -6,7 +6,7 @@ Session Storage | OAuth2 Proxy - + @@ -35,7 +35,7 @@ disclosure.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html index 6bfe7861..1a8b9703 100644 --- a/docs/6.1.x/configuration/tls/index.html +++ b/docs/6.1.x/configuration/tls/index.html @@ -6,7 +6,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -26,7 +26,7 @@ would be https://internal.yourcompany.com/.

An example Nginx via HSTS:

server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--reverse-proxy=true \
--client-id=... \
--client-secret=...
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html index e72c5620..a9cc393b 100644 --- a/docs/6.1.x/features/endpoints/index.html +++ b/docs/6.1.x/features/endpoints/index.html @@ -6,7 +6,7 @@ Endpoints | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 6.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html index ebba9a2b..4699c168 100644 --- a/docs/6.1.x/features/request_signatures/index.html +++ b/docs/6.1.x/features/request_signatures/index.html @@ -6,7 +6,7 @@ Request Signatures | OAuth2 Proxy - + @@ -27,7 +27,7 @@ following:

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html index f87284d0..458c5ffd 100644 --- a/docs/6.1.x/index.html +++ b/docs/6.1.x/index.html @@ -6,7 +6,7 @@ Installation | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 6.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v6.1.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/behaviour/index.html b/docs/7.0.x/behaviour/index.html index fef46a18..9e28df8c 100644 --- a/docs/7.0.x/behaviour/index.html +++ b/docs/7.0.x/behaviour/index.html @@ -6,7 +6,7 @@ Behaviour | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.0.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/community/security/index.html b/docs/7.0.x/community/security/index.html index f59e731f..41e97ffe 100644 --- a/docs/7.0.x/community/security/index.html +++ b/docs/7.0.x/community/security/index.html @@ -6,7 +6,7 @@ Security | OAuth2 Proxy - + @@ -38,7 +38,7 @@ merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/configuration/alpha-config/index.html b/docs/7.0.x/configuration/alpha-config/index.html index e889c789..957ef63b 100644 --- a/docs/7.0.x/configuration/alpha-config/index.html +++ b/docs/7.0.x/configuration/alpha-config/index.html @@ -6,7 +6,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -44,7 +44,7 @@ make up the header value

FieldTypeDes Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Upstream

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams

([]Upstream alias)

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/configuration/oauth_provider/index.html b/docs/7.0.x/configuration/oauth_provider/index.html index dbcf0d37..03cc6ed6 100644 --- a/docs/7.0.x/configuration/oauth_provider/index.html +++ b/docs/7.0.x/configuration/oauth_provider/index.html @@ -6,7 +6,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will providers.New() to allow oauth2-proxy to use the new Provider.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/configuration/overview/index.html b/docs/7.0.x/configuration/overview/index.html index ae75f79b..f076c770 100644 --- a/docs/7.0.x/configuration/overview/index.html +++ b/docs/7.0.x/configuration/overview/index.html @@ -6,7 +6,7 @@ Overview | OAuth2 Proxy - + @@ -43,7 +43,7 @@ Note that nginxinc/kubernetes-ingress does not include the Lua modu
services:
a-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.2:7555
b-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.3:7555
oauth-backend:
loadBalancer:
servers:
- url: http://172.16.0.1:4180
middlewares:
auth-headers:
headers:
sslRedirect: true
stsSeconds: 315360000
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
sslHost: example.com
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
oauth-auth-redirect:
forwardAuth:
address: https://oauth.example.com/
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
oauth-auth-wo-redirect:
forwardAuth:
address: https://oauth.example.com/oauth2/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/configuration/session_storage/index.html b/docs/7.0.x/configuration/session_storage/index.html index 177c6990..d35fbddd 100644 --- a/docs/7.0.x/configuration/session_storage/index.html +++ b/docs/7.0.x/configuration/session_storage/index.html @@ -6,7 +6,7 @@ Session Storage | OAuth2 Proxy - + @@ -35,7 +35,7 @@ disclosure.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/configuration/tls/index.html b/docs/7.0.x/configuration/tls/index.html index afa3eff1..e9a59134 100644 --- a/docs/7.0.x/configuration/tls/index.html +++ b/docs/7.0.x/configuration/tls/index.html @@ -6,7 +6,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -26,7 +26,7 @@ would be https://internal.yourcompany.com/.

An example Nginx via HSTS:

server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--reverse-proxy=true \
--client-id=... \
--client-secret=...
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/features/endpoints/index.html b/docs/7.0.x/features/endpoints/index.html index c03181b3..fb581e8b 100644 --- a/docs/7.0.x/features/endpoints/index.html +++ b/docs/7.0.x/features/endpoints/index.html @@ -6,7 +6,7 @@ Endpoints | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.0.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/features/request_signatures/index.html b/docs/7.0.x/features/request_signatures/index.html index b1368a46..e6b0fee6 100644 --- a/docs/7.0.x/features/request_signatures/index.html +++ b/docs/7.0.x/features/request_signatures/index.html @@ -6,7 +6,7 @@ Request Signatures | OAuth2 Proxy - + @@ -27,7 +27,7 @@ following:

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/7.0.x/index.html b/docs/7.0.x/index.html index cb9d5396..8f835634 100644 --- a/docs/7.0.x/index.html +++ b/docs/7.0.x/index.html @@ -6,7 +6,7 @@ Installation | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.0.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.0.1)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html index b2d3b7cd..7bfefbe8 100644 --- a/docs/behaviour/index.html +++ b/docs/behaviour/index.html @@ -6,7 +6,7 @@ Behaviour | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.1.x

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/community/security/index.html b/docs/community/security/index.html index 27cc6b67..28417c32 100644 --- a/docs/community/security/index.html +++ b/docs/community/security/index.html @@ -6,7 +6,7 @@ Security | OAuth2 Proxy - + @@ -38,7 +38,7 @@ merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html index 688a5742..db17d93e 100644 --- a/docs/configuration/alpha-config/index.html +++ b/docs/configuration/alpha-config/index.html @@ -6,7 +6,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -44,7 +44,7 @@ make up the header value

FieldTypeDes Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams

([]Upstream alias)

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html index d6bf8aa2..a30d8628 100644 --- a/docs/configuration/oauth_provider/index.html +++ b/docs/configuration/oauth_provider/index.html @@ -6,7 +6,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will providers.New() to allow oauth2-proxy to use the new Provider.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html index a68032aa..3e5fd9aa 100644 --- a/docs/configuration/overview/index.html +++ b/docs/configuration/overview/index.html @@ -6,7 +6,7 @@ Overview | OAuth2 Proxy - + @@ -43,7 +43,7 @@ Note that nginxinc/kubernetes-ingress does not include the Lua modu
services:
a-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.2:7555
b-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.3:7555
oauth-backend:
loadBalancer:
servers:
- url: http://172.16.0.1:4180
middlewares:
auth-headers:
headers:
sslRedirect: true
stsSeconds: 315360000
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
sslHost: example.com
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
oauth-auth-redirect:
forwardAuth:
address: https://oauth.example.com/
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
oauth-auth-wo-redirect:
forwardAuth:
address: https://oauth.example.com/oauth2/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html index 4fbbbfe1..c2589097 100644 --- a/docs/configuration/session_storage/index.html +++ b/docs/configuration/session_storage/index.html @@ -6,7 +6,7 @@ Session Storage | OAuth2 Proxy - + @@ -35,7 +35,7 @@ disclosure.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html index 855d230b..62a2ad81 100644 --- a/docs/configuration/tls/index.html +++ b/docs/configuration/tls/index.html @@ -6,7 +6,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -26,7 +26,7 @@ would be https://internal.yourcompany.com/.

An example Nginx via HSTS:

server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--reverse-proxy=true \
--client-id=... \
--client-secret=...
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html index e6d60af8..29e2b5a1 100644 --- a/docs/features/endpoints/index.html +++ b/docs/features/endpoints/index.html @@ -6,7 +6,7 @@ Endpoints | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.1.x

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/index.html b/docs/index.html index 87c38d78..9eec3910 100644 --- a/docs/index.html +++ b/docs/index.html @@ -6,7 +6,7 @@ Installation | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: 7.1.x

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.1.3)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html index eab940dd..3777021e 100644 --- a/docs/next/behaviour/index.html +++ b/docs/next/behaviour/index.html @@ -6,7 +6,7 @@ Behaviour | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: Next

Behaviour

  1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens).
  2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with Accept: application/json, in which case 401 Unauthorized is returned)
  3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
  4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful endpoints.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html index 9c2e6afa..e7b41218 100644 --- a/docs/next/community/security/index.html +++ b/docs/next/community/security/index.html @@ -6,7 +6,7 @@ Security | OAuth2 Proxy - + @@ -38,7 +38,7 @@ merging fixes until all patches are ready. We may also backport the fix to previous releases, but this will be at the discretion of the maintainers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html index 576ef30c..e1b09d26 100644 --- a/docs/next/configuration/alpha-config/index.html +++ b/docs/next/configuration/alpha-config/index.html @@ -6,7 +6,7 @@ Alpha Configuration | OAuth2 Proxy - + @@ -14,7 +14,7 @@ - +
@@ -42,9 +42,9 @@ Valid time units are "ns", "us" (or "µs"), " response header.

FieldTypeDescription
namestringName is the header name to be used for this set of values.
Names should be unique within a list of Headers.
preserveRequestValueboolPreserveRequestValue determines whether any values for this header
should be preserved for the request to the upstream server.
This option only applies to injected request headers.
Defaults to false (headers that match this header will be stripped).
values[]HeaderValueValues contains the desired values for this header

HeaderValue

(Appears on: Header)

HeaderValue represents a single header value and the sources that can make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

KeycloakOptions

(Appears on: Provider)

FieldTypeDescription
groups[]stringGroup enables to restrict login to members of indicated group

LoginGovOptions

(Appears on: Provider)

FieldTypeDescription
jwtKeystringJWTKey is a private key in PEM format used to sign JWT,
jwtKeyFilestringJWTKeyFile is a path to the private key file in PEM format used to sign the JWT
pubjwkURLstringPubJWKURL is the JWK pubkey access endpoint

OIDCOptions

(Appears on: Provider)

FieldTypeDescription
issuerURLstringIssuerURL is the OpenID Connect issuer URL
eg: https://accounts.google.com
insecureAllowUnverifiedEmailboolInsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
default set to 'false'
insecureSkipIssuerVerificationboolInsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
default set to 'false'
insecureSkipNonceboolInsecureSkipNonce skips verifying the ID Token's nonce claim that must match
the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
after the initial OAuth redeem & subsequent token refreshes.
default set to 'true'
Warning: In a future release, this will change to 'false' by default for enhanced security.
skipDiscoveryboolSkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
default set to 'false'
jwksURLstringJwksURL is the OpenID Connect JWKS URL
eg: https://www.googleapis.com/oauth2/v3/certs
emailClaimstringEmailClaim indicates which claim contains the user email,
default set to 'email'
groupsClaimstringGroupsClaim indicates which claim contains the user groups
default set to 'groups'
userIDClaimstringUserIDClaim indicates which claim contains the user ID
default set to 'email'

Provider

(Appears on: Providers)

Provider holds all configuration for a single provider

FieldTypeDescription
clientIDstringClientID is the OAuth Client ID that is defined in the provider
This value is required for all providers.
clientSecretstringClientSecret is the OAuth Client Secret that is defined in the provider
This value is required for all providers.
clientSecretFilestringClientSecretFile is the name of the file
containing the OAuth Client Secret, it will be used if ClientSecret is not set.
keycloakConfigKeycloakOptionsKeycloakConfig holds all configurations for Keycloak provider.
azureConfigAzureOptionsAzureConfig holds all configurations for Azure provider.
ADFSConfigADFSOptionsADFSConfig holds all configurations for ADFS provider.
bitbucketConfigBitbucketOptionsBitbucketConfig holds all configurations for Bitbucket provider.
githubConfigGitHubOptionsGitHubConfig holds all configurations for GitHubC provider.
gitlabConfigGitLabOptionsGitLabConfig holds all configurations for GitLab provider.
googleConfigGoogleOptionsGoogleConfig holds all configurations for Google provider.
oidcConfigOIDCOptionsOIDCConfig holds all configurations for OIDC provider
or providers utilize OIDC configurations.
loginGovConfigLoginGovOptionsLoginGovConfig holds all configurations for LoginGov provider.
idstringID should be a unique identifier for the provider.
This value is required for all providers.
providerstringType is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default
namestringName is the providers display name
if set, it will be shown to the users in the login page.
caFiles[]stringCAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead
loginURLstringLoginURL is the authentication endpoint
redeemURLstringRedeemURL is the token redemption endpoint
profileURLstringProfileURL is the profile access endpoint
resourcestringProtectedResource is the resource that is protected (Azure AD and ADFS only)
validateURLstringValidateURL is the access token validation endpoint
scopestringScope is the OAuth scope specification
promptstringPrompt is OIDC prompt
approvalPromptstringApprovalPrompt is the OAuth approval_prompt
default is set to 'force'
allowedGroups[]stringAllowedGroups is a list of restrict logins to members of this group
acrValuesstringAcrValues is a string of acr values

Providers

([]Provider alias)

(Appears on: AlphaOptions)

Providers is a collection of definitions for providers.

SecretSource

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic.

TLS

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.

Upstream

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. -Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams

([]Upstream alias)

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
+Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.

Upstreams

([]Upstream alias)

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + @@ -52,6 +52,6 @@ Requests will be proxied to this upstream if the path matches the request path.< - + \ No newline at end of file diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html index fefeb11f..50381202 100644 --- a/docs/next/configuration/oauth_provider/index.html +++ b/docs/next/configuration/oauth_provider/index.html @@ -6,7 +6,7 @@ OAuth Provider Configuration | OAuth2 Proxy - + @@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will providers.New() to allow oauth2-proxy to use the new Provider.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html index 786041c9..d9f68b35 100644 --- a/docs/next/configuration/overview/index.html +++ b/docs/next/configuration/overview/index.html @@ -6,7 +6,7 @@ Overview | OAuth2 Proxy - + @@ -43,7 +43,7 @@ Note that nginxinc/kubernetes-ingress does not include the Lua modu
services:
a-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.2:7555
b-service-backend:
loadBalancer:
servers:
- url: http://172.16.0.3:7555
oauth-backend:
loadBalancer:
servers:
- url: http://172.16.0.1:4180
middlewares:
auth-headers:
headers:
sslRedirect: true
stsSeconds: 315360000
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
sslHost: example.com
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
oauth-auth-redirect:
forwardAuth:
address: https://oauth.example.com/
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
oauth-auth-wo-redirect:
forwardAuth:
address: https://oauth.example.com/oauth2/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-Request-Access-Token
- Authorization
note

If you set up your OAuth2 provider to rotate your client secret, you can use the client-secret-file option to reload the secret when it is updated.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html index 7d1410fb..96d247ec 100644 --- a/docs/next/configuration/session_storage/index.html +++ b/docs/next/configuration/session_storage/index.html @@ -6,7 +6,7 @@ Session Storage | OAuth2 Proxy - + @@ -35,7 +35,7 @@ disclosure.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html index 5f57a324..ad2e98da 100644 --- a/docs/next/configuration/tls/index.html +++ b/docs/next/configuration/tls/index.html @@ -6,7 +6,7 @@ TLS Configuration | OAuth2 Proxy - + @@ -26,7 +26,7 @@ would be https://internal.yourcompany.com/.

An example Nginx via HSTS:

server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}

The command line to run oauth2-proxy in this configuration would look like this:

./oauth2-proxy \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--provider=... \
--reverse-proxy=true \
--client-id=... \
--client-secret=...
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html index 9a0c6aaa..5e7cf553 100644 --- a/docs/next/features/endpoints/index.html +++ b/docs/next/features/endpoints/index.html @@ -6,7 +6,7 @@ Endpoints | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: Next

Endpoints

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns a 200 OK response, which is intended for use with health checks
  • /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by --metrics-address, disabled by default
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/sign_out - this URL is used to clear the session cookie
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
  • /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
  • /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx auth_request directive

Sign out

To sign the user out, redirect them to /oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):

/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page

Alternatively, include the redirect URL in the X-Auth-Request-Redirect header:

GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page
...

(The "sign_out_page" should be the end_session_endpoint from the metadata if your OIDC provider supports Session Management and Discovery.)

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/docs/next/index.html b/docs/next/index.html index 480f1b8d..64666c94 100644 --- a/docs/next/index.html +++ b/docs/next/index.html @@ -6,7 +6,7 @@ Installation | OAuth2 Proxy - + @@ -20,7 +20,7 @@
Version: Next

Installation

  1. Choose how to deploy:

    a. Download Prebuilt Binary (current release is v7.1.3)

    b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOPATH/bin

    c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

    d. Using a Kubernetes manifest (Helm)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

$ sha256sum -c sha256sum.txt
oauth2-proxy-x.y.z.linux-amd64: OK
  1. Select a Provider and Register an OAuth Application with a Provider
  2. Configure OAuth2 Proxy using config file, command line options, or environment variables
  3. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Edit this page
Copyright © 2021 OAuth2 Proxy.
- + diff --git a/index.html b/index.html index 3431903f..6065dce0 100644 --- a/index.html +++ b/index.html @@ -6,7 +6,7 @@ Welcome to OAuth2 Proxy | OAuth2 Proxy - + @@ -20,7 +20,7 @@ to validate accounts by email, domain or group.

CHANGELOG.

Sign In Page

Architecture

OAuth2 Proxy Architecture

Copyright © 2021 OAuth2 Proxy.
- + diff --git a/runtime~main.574cb04d.js b/runtime~main.fb9fd5a8.js similarity index 96% rename from runtime~main.574cb04d.js rename to runtime~main.fb9fd5a8.js index f4a328d3..edee508a 100644 --- a/runtime~main.574cb04d.js +++ b/runtime~main.fb9fd5a8.js @@ -1 +1 @@ -!function(e){function c(c){for(var a,n,o=c[0],d=c[1],b=c[2],u=0,l=[];u