From f54eab3408d1208a7103ef2ad678ffa794bee5ab Mon Sep 17 00:00:00 2001
From: gh-actions <actions@gihub.com>
Date: Thu, 17 Feb 2022 17:11:48 +0000
Subject: [PATCH] Deploy website - based on
263a5df820d5716b7ffb07a4653a79ffd49546a7
---
0f425520.3155874e.js => 0f425520.6799b1da.js | 2 +-
404.html | 4 ++--
docs/6.1.x/behaviour/index.html | 4 ++--
docs/6.1.x/community/security/index.html | 4 ++--
docs/6.1.x/configuration/oauth_provider/index.html | 4 ++--
docs/6.1.x/configuration/overview/index.html | 4 ++--
docs/6.1.x/configuration/session_storage/index.html | 4 ++--
docs/6.1.x/configuration/tls/index.html | 4 ++--
docs/6.1.x/features/endpoints/index.html | 4 ++--
docs/6.1.x/features/request_signatures/index.html | 4 ++--
docs/6.1.x/index.html | 4 ++--
docs/7.0.x/behaviour/index.html | 4 ++--
docs/7.0.x/community/security/index.html | 4 ++--
docs/7.0.x/configuration/alpha-config/index.html | 4 ++--
docs/7.0.x/configuration/oauth_provider/index.html | 4 ++--
docs/7.0.x/configuration/overview/index.html | 4 ++--
docs/7.0.x/configuration/session_storage/index.html | 4 ++--
docs/7.0.x/configuration/tls/index.html | 4 ++--
docs/7.0.x/features/endpoints/index.html | 4 ++--
docs/7.0.x/features/request_signatures/index.html | 4 ++--
docs/7.0.x/index.html | 4 ++--
docs/7.1.x/behaviour/index.html | 4 ++--
docs/7.1.x/community/security/index.html | 4 ++--
docs/7.1.x/configuration/alpha-config/index.html | 4 ++--
docs/7.1.x/configuration/oauth_provider/index.html | 4 ++--
docs/7.1.x/configuration/overview/index.html | 4 ++--
docs/7.1.x/configuration/session_storage/index.html | 4 ++--
docs/7.1.x/configuration/tls/index.html | 4 ++--
docs/7.1.x/features/endpoints/index.html | 4 ++--
docs/7.1.x/index.html | 4 ++--
docs/behaviour/index.html | 4 ++--
docs/community/security/index.html | 4 ++--
docs/configuration/alpha-config/index.html | 4 ++--
docs/configuration/oauth_provider/index.html | 4 ++--
docs/configuration/overview/index.html | 4 ++--
docs/configuration/session_storage/index.html | 4 ++--
docs/configuration/tls/index.html | 4 ++--
docs/features/endpoints/index.html | 4 ++--
docs/index.html | 4 ++--
docs/next/behaviour/index.html | 4 ++--
docs/next/community/security/index.html | 4 ++--
docs/next/configuration/alpha-config/index.html | 4 ++--
docs/next/configuration/oauth_provider/index.html | 4 ++--
docs/next/configuration/overview/index.html | 10 +++++-----
docs/next/configuration/session_storage/index.html | 4 ++--
docs/next/configuration/tls/index.html | 4 ++--
docs/next/features/endpoints/index.html | 10 +++++-----
docs/next/index.html | 4 ++--
efc9be4b.54e8580a.js | 1 +
efc9be4b.e5ba1330.js | 1 -
index.html | 4 ++--
runtime~main.5e8ccbcc.js => runtime~main.97af83ee.js | 2 +-
52 files changed, 105 insertions(+), 105 deletions(-)
rename 0f425520.3155874e.js => 0f425520.6799b1da.js (68%)
create mode 100644 efc9be4b.54e8580a.js
delete mode 100644 efc9be4b.e5ba1330.js
rename runtime~main.5e8ccbcc.js => runtime~main.97af83ee.js (61%)
diff --git a/0f425520.3155874e.js b/0f425520.6799b1da.js
similarity index 68%
rename from 0f425520.3155874e.js
rename to 0f425520.6799b1da.js
index 5c6c930a..267492ab 100644
--- a/0f425520.3155874e.js
+++ b/0f425520.6799b1da.js
@@ -1 +1 @@
-(window.webpackJsonp=window.webpackJsonp||[]).push([[6],{116:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return j}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},s={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},O=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),O=n,j=p["".concat(l,".").concat(O)]||p[O]||s[O]||b;return a?r.a.createElement(j,i(i({ref:t},o),{},{components:a})):r.a.createElement(j,i({ref:t},o))}));function j(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=O;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}O.displayName="MDXCreateElement"},117:function(e,t,a){"use strict";function n(e){var t,a,r="";if("string"==typeof e||"number"==typeof e)r+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(a=n(e[t]))&&(r&&(r+=" "),r+=a);else for(t in e)e[t]&&(r&&(r+=" "),r+=t);return r}t.a=function(){for(var e,t,a=0,r="";a<arguments.length;)(e=arguments[a++])&&(t=n(e))&&(r&&(r+=" "),r+=t);return r}},120:function(e,t,a){"use strict";var n=a(0),r=a(121);t.a=function(){var e=Object(n.useContext)(r.a);if(null==e)throw new Error("`useUserPreferencesContext` is used outside of `Layout` Component.");return e}},121:function(e,t,a){"use strict";var n=a(0),r=Object(n.createContext)(void 0);t.a=r},124:function(e,t,a){"use strict";var n=a(0),r=a.n(n),b=a(120),l=a(117),i=a(47),c=a.n(i),o=37,d=39;t.a=function(e){var t=e.block,a=e.children,i=e.defaultValue,p=e.values,s=e.groupId,O=e.className,j=Object(b.a)(),m=j.tabGroupChoices,u=j.setTabGroupChoices,g=Object(n.useState)(i),N=g[0],h=g[1],f=Object(n.useState)(!1),y=f[0],C=f[1];if(null!=s){var v=m[s];null!=v&&v!==N&&p.some((function(e){return e.value===v}))&&h(v)}var w=function(e){h(e),null!=s&&u(s,e)},k=[],_=function(e){e.metaKey||e.altKey||e.ctrlKey||C(!0)},x=function(){C(!1)};return Object(n.useEffect)((function(){return window.addEventListener("keydown",_),window.addEventListener("mousedown",x),function(){window.removeEventListener("keydown",_),window.removeEventListener("mousedown",x)}}),[]),r.a.createElement("div",null,r.a.createElement("ul",{role:"tablist","aria-orientation":"horizontal",className:Object(l.a)("tabs",{"tabs--block":t},O)},p.map((function(e){var t=e.value,a=e.label;return r.a.createElement("li",{role:"tab",tabIndex:0,"aria-selected":N===t,className:Object(l.a)("tabs__item",c.a.tabItem,{"tabs__item--active":N===t}),style:y?{}:{outline:"none"},key:t,ref:function(e){return k.push(e)},onKeyDown:function(e){!function(e,t,a){switch(a.keyCode){case d:!function(e,t){var a=e.indexOf(t)+1;e[a]?e[a].focus():e[0].focus()}(e,t);break;case o:!function(e,t){var a=e.indexOf(t)-1;e[a]?e[a].focus():e[e.length-1].focus()}(e,t)}}(k,e.target,e),_(e)},onFocus:function(){return w(t)},onClick:function(){w(t),C(!1)},onPointerDown:function(){return C(!1)}},a)}))),r.a.createElement("div",{role:"tabpanel",className:"margin-vert--md"},n.Children.toArray(a).filter((function(e){return e.props.value===N}))[0]))}},125:function(e,t,a){"use strict";var n=a(0),r=a.n(n);t.a=function(e){return r.a.createElement("div",null,e.children)}},61:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return c})),a.d(t,"metadata",(function(){return o})),a.d(t,"rightToc",(function(){return d})),a.d(t,"default",(function(){return s}));var n=a(2),r=a(6),b=(a(0),a(116)),l=a(124),i=a(125),c={id:"overview",title:"Overview"},o={unversionedId:"configuration/overview",id:"configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).",source:"@site/docs/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",version:"current",sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},d=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[]},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[]}]}],p={rightToc:d};function s(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},p,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file")," (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use one of the below commands:"),Object(b.b)(l.a,{defaultValue:"python",values:[{label:"Python",value:"python"},{label:"Bash",value:"bash"},{label:"OpenSSL",value:"openssl"},{label:"PowerShell",value:"powershell"},{label:"Terraform",value:"terraform"}],mdxType:"Tabs"},Object(b.b)(i.a,{value:"python",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'\n"))),Object(b.b)(i.a,{value:"bash",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64\n"))),Object(b.b)(i.a,{value:"openssl",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"openssl rand -base64 32 | tr -- '+/' '-_'\n"))),Object(b.b)(i.a,{value:"powershell",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),'# Add System.Web assembly to session, just in case\nAdd-Type -AssemblyName System.Web\n[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")\n'))),Object(b.b)(i.a,{value:"terraform",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),'# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret\nresource "random_password" "cookie_secret" {\n length = 32\n override_special = "-_"\n}\n')))),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-sign-in-logo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'path or a URL to an custom image for the sign_in page logo. Use \\"-\\" to disable default logo.'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-json-errors")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"force JSON errors instead of HTTP error pages or redirects"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-user-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the groups to be set on sessions for htpasswd users"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-nonce")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip verifying the OIDC ID Token's nonce claim"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-audience-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the audience"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"aud"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-extra-audience")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additional audiences which are allowed to pass verification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"[]"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--metrics-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the address prometheus metrics will be scraped from"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Request header to use as the request ID in logging"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Request-Id")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/next/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--show-debug-on-error")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-min-version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"minimum TLS version that is acceptable, either ",Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.2"')," or ",Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.3"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-role")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestID"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"00010203-0405-4607-8809-0a0b0c0d0e0f"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request ID pulled from the ",Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestID"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"00010203-0405-4607-8809-0a0b0c0d0e0f"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request ID pulled from the ",Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n listen 443 ssl;\n server_name ...;\n include ssl/ssl.conf;\n\n location /oauth2/ {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_set_header X-Auth-Request-Redirect $request_uri;\n # or, if you are handling multiple domains:\n # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n }\n location = /oauth2/auth {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n # nginx auth_request includes headers but not body\n proxy_set_header Content-Length "";\n proxy_pass_request_body off;\n }\n\n location / {\n auth_request /oauth2/auth;\n error_page 401 = /oauth2/sign_in;\n\n # pass information via X-User and X-Email headers to backend,\n # requires running with --set-xauthrequest flag\n auth_request_set $user $upstream_http_x_auth_request_user;\n auth_request_set $email $upstream_http_x_auth_request_email;\n proxy_set_header X-User $user;\n proxy_set_header X-Email $email;\n\n # if you enabled --pass-access-token, this will pass the token to the backend\n auth_request_set $token $upstream_http_x_auth_request_access_token;\n proxy_set_header X-Access-Token $token;\n\n # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n auth_request_set $auth_cookie $upstream_http_set_cookie;\n add_header Set-Cookie $auth_cookie;\n\n # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n # limit and so the OAuth2 Proxy splits these into multiple parts.\n # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n # Extract the Cookie attributes from the first Set-Cookie header and append them\n # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n if ($auth_cookie ~* "(; .*)") {\n set $auth_cookie_name_0 $auth_cookie;\n set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n }\n\n # Send both Set-Cookie headers now if there was a second part\n if ($auth_cookie_name_upstream_1) {\n add_header Set-Cookie $auth_cookie_name_0;\n add_header Set-Cookie $auth_cookie_name_1;\n }\n\n proxy_pass http://backend/;\n # or "root /path/to/site;" or "fastcgi_pass ..." etc\n }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n access_by_lua_block {\n if ngx.var.name_upstream_1 ~= "" then\n ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n end\n }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n routers:\n a-service:\n rule: "Host(`a-service.example.com`)"\n service: a-service-backend\n middlewares:\n - oauth-errors\n - oauth-auth\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth:\n rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n oauth-errors:\n errors:\n status:\n - "401-403"\n service: oauth-backend\n query: "/oauth2/sign_in"\n')),Object(b.b)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),Object(b.b)("p",null,"Redirect to sign_in functionality provided without the use of ",Object(b.b)("inlineCode",{parentName:"p"},"errors")," middleware with ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",Object(b.b)("inlineCode",{parentName:"p"},"/")," endpoint"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"Following options need to be set on ",Object(b.b)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--reverse-proxy=true"),": Enables the use of ",Object(b.b)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n routers:\n a-service-route-1:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n a-service-route-2:\n rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-wo-redirect # unauthenticated session will return a 401\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n services-oauth2-route:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth2-proxy-route:\n rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n b-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.3:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth-redirect:\n forwardAuth:\n address: https://oauth.example.com/\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n oauth-auth-wo-redirect:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}s.isMDXComponent=!0}}]);
\ No newline at end of file
+(window.webpackJsonp=window.webpackJsonp||[]).push([[6],{116:function(e,t,a){"use strict";a.d(t,"a",(function(){return p})),a.d(t,"b",(function(){return j}));var n=a(0),r=a.n(n);function b(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function l(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function i(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?l(Object(a),!0).forEach((function(t){b(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):l(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function c(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},b=Object.keys(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var b=Object.getOwnPropertySymbols(e);for(n=0;n<b.length;n++)a=b[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var o=r.a.createContext({}),d=function(e){var t=r.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},p=function(e){var t=d(e.components);return r.a.createElement(o.Provider,{value:t},e.children)},s={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},O=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,b=e.originalType,l=e.parentName,o=c(e,["components","mdxType","originalType","parentName"]),p=d(a),O=n,j=p["".concat(l,".").concat(O)]||p[O]||s[O]||b;return a?r.a.createElement(j,i(i({ref:t},o),{},{components:a})):r.a.createElement(j,i({ref:t},o))}));function j(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var b=a.length,l=new Array(b);l[0]=O;var i={};for(var c in t)hasOwnProperty.call(t,c)&&(i[c]=t[c]);i.originalType=e,i.mdxType="string"==typeof e?e:n,l[1]=i;for(var o=2;o<b;o++)l[o]=a[o];return r.a.createElement.apply(null,l)}return r.a.createElement.apply(null,a)}O.displayName="MDXCreateElement"},117:function(e,t,a){"use strict";function n(e){var t,a,r="";if("string"==typeof e||"number"==typeof e)r+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(a=n(e[t]))&&(r&&(r+=" "),r+=a);else for(t in e)e[t]&&(r&&(r+=" "),r+=t);return r}t.a=function(){for(var e,t,a=0,r="";a<arguments.length;)(e=arguments[a++])&&(t=n(e))&&(r&&(r+=" "),r+=t);return r}},120:function(e,t,a){"use strict";var n=a(0),r=a(121);t.a=function(){var e=Object(n.useContext)(r.a);if(null==e)throw new Error("`useUserPreferencesContext` is used outside of `Layout` Component.");return e}},121:function(e,t,a){"use strict";var n=a(0),r=Object(n.createContext)(void 0);t.a=r},124:function(e,t,a){"use strict";var n=a(0),r=a.n(n),b=a(120),l=a(117),i=a(47),c=a.n(i),o=37,d=39;t.a=function(e){var t=e.block,a=e.children,i=e.defaultValue,p=e.values,s=e.groupId,O=e.className,j=Object(b.a)(),m=j.tabGroupChoices,u=j.setTabGroupChoices,g=Object(n.useState)(i),N=g[0],h=g[1],f=Object(n.useState)(!1),y=f[0],C=f[1];if(null!=s){var v=m[s];null!=v&&v!==N&&p.some((function(e){return e.value===v}))&&h(v)}var w=function(e){h(e),null!=s&&u(s,e)},k=[],_=function(e){e.metaKey||e.altKey||e.ctrlKey||C(!0)},x=function(){C(!1)};return Object(n.useEffect)((function(){return window.addEventListener("keydown",_),window.addEventListener("mousedown",x),function(){window.removeEventListener("keydown",_),window.removeEventListener("mousedown",x)}}),[]),r.a.createElement("div",null,r.a.createElement("ul",{role:"tablist","aria-orientation":"horizontal",className:Object(l.a)("tabs",{"tabs--block":t},O)},p.map((function(e){var t=e.value,a=e.label;return r.a.createElement("li",{role:"tab",tabIndex:0,"aria-selected":N===t,className:Object(l.a)("tabs__item",c.a.tabItem,{"tabs__item--active":N===t}),style:y?{}:{outline:"none"},key:t,ref:function(e){return k.push(e)},onKeyDown:function(e){!function(e,t,a){switch(a.keyCode){case d:!function(e,t){var a=e.indexOf(t)+1;e[a]?e[a].focus():e[0].focus()}(e,t);break;case o:!function(e,t){var a=e.indexOf(t)-1;e[a]?e[a].focus():e[e.length-1].focus()}(e,t)}}(k,e.target,e),_(e)},onFocus:function(){return w(t)},onClick:function(){w(t),C(!1)},onPointerDown:function(){return C(!1)}},a)}))),r.a.createElement("div",{role:"tabpanel",className:"margin-vert--md"},n.Children.toArray(a).filter((function(e){return e.props.value===N}))[0]))}},125:function(e,t,a){"use strict";var n=a(0),r=a.n(n);t.a=function(e){return r.a.createElement("div",null,e.children)}},61:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return c})),a.d(t,"metadata",(function(){return o})),a.d(t,"rightToc",(function(){return d})),a.d(t,"default",(function(){return s}));var n=a(2),r=a(6),b=(a(0),a(116)),l=a(124),i=a(125),c={id:"overview",title:"Overview"},o={unversionedId:"configuration/overview",id:"configuration/overview",isDocsHomePage:!1,title:"Overview",description:"oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).",source:"@site/docs/configuration/overview.md",slug:"/configuration/overview",permalink:"/oauth2-proxy/docs/next/configuration/overview",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md",version:"current",sidebar:"docs",previous:{title:"Behaviour",permalink:"/oauth2-proxy/docs/next/behaviour"},next:{title:"OAuth Provider Configuration",permalink:"/oauth2-proxy/docs/next/configuration/oauth_provider"}},d=[{value:"Generating a Cookie Secret",id:"generating-a-cookie-secret",children:[]},{value:"Config File",id:"config-file",children:[]},{value:"Command Line Options",id:"command-line-options",children:[]},{value:"Upstreams Configuration",id:"upstreams-configuration",children:[]},{value:"Environment variables",id:"environment-variables",children:[]},{value:"Logging Configuration",id:"logging-configuration",children:[{value:"Auth Log Format",id:"auth-log-format",children:[]},{value:"Request Log Format",id:"request-log-format",children:[]},{value:"Standard Log Format",id:"standard-log-format",children:[]}]},{value:"Configuring for use with the Nginx <code>auth_request</code> directive",id:"configuring-for-use-with-the-nginx-auth_request-directive",children:[]},{value:"Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware",id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware",children:[{value:"ForwardAuth with 401 errors middleware",id:"forwardauth-with-401-errors-middleware",children:[]},{value:"ForwardAuth with static upstreams configuration",id:"forwardauth-with-static-upstreams-configuration",children:[]}]}],p={rightToc:d};function s(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(b.b)("wrapper",Object(n.a)({},p,a,{components:t,mdxType:"MDXLayout"}),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," can be configured via ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#command-line-options"}),"command line options"),", ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#environment-variables"}),"environment variables")," or ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file")," (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."),Object(b.b)("h3",{id:"generating-a-cookie-secret"},"Generating a Cookie Secret"),Object(b.b)("p",null,"To generate a strong cookie secret use one of the below commands:"),Object(b.b)(l.a,{defaultValue:"python",values:[{label:"Python",value:"python"},{label:"Bash",value:"bash"},{label:"OpenSSL",value:"openssl"},{label:"PowerShell",value:"powershell"},{label:"Terraform",value:"terraform"}],mdxType:"Tabs"},Object(b.b)(i.a,{value:"python",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'\n"))),Object(b.b)(i.a,{value:"bash",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64\n"))),Object(b.b)(i.a,{value:"openssl",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),"openssl rand -base64 32 | tr -- '+/' '-_'\n"))),Object(b.b)(i.a,{value:"powershell",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),'# Add System.Web assembly to session, just in case\nAdd-Type -AssemblyName System.Web\n[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")\n'))),Object(b.b)(i.a,{value:"terraform",mdxType:"TabItem"},Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-shell"}),'# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret\nresource "random_password" "cookie_secret" {\n length = 32\n override_special = "-_"\n}\n')))),Object(b.b)("h3",{id:"config-file"},"Config File"),Object(b.b)("p",null,"Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (","_","). If the argument can be specified multiple times, the config option should be plural (trailing s)."),Object(b.b)("p",null,"An example ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example"}),"oauth2-proxy.cfg")," config file is in the contrib directory. It can be used by specifying ",Object(b.b)("inlineCode",{parentName:"p"},"--config=/etc/oauth2-proxy.cfg")),Object(b.b)("h3",{id:"command-line-options"},"Command Line Options"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Option"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Type"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Default"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--acr-values")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"optional, see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues"}),"docs")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--approval-prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth approval_prompt"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"force"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log authentication attempts"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--auth-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for authentication log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--authenticated-emails-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate against emails via file (one per line)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--azure-tenant")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"go to a tenant-specific or common (tenant-independent) endpoint."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"common"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--basic-auth-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the password to set when passing the HTTP Basic Auth header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-id")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client ID, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"123456.apps.googleusercontent.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--client-secret-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the file with OAuth Client Secret"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--config")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to config file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Optional cookie domains to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".yourcompany.com"),"). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-expire")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"expire timeframe for cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"168h0m0s")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-httponly")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HttpOnly cookie flag"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the name of the cookie that the oauth_proxy creates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"_oauth2_proxy"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"an optional cookie path to force cookies to (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"/poc/"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-refresh")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"refresh the cookie after this duration; ",Object(b.b)("inlineCode",{parentName:"td"},"0")," to disable; not supported by all providers","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote1"}),"1"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secret")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the seed string for secure cookies (optionally base64 encoded)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-secure")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://owasp.org/www-community/controls/SecureFlag"}),"secure (HTTPS only) cookie flag")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--cookie-samesite")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set SameSite cookie attribute (",Object(b.b)("inlineCode",{parentName:"td"},'"lax"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"strict"'),", ",Object(b.b)("inlineCode",{parentName:"td"},'"none"'),", or ",Object(b.b)("inlineCode",{parentName:"td"},'""'),")."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-templates-dir")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to custom html templates"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--custom-sign-in-logo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'path or a URL to an custom image for the sign_in page logo. Use \\"-\\" to disable default logo.'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--display-htpasswd-form")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"display username / password login form if an htpasswd file is provided"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--email-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"authenticate emails with the specified domain (may be given multiple times). Use ",Object(b.b)("inlineCode",{parentName:"td"},"*")," to authenticate any email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--errors-to-info-log")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"redirects error-level logging to default log channel instead of stderr"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--extra-jwt-issuers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"if ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")," is set, a list of extra JWT ",Object(b.b)("inlineCode",{parentName:"td"},"issuer=audience")," (see a token's ",Object(b.b)("inlineCode",{parentName:"td"},"iss"),", ",Object(b.b)("inlineCode",{parentName:"td"},"aud")," fields) pairs (where the issuer URL has a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/openid-configuration")," or a ",Object(b.b)("inlineCode",{parentName:"td"},".well-known/jwks.json"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--exclude-logging-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"comma separated list of paths to exclude from logging, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"/ping,/path2"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (no paths excluded)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--flush-interval")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"duration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"period between flushing response buffers when streaming responses"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"1s"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-https")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enforce https redirect"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--force-json-errors")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"force JSON errors instead of HTTP error pages or redirects"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"false"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--banner")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) banner string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default banner."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--footer")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"custom (html) footer string. Use ",Object(b.b)("inlineCode",{parentName:"td"},'"-"')," to disable default footer."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-org")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this organisation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-team")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these teams (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to collaborators of this repository formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the token to use when verifying repository collaborators (must have push access to the repository)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--github-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"To allow users to login by username even if they do not belong to the specified org and team or collaborators"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these groups (slug), separated by a comma"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--gitlab-projects")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of any of these projects (may be given multiple times) formatted as ",Object(b.b)("inlineCode",{parentName:"td"},"orgname/repo=accesslevel"),". Access level should be a value matching ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://docs.gitlab.com/ee/api/members.html#valid-access-levels"}),"Gitlab access levels"),", defaulted to 20 if absent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-admin-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the google admin to impersonate for api calls"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this google group (may be given multiple times)."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--google-service-account-json")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the path to the service account json credentials"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additionally authenticate against a htpasswd file. Entries must be created with ",Object(b.b)("inlineCode",{parentName:"td"},"htpasswd -B")," for bcrypt encryption"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--htpasswd-user-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the groups to be set on sessions for htpasswd users"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--http-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"[http://]<addr>:<port>")," or ",Object(b.b)("inlineCode",{parentName:"td"},"unix://<path>")," to listen on for HTTP clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"127.0.0.1:4180"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--https-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"<addr>:<port>")," to listen on for HTTPS clients"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'":443"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-compress")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Should rotated log files be compressed using gzip"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-filename")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File to log requests to, empty for ",Object(b.b)("inlineCode",{parentName:"td"},"stdout")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (stdout)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-local-time")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Use local time in log files and backup filenames instead of UTC"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true (local time)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-age")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of days to retain old log files"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"7")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-backups")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum number of old log files to retain; 0 to disable"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--logging-max-size")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"int"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Maximum size in megabytes of the log file before rotation"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"100")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"private key in PEM format used to sign JWT, so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},'--jwt-key="${OAUTH2_PROXY_JWT_KEY}"'),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to the private key file in PEM format used to sign the JWT so that you can say something like ",Object(b.b)("inlineCode",{parentName:"td"},"--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem"),": required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--login-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authentication endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-allow-unverified-email")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"don't fail if an email address in an id_token is not verified"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-issuer-verification")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--insecure-oidc-skip-nonce")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip verifying the OIDC ID Token's nonce claim"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-issuer-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OpenID Connect issuer URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://accounts.google.com"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OIDC JWKS URI for token verification; required if OIDC discovery is disabled"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-email-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user's email"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"email"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-groups-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the user groups"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"groups"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-audience-claim")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"which OIDC claim contains the audience"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"aud"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--oidc-extra-audience")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"additional audiences which are allowed to pass verification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"[]"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")," this adds the X-Auth-Request-Access-Token header to the response"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass OIDC IDToken to upstream via Authorization Bearer header"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prefer-email-to-user")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-basic-auth")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-host-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass the request Host Header to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pass-user-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--profile-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Profile access endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--prompt")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"}),"OIDC prompt"),"; if present, ",Object(b.b)("inlineCode",{parentName:"td"},"approval-prompt")," is ignored"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth provider"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"google")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-ca-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--provider-display-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Override the provider's name with the given string; used for the sign-in page"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(depends on provider)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-path")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the ping endpoint that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/ping"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ping-user-agent")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"a User-Agent that can be used for basic health checks"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""')," (don't check user agent)")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--metrics-address")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the address prometheus metrics will be scraped from"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'""'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-prefix")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the url root path that this proxy should be nested under (e.g. /",Object(b.b)("inlineCode",{parentName:"td"},"<oauth2>/sign_in"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"/oauth2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--proxy-websockets")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"enables WebSocket proxying"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--pubjwk-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"JWK pubkey access endpoint: required by login.gov"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Header used to determine the real IP of the client, requires ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Real-IP")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Token redemption endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redirect-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the OAuth Redirect URL, e.g. ",Object(b.b)("inlineCode",{parentName:"td"},'"https://internalapp.yourcompany.com/oauth2/callback"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis cluster connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"URL of redis server for redis session storage (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis password. Applicable for all Redis configurations. Will override any password set in ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-connection-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-password")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Redis sentinel master name. Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"List of Redis sentinel connection URLs (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},"redis://HOST[:PORT]"),"). Used in conjunction with ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-cluster")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis cluster. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-cluster-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--redis-use-sentinel")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Connect to redis via sentinels. Must set ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-master-name")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--redis-sentinel-connection-urls")," to use this feature"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Request header to use as the request ID in logging"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"X-Request-Id")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--request-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for request log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--resource")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The resource that is protected (Azure AD only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--scope")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"OAuth scope specification"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-cookie-minimal")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--session-store-type")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"/oauth2-proxy/docs/next/configuration/session_storage"}),"Session data storage backend"),"; redis or cookie"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"cookie")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-xauthrequest")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with ",Object(b.b)("inlineCode",{parentName:"td"},"--pass-access-token"),", X-Auth-Request-Access-Token is added to response headers."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-authorization-header")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set Authorization Bearer response header (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--set-basic-auth")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"set HTTP Basic Auth information in response (useful in Nginx auth_request mode)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--show-debug-on-error")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--signature-key")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GAP-Signature request signature key (algorithm:secretkey)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--silence-ping-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"disable logging of requests to ping endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-preflight")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip authentication for OPTIONS requests"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-regex")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"(DEPRECATED for ",Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route"),") bypass authentication for requests paths that match (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-route")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-auth-strip-headers")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"strips ",Object(b.b)("inlineCode",{parentName:"td"},"X-Forwarded-*")," style authentication headers & ",Object(b.b)("inlineCode",{parentName:"td"},"Authorization")," header if they would be set by oauth2-proxy"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-jwt-bearer-tokens")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip requests that have verified JWT bearer tokens (the token must have ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields"}),Object(b.b)("inlineCode",{parentName:"a"},"aud"))," that matches this client id or one of the extras from ",Object(b.b)("inlineCode",{parentName:"td"},"extra-jwt-issuers"),")"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-oidc-discovery")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bypass OIDC endpoint discovery. ",Object(b.b)("inlineCode",{parentName:"td"},"--login-url"),", ",Object(b.b)("inlineCode",{parentName:"td"},"--redeem-url")," and ",Object(b.b)("inlineCode",{parentName:"td"},"--oidc-jwks-url")," must be configured in this case"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--skip-provider-button")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"will skip sign-in-page to directly reach the next step: oauth/start"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS providers"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--ssl-upstream-insecure-skip-verify")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"skip validation of certificates presented when using HTTPS upstreams"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"false")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"bool"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Log standard runtime information"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"true")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--standard-logging-format")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Template for standard log lines"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"see ",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#logging-configuration"}),"Logging Configuration"))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-cert-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to certificate file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-key-file")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"path to private key file"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--tls-min-version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"minimum TLS version that is acceptable, either ",Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.2"')," or ",Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.3"')),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},'"TLS1.2"'))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--upstream")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"the http url(s) of the upstream endpoint, file:// paths for static files or ",Object(b.b)("inlineCode",{parentName:"td"},"static://<status_code>")," for static response. Routing is based on the path"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-group")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to members of this group (may be given multiple times)"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--allowed-role")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--validate-url")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Access token validation endpoint"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--version")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"n/a"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"print version string"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--whitelist-domain")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"allowed domains for redirection after authentication. Prefix domain with a ",Object(b.b)("inlineCode",{parentName:"td"},".")," or a ",Object(b.b)("inlineCode",{parentName:"td"},"*.")," to allow subdomains (e.g. ",Object(b.b)("inlineCode",{parentName:"td"},".example.com"),", ",Object(b.b)("inlineCode",{parentName:"td"},"*.example.com"),")","\xa0","[",Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"#footnote2"}),"2"),"]"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("inlineCode",{parentName:"td"},"--trusted-ip")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"string ","|"," list"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with ",Object(b.b)("inlineCode",{parentName:"td"},"--reverse-proxy")," and optionally ",Object(b.b)("inlineCode",{parentName:"td"},"--real-client-ip-header")," this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them."),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}))))),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote1"},"1"),"]",": Only these providers support ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-refresh"),": GitLab, Google and OIDC"),Object(b.b)("p",null,"[",Object(b.b)("a",{name:"footnote2"},"2"),"]",": When using the ",Object(b.b)("inlineCode",{parentName:"p"},"whitelist-domain")," option, any domain prefixed with a ",Object(b.b)("inlineCode",{parentName:"p"},".")," or a ",Object(b.b)("inlineCode",{parentName:"p"},"*.")," will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:8080"),". To allow any port, use ",Object(b.b)("inlineCode",{parentName:"p"},"*"),": ",Object(b.b)("inlineCode",{parentName:"p"},"example.com:*"),"."),Object(b.b)("p",null,"See below for provider specific options"),Object(b.b)("h3",{id:"upstreams-configuration"},"Upstreams Configuration"),Object(b.b)("p",null,Object(b.b)("inlineCode",{parentName:"p"},"oauth2-proxy")," supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/")," for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide ",Object(b.b)("inlineCode",{parentName:"p"},"http://127.0.0.1:8080/some/path/")," then it will only be requests that start with ",Object(b.b)("inlineCode",{parentName:"p"},"/some/path/")," which are forwarded to the upstream."),Object(b.b)("p",null,"Static file paths are configured as a file:// URL. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/")," will serve the files from that directory at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/var/www/static/"),", which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. ",Object(b.b)("inlineCode",{parentName:"p"},"file:///var/www/static/#/static/")," will make ",Object(b.b)("inlineCode",{parentName:"p"},"/var/www/static/")," available at ",Object(b.b)("inlineCode",{parentName:"p"},"http://[oauth2-proxy url]/static/"),"."),Object(b.b)("p",null,"Multiple upstreams can either be configured by supplying a comma separated list to the ",Object(b.b)("inlineCode",{parentName:"p"},"--upstream")," parameter, supplying the parameter multiple times or providing a list in the ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"#config-file"}),"config file"),". When multiple upstreams are used routing to them will be based on the path they are set up with."),Object(b.b)("h3",{id:"environment-variables"},"Environment variables"),Object(b.b)("p",null,"Every command line argument can be specified as an environment variable by\nprefixing it with ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_"),", capitalising it, and replacing hyphens (",Object(b.b)("inlineCode",{parentName:"p"},"-"),")\nwith underscores (",Object(b.b)("inlineCode",{parentName:"p"},"_"),"). If the argument can be specified multiple times, the\nenvironment variable should be plural (trailing ",Object(b.b)("inlineCode",{parentName:"p"},"S"),")."),Object(b.b)("p",null,"This is particularly useful for storing secrets outside of a configuration file\nor the command line."),Object(b.b)("p",null,"For example, the ",Object(b.b)("inlineCode",{parentName:"p"},"--cookie-secret")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_COOKIE_SECRET"),",\nand the ",Object(b.b)("inlineCode",{parentName:"p"},"--email-domain")," flag becomes ",Object(b.b)("inlineCode",{parentName:"p"},"OAUTH2_PROXY_EMAIL_DOMAINS"),"."),Object(b.b)("h2",{id:"logging-configuration"},"Logging Configuration"),Object(b.b)("p",null,"By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the ",Object(b.b)("inlineCode",{parentName:"p"},"--logging-filename")," command."),Object(b.b)("p",null,"If logging to a file you can also configure the maximum file size (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-size"),"), age (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-age"),"), max backup logs (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-max-backups"),"), and if backup logs should be compressed (",Object(b.b)("inlineCode",{parentName:"p"},"--logging-compress"),")."),Object(b.b)("p",null,"There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging"),", ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging"),", and ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging"),"."),Object(b.b)("p",null,"Each type of logging has its own configurable format and variables. By default these formats are similar to the Apache Combined Log."),Object(b.b)("p",null,"Logging of requests to the ",Object(b.b)("inlineCode",{parentName:"p"},"/ping")," endpoint (or using ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-user-agent"),") can be disabled with ",Object(b.b)("inlineCode",{parentName:"p"},"--silence-ping-logging")," reducing log volume. This flag appends the ",Object(b.b)("inlineCode",{parentName:"p"},"--ping-path")," to ",Object(b.b)("inlineCode",{parentName:"p"},"--exclude-logging-paths"),"."),Object(b.b)("h3",{id:"auth-log-format"},"Auth Log Format"),Object(b.b)("p",null,"Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] [<STATUS>] <MESSAGE>\n")),Object(b.b)("p",null,"The status block will contain one of the below strings:"),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthSuccess")," If a user has authenticated successfully by any method"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthFailure")," If the user failed to authenticate explicitly"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"AuthError")," If there was an unexpected error during authentication")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--auth-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for auth logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Authenticated via OAuth2"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the auth attempt.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestID"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"00010203-0405-4607-8809-0a0b0c0d0e0f"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request ID pulled from the ",Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Status"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"AuthSuccess"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The status of the auth request. See above for details.")))),Object(b.b)("h3",{id:"request-log-format"},"Request Log Format"),Object(b.b)("p",null,"HTTP request logs will output by default in the below format:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),'<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>\n')),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--request-logging-format")," flag.\nThe default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\n")),Object(b.b)("p",null,"Available variables for request logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Client"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"74.125.224.72"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Host"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"domain.com"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The value of the Host header.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Protocol"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP/1.0"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request protocol.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestDuration"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"0.001"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The time in seconds that a request took to process.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestID"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"00010203-0405-4607-8809-0a0b0c0d0e0f"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request ID pulled from the ",Object(b.b)("inlineCode",{parentName:"td"},"--request-id-header"),". Random UUID if empty")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestMethod"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"GET"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The request method.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"RequestURI"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),'"/oauth2/auth"'),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The URI path of the request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"ResponseSize"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"12"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The size in bytes of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"StatusCode"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"200"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The HTTP status code of the response.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Upstream"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The upstream data of the HTTP request.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"UserAgent"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"-"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The full user agent as reported by the requesting client.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Username"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),Object(b.b)("a",Object(n.a)({parentName:"td"},{href:"mailto:username@email.com"}),"username@email.com")),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The email or username of the auth request.")))),Object(b.b)("h3",{id:"standard-log-format"},"Standard Log Format"),Object(b.b)("p",null,"All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[19/Mar/2015:17:20:19 -0400] [main.go:40] <MESSAGE>\n")),Object(b.b)("p",null,"If you require a different format than that, you can configure it with the ",Object(b.b)("inlineCode",{parentName:"p"},"--standard-logging-format")," flag. The default format is configured as follows:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{}),"[{{.Timestamp}}] [{{.File}}] {{.Message}}\n")),Object(b.b)("p",null,"Available variables for standard logging:"),Object(b.b)("table",null,Object(b.b)("thead",{parentName:"table"},Object(b.b)("tr",{parentName:"thead"},Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Variable"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Example"),Object(b.b)("th",Object(n.a)({parentName:"tr"},{align:null}),"Description"))),Object(b.b)("tbody",{parentName:"table"},Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Timestamp"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"19/Mar/2015:17:20:19 -0400"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The date and time of the logging event.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"File"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"main.go:40"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The file and line number of the logging statement.")),Object(b.b)("tr",{parentName:"tbody"},Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"Message"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"HTTP: listening on 127.0.0.1:4180"),Object(b.b)("td",Object(n.a)({parentName:"tr"},{align:null}),"The details of the log statement.")))),Object(b.b)("h2",{id:"configuring-for-use-with-the-nginx-auth_request-directive"},"Configuring for use with the Nginx ",Object(b.b)("inlineCode",{parentName:"h2"},"auth_request")," directive"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"}),"Nginx ",Object(b.b)("inlineCode",{parentName:"a"},"auth_request")," directive")," allows Nginx to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/auth")," endpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-nginx"}),'server {\n listen 443 ssl;\n server_name ...;\n include ssl/ssl.conf;\n\n location /oauth2/ {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n proxy_set_header X-Auth-Request-Redirect $request_uri;\n # or, if you are handling multiple domains:\n # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;\n }\n location = /oauth2/auth {\n proxy_pass http://127.0.0.1:4180;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Scheme $scheme;\n # nginx auth_request includes headers but not body\n proxy_set_header Content-Length "";\n proxy_pass_request_body off;\n }\n\n location / {\n auth_request /oauth2/auth;\n error_page 401 = /oauth2/sign_in;\n\n # pass information via X-User and X-Email headers to backend,\n # requires running with --set-xauthrequest flag\n auth_request_set $user $upstream_http_x_auth_request_user;\n auth_request_set $email $upstream_http_x_auth_request_email;\n proxy_set_header X-User $user;\n proxy_set_header X-Email $email;\n\n # if you enabled --pass-access-token, this will pass the token to the backend\n auth_request_set $token $upstream_http_x_auth_request_access_token;\n proxy_set_header X-Access-Token $token;\n\n # if you enabled --cookie-refresh, this is needed for it to work with auth_request\n auth_request_set $auth_cookie $upstream_http_set_cookie;\n add_header Set-Cookie $auth_cookie;\n\n # When using the --set-authorization-header flag, some provider\'s cookies can exceed the 4kb\n # limit and so the OAuth2 Proxy splits these into multiple parts.\n # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,\n # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.\n auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;\n\n # Extract the Cookie attributes from the first Set-Cookie header and append them\n # to the second part ($upstream_cookie_* variables only contain the raw cookie content)\n if ($auth_cookie ~* "(; .*)") {\n set $auth_cookie_name_0 $auth_cookie;\n set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";\n }\n\n # Send both Set-Cookie headers now if there was a second part\n if ($auth_cookie_name_upstream_1) {\n add_header Set-Cookie $auth_cookie_name_0;\n add_header Set-Cookie $auth_cookie_name_1;\n }\n\n proxy_pass http://backend/;\n # or "root /path/to/site;" or "fastcgi_pass ..." etc\n }\n}\n')),Object(b.b)("p",null,"When you use ingress-nginx in Kubernetes, you MUST use ",Object(b.b)("inlineCode",{parentName:"p"},"kubernetes/ingress-nginx")," (which includes the Lua module) and the following configuration snippet for your ",Object(b.b)("inlineCode",{parentName:"p"},"Ingress"),".\nVariables set with ",Object(b.b)("inlineCode",{parentName:"p"},"auth_request_set")," are not ",Object(b.b)("inlineCode",{parentName:"p"},"set"),"-able in plain nginx config when the location is processed via ",Object(b.b)("inlineCode",{parentName:"p"},"proxy_pass")," and then may only be processed by Lua.\nNote that ",Object(b.b)("inlineCode",{parentName:"p"},"nginxinc/kubernetes-ingress")," does not include the Lua module."),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'nginx.ingress.kubernetes.io/auth-response-headers: Authorization\nnginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri\nnginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth\nnginx.ingress.kubernetes.io/configuration-snippet: |\n auth_request_set $name_upstream_1 $upstream_cookie_name_1;\n\n access_by_lua_block {\n if ngx.var.name_upstream_1 ~= "" then\n ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")\n end\n }\n')),Object(b.b)("p",null,"It is recommended to use ",Object(b.b)("inlineCode",{parentName:"p"},"--session-store-type=redis")," when expecting large sessions/OIDC tokens (",Object(b.b)("em",{parentName:"p"},"e.g.")," with MS Azure)."),Object(b.b)("p",null,"You have to substitute ",Object(b.b)("em",{parentName:"p"},"name"),' with the actual cookie name you configured via --cookie-name parameter. If you don\'t set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".'),Object(b.b)("h2",{id:"configuring-for-use-with-the-traefik-v2-forwardauth-middleware"},"Configuring for use with the Traefik (v2) ",Object(b.b)("inlineCode",{parentName:"h2"},"ForwardAuth")," middleware"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"This option requires ",Object(b.b)("inlineCode",{parentName:"strong"},"--reverse-proxy")," option to be set.")),Object(b.b)("h3",{id:"forwardauth-with-401-errors-middleware"},"ForwardAuth with 401 errors middleware"),Object(b.b)("p",null,"The ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," allows Traefik to authenticate requests via the oauth2-proxy's ",Object(b.b)("inlineCode",{parentName:"p"},"/oauth2/auth")," endpoint on every request, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the whole request through. For example, on Dynamic File (YAML) Configuration:"),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n routers:\n a-service:\n rule: "Host(`a-service.example.com`)"\n service: a-service-backend\n middlewares:\n - oauth-errors\n - oauth-auth\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth:\n rule: "Host(`a-service.example.com`, `oauth.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n oauth-errors:\n errors:\n status:\n - "401-403"\n service: oauth-backend\n query: "/oauth2/sign_in"\n')),Object(b.b)("h3",{id:"forwardauth-with-static-upstreams-configuration"},"ForwardAuth with static upstreams configuration"),Object(b.b)("p",null,"Redirect to sign_in functionality provided without the use of ",Object(b.b)("inlineCode",{parentName:"p"},"errors")," middleware with ",Object(b.b)("a",Object(n.a)({parentName:"p"},{href:"https://doc.traefik.io/traefik/middlewares/forwardauth/"}),"Traefik v2 ",Object(b.b)("inlineCode",{parentName:"a"},"ForwardAuth")," middleware")," pointing to oauth2-proxy service's ",Object(b.b)("inlineCode",{parentName:"p"},"/")," endpoint"),Object(b.b)("p",null,Object(b.b)("strong",{parentName:"p"},"Following options need to be set on ",Object(b.b)("inlineCode",{parentName:"strong"},"oauth2-proxy"),":")),Object(b.b)("ul",null,Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--upstream=static://202"),": Configures a static response for authenticated sessions"),Object(b.b)("li",{parentName:"ul"},Object(b.b)("inlineCode",{parentName:"li"},"--reverse-proxy=true"),": Enables the use of ",Object(b.b)("inlineCode",{parentName:"li"},"X-Forwarded-*")," headers to determine redirects correctly")),Object(b.b)("pre",null,Object(b.b)("code",Object(n.a)({parentName:"pre"},{className:"language-yaml"}),'http:\n routers:\n a-service-route-1:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-redirect # redirects all unauthenticated to oauth2 signin\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n a-service-route-2:\n rule: "Host(`a-service.example.com`) && PathPrefix(`/no-auto-redirect`)"\n service: a-service-backend\n middlewares:\n - oauth-auth-wo-redirect # unauthenticated session will return a 401\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n services-oauth2-route:\n rule: "Host(`a-service.example.com`, `b-service.example.com`) && PathPrefix(`/oauth2/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n oauth2-proxy-route:\n rule: "Host(`oauth.example.com`) && PathPrefix(`/`)"\n middlewares:\n - auth-headers\n service: oauth-backend\n tls:\n certResolver: default\n domains:\n - main: "example.com"\n sans:\n - "*.example.com"\n\n services:\n a-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.2:7555\n b-service-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.3:7555\n oauth-backend:\n loadBalancer:\n servers:\n - url: http://172.16.0.1:4180\n\n middlewares:\n auth-headers:\n headers:\n sslRedirect: true\n stsSeconds: 315360000\n browserXssFilter: true\n contentTypeNosniff: true\n forceSTSHeader: true\n sslHost: example.com\n stsIncludeSubdomains: true\n stsPreload: true\n frameDeny: true\n oauth-auth-redirect:\n forwardAuth:\n address: https://oauth.example.com/\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n oauth-auth-wo-redirect:\n forwardAuth:\n address: https://oauth.example.com/oauth2/auth\n trustForwardHeader: true\n authResponseHeaders:\n - X-Auth-Request-Access-Token\n - Authorization\n')),Object(b.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-heading"}),Object(b.b)("h5",{parentName:"div"},Object(b.b)("span",Object(n.a)({parentName:"h5"},{className:"admonition-icon"}),Object(b.b)("svg",Object(n.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(b.b)("path",Object(n.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(b.b)("div",Object(n.a)({parentName:"div"},{className:"admonition-content"}),Object(b.b)("p",{parentName:"div"},"If you set up your OAuth2 provider to rotate your client secret, you can use the ",Object(b.b)("inlineCode",{parentName:"p"},"client-secret-file")," option to reload the secret when it is updated."))))}s.isMDXComponent=!0}}]);
\ No newline at end of file
diff --git a/404.html b/404.html
index 34d6e4a9..85b883d5 100644
--- a/404.html
+++ b/404.html
@@ -6,14 +6,14 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Page Not Found | OAuth2 Proxy</title><meta data-react-helmet="true" property="og:title" content="Page Not Found | OAuth2 Proxy"><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_tag" content="default"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.2.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item menu__list-item--collapsed"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="container margin-vert--xl"><div class="row"><div class="col col--6 col--offset-3"><h1 class="hero__title">Page Not Found</h1><p>We could not find what you were looking for.</p><p>Please contact the owner of the site that linked you to the original URL and let them know their link is broken.</p></div></div></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
</body>
</html>
\ No newline at end of file
diff --git a/docs/6.1.x/behaviour/index.html b/docs/6.1.x/behaviour/index.html
index 7bee9a50..5f4e6513 100644
--- a/docs/6.1.x/behaviour/index.html
+++ b/docs/6.1.x/behaviour/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy's session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/6.1.x/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/community/security/index.html b/docs/6.1.x/community/security/index.html
index 17acf674..1d533a48 100644
--- a/docs/6.1.x/community/security/index.html
+++ b/docs/6.1.x/community/security/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/configuration/oauth_provider/index.html b/docs/6.1.x/configuration/oauth_provider/index.html
index 307afefa..81d10f25 100644
--- a/docs/6.1.x/configuration/oauth_provider/index.html
+++ b/docs/6.1.x/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -55,7 +55,7 @@ to setup the client id and client secret. Your "Redirection URI" will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/configuration/overview/index.html b/docs/6.1.x/configuration/overview/index.html
index d757e1a2..17fa7a60 100644
--- a/docs/6.1.x/configuration/overview/index.html
+++ b/docs/6.1.x/configuration/overview/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -39,7 +39,7 @@ Variables set with <code>auth_request_set</code> are not <code>set</code>-able i
Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua module.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-yaml codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token key atrule">nginx.ingress.kubernetes.io/auth-response-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-signin</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/start</span><span class="token punctuation" style="color:rgb(199, 146, 234)">?</span><span class="token plain">rd=$escaped_request_uri</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/auth-url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//$host/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">|</span><span class="token scalar string" style="color:rgb(195, 232, 141)"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token scalar string" style="color:rgb(195, 232, 141)"> auth_request_set $name_upstream_1 $upstream_cookie_name_1;</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> access_by_lua_block </span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> if ngx.var.name_upstream_1 ~= "" then</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ngx.header</span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token string" style="color:rgb(195, 232, 141)">"Set-Cookie"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token plain"> = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">match("(; .*)")</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> end</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span></div></div></div></div></div><p>It is recommended to use <code>--session-store-type=redis</code> when expecting large sessions/OIDC tokens (<em>e.g.</em> with MS Azure).</p><p>You have to substitute <em>name</em> with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".</p><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/configuration/session_storage/index.html b/docs/6.1.x/configuration/session_storage/index.html
index 17eb011e..4702f611 100644
--- a/docs/6.1.x/configuration/session_storage/index.html
+++ b/docs/6.1.x/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/configuration/tls/index.html b/docs/6.1.x/configuration/tls/index.html
index 51f12ea9..da3d5cac 100644
--- a/docs/6.1.x/configuration/tls/index.html
+++ b/docs/6.1.x/configuration/tls/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"yourcompany.com"</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/features/endpoints/index.html b/docs/6.1.x/features/endpoints/index.html
index ef7d648d..fcb4c99d 100644
--- a/docs/6.1.x/features/endpoints/index.html
+++ b/docs/6.1.x/features/endpoints/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/6.1.x/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/6.1.x/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/request_signatures"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Request Signatures »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/features/request_signatures/index.html b/docs/6.1.x/features/request_signatures/index.html
index 000886e3..82d5d550 100644
--- a/docs/6.1.x/features/request_signatures/index.html
+++ b/docs/6.1.x/features/request_signatures/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Request Signatures | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Request Signatures | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/request_signatures"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/features/request_signatures"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -27,7 +27,7 @@ following:</p><ul><li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/R
Requests</a></li><li><a href="http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/" target="_blank" rel="noopener noreferrer">rc3.org: Using HMAC to authenticate Web service
requests</a></li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/features/request_signatures.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/6.1.x/index.html b/docs/6.1.x/index.html
index 57e3bb31..0ec5b8fd 100644
--- a/docs/6.1.x/index.html
+++ b/docs/6.1.x/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="6.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-6.1.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/6.1.x/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/6.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/configuration/tls">TLS Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/6.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>6.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 6.1.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v6.1.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2>&1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/6.1.x/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/6.1.x/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/6.1.x/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/6.1.x/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/behaviour/index.html b/docs/7.0.x/behaviour/index.html
index 279595ef..63793540 100644
--- a/docs/7.0.x/behaviour/index.html
+++ b/docs/7.0.x/behaviour/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/7.0.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.0.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy's session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/7.0.x/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/community/security/index.html b/docs/7.0.x/community/security/index.html
index 42d90df9..2f2c2c45 100644
--- a/docs/7.0.x/community/security/index.html
+++ b/docs/7.0.x/community/security/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/configuration/alpha-config/index.html b/docs/7.0.x/configuration/alpha-config/index.html
index 6933ff3e..84cdee52 100644
--- a/docs/7.0.x/configuration/alpha-config/index.html
+++ b/docs/7.0.x/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -44,7 +44,7 @@ make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Des
Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreams">Upstreams</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams"></a>Upstreams<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream-alias"></a>(<a href="#upstream">[]Upstream</a> alias)<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream-alias" title="Direct link to heading">#</a></h4><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Upstreams is a collection of definitions for upstream servers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreams" class="table-of-contents__link">Upstreams</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/configuration/oauth_provider/index.html b/docs/7.0.x/configuration/oauth_provider/index.html
index 9a49bf5c..3e369b16 100644
--- a/docs/7.0.x/configuration/oauth_provider/index.html
+++ b/docs/7.0.x/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/configuration/overview/index.html b/docs/7.0.x/configuration/overview/index.html
index 25af6a70..927605dc 100644
--- a/docs/7.0.x/configuration/overview/index.html
+++ b/docs/7.0.x/configuration/overview/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -43,7 +43,7 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/configuration/session_storage/index.html b/docs/7.0.x/configuration/session_storage/index.html
index 66f3f690..b22f3976 100644
--- a/docs/7.0.x/configuration/session_storage/index.html
+++ b/docs/7.0.x/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/configuration/tls/index.html b/docs/7.0.x/configuration/tls/index.html
index 0fd72cb1..349c3b34 100644
--- a/docs/7.0.x/configuration/tls/index.html
+++ b/docs/7.0.x/configuration/tls/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"yourcompany.com"</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/features/endpoints/index.html b/docs/7.0.x/features/endpoints/index.html
index ecdbb3af..2bd1c888 100644
--- a/docs/7.0.x/features/endpoints/index.html
+++ b/docs/7.0.x/features/endpoints/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.0.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/7.0.x/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/7.0.x/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/features/request_signatures"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Request Signatures »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/features/request_signatures/index.html b/docs/7.0.x/features/request_signatures/index.html
index 609184b8..3dc70248 100644
--- a/docs/7.0.x/features/request_signatures/index.html
+++ b/docs/7.0.x/features/request_signatures/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Request Signatures | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Request Signatures | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:description" content="If signature_key is defined, proxied requests will be signed with the"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/features/request_signatures"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/features/request_signatures"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -27,7 +27,7 @@ following:</p><ul><li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/R
Requests</a></li><li><a href="http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/" target="_blank" rel="noopener noreferrer">rc3.org: Using HMAC to authenticate Web service
requests</a></li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/features/request_signatures.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.0.x/index.html b/docs/7.0.x/index.html
index 752c8e81..006ac92f 100644
--- a/docs/7.0.x/index.html
+++ b/docs/7.0.x/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.0.x/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/7.0.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/endpoints">Endpoints</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/features/request_signatures">Request Signatures</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.0.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.0.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.0.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.0.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2>&1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/7.0.x/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/7.0.x/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/7.0.x/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.0.x/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/behaviour/index.html b/docs/7.1.x/behaviour/index.html
index c107df99..a2f77539 100644
--- a/docs/7.1.x/behaviour/index.html
+++ b/docs/7.1.x/behaviour/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/7.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.1.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy's session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/7.1.x/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/community/security/index.html b/docs/7.1.x/community/security/index.html
index e7cecec3..2a508467 100644
--- a/docs/7.1.x/community/security/index.html
+++ b/docs/7.1.x/community/security/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/configuration/alpha-config/index.html b/docs/7.1.x/configuration/alpha-config/index.html
index babde6fe..e111bdb7 100644
--- a/docs/7.1.x/configuration/alpha-config/index.html
+++ b/docs/7.1.x/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -44,7 +44,7 @@ make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Des
Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="server"></a>Server<a aria-hidden="true" tabindex="-1" class="hash-link" href="#server" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Server represents the configuration for an HTTP(S) server</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>BindAddress</code></td><td><em>string</em></td><td>BindAddress is the address on which to serve traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>SecureBindAddress</code></td><td><em>string</em></td><td>SecureBindAddress is the address on which to serve secure traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>TLS</code></td><td><em><a href="#tls">TLS</a></em></td><td>TLS contains the information for loading the certificate and key for the<br>secure traffic.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="tls"></a>TLS<a aria-hidden="true" tabindex="-1" class="hash-link" href="#tls" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#server">Server</a>)</p><p>TLS contains the information for loading a TLS certifcate and key.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>Key</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Key is the TLS key data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>Cert</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Cert is the TLS certificate data to use.<br>Typically this will come from a file.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreams">Upstreams</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams"></a>Upstreams<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams" title="Direct link to heading">#</a></h3><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream-alias"></a>(<a href="#upstream">[]Upstream</a> alias)<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream-alias" title="Direct link to heading">#</a></h4><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Upstreams is a collection of definitions for upstream servers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#server" class="table-of-contents__link">Server</a></li><li><a href="#tls" class="table-of-contents__link">TLS</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreams" class="table-of-contents__link">Upstreams</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/configuration/oauth_provider/index.html b/docs/7.1.x/configuration/oauth_provider/index.html
index ad1a2985..2c5d6cb0 100644
--- a/docs/7.1.x/configuration/oauth_provider/index.html
+++ b/docs/7.1.x/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/configuration/overview/index.html b/docs/7.1.x/configuration/overview/index.html
index 6a93fb32..6b1111ab 100644
--- a/docs/7.1.x/configuration/overview/index.html
+++ b/docs/7.1.x/configuration/overview/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -43,7 +43,7 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/configuration/session_storage/index.html b/docs/7.1.x/configuration/session_storage/index.html
index fb633979..9fa8f996 100644
--- a/docs/7.1.x/configuration/session_storage/index.html
+++ b/docs/7.1.x/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/configuration/tls/index.html b/docs/7.1.x/configuration/tls/index.html
index 0843b19b..035f7b82 100644
--- a/docs/7.1.x/configuration/tls/index.html
+++ b/docs/7.1.x/configuration/tls/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"yourcompany.com"</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/features/endpoints/index.html b/docs/7.1.x/features/endpoints/index.html
index 93b766a2..4a277d76 100644
--- a/docs/7.1.x/features/endpoints/index.html
+++ b/docs/7.1.x/features/endpoints/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/7.1.x/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.1.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by <code>--metrics-address</code>, disabled by default</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/7.1.x/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/7.1.x/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/7.1.x/index.html b/docs/7.1.x/index.html
index 8edf69b5..63375792 100644
--- a/docs/7.1.x/index.html
+++ b/docs/7.1.x/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.1.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.1.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/7.1.x/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/7.1.x/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/7.1.x/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is documentation for OAuth2 Proxy <strong>7.1.x</strong>, which is no longer actively maintained.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.1.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.1.3</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p><p>d. Using a <a href="https://github.com/oauth2-proxy/manifests" target="_blank" rel="noopener noreferrer">Kubernetes manifest</a> (Helm)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt 2>&1 | grep OK</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/7.1.x/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/7.1.x/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/7.1.x/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.1.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/7.1.x/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/behaviour/index.html b/docs/behaviour/index.html
index 3ff79e5c..03136c45 100644
--- a/docs/behaviour/index.html
+++ b/docs/behaviour/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.2.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.2.x</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy's session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/community/security/index.html b/docs/community/security/index.html
index ba9852d1..3efbd27e 100644
--- a/docs/community/security/index.html
+++ b/docs/community/security/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/configuration/alpha-config/index.html b/docs/configuration/alpha-config/index.html
index b9d1f96f..2e81e9c8 100644
--- a/docs/configuration/alpha-config/index.html
+++ b/docs/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -44,7 +44,7 @@ make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Des
Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="server"></a>Server<a aria-hidden="true" tabindex="-1" class="hash-link" href="#server" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Server represents the configuration for an HTTP(S) server</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>BindAddress</code></td><td><em>string</em></td><td>BindAddress is the address on which to serve traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>SecureBindAddress</code></td><td><em>string</em></td><td>SecureBindAddress is the address on which to serve secure traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>TLS</code></td><td><em><a href="#tls">TLS</a></em></td><td>TLS contains the information for loading the certificate and key for the<br>secure traffic.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="tls"></a>TLS<a aria-hidden="true" tabindex="-1" class="hash-link" href="#tls" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#server">Server</a>)</p><p>TLS contains the information for loading a TLS certifcate and key.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>Key</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Key is the TLS key data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>Cert</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Cert is the TLS certificate data to use.<br>Typically this will come from a file.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreamconfig">UpstreamConfig</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.<br>Path can also take a pattern when used with RewriteTarget.<br>Path segments can be captured and matched using regular experessions.<br>Eg:<br>- <code>^/foo$</code>: Match only the explicit path <code>/foo</code><br>- <code>^/bar/$</code>: Match any path prefixed with <code>/bar/</code><br>- <code>^/baz/(.*)$</code>: Match any path prefixed with <code>/baz</code> and capture the remaining path for use with RewriteTarget</td></tr><tr><td><code>rewriteTarget</code></td><td><em>string</em></td><td>RewriteTarget allows users to rewrite the request path before it is sent to<br>the upstream server.<br>Use the Path to capture segments for reuse within the rewrite target.<br>Eg: With a Path of <code>^/baz/(.*)</code>, a RewriteTarget of <code>/foo/$1</code> would rewrite<br>the request <code>/baz/abc/123</code> to <code>/foo/abc/123</code> before proxying to the<br>upstream server.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreamconfig"></a>UpstreamConfig<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreamconfig" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>UpstreamConfig is a collection of definitions for upstream servers.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>proxyRawPath</code></td><td><em>bool</em></td><td>ProxyRawPath will pass the raw url path to upstream allowing for url's<br>like: "/%2F/" which would otherwise be redirected to "/"</td></tr><tr><td><code>upstreams</code></td><td><em><a href="#upstream">[]Upstream</a></em></td><td>Upstreams represents the configuration for the upstream servers.<br>Requests will be proxied to this upstream if the path matches the request path.</td></tr></tbody></table></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#adfsoptions" class="table-of-contents__link">ADFSOptions</a></li><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#azureoptions" class="table-of-contents__link">AzureOptions</a></li><li><a href="#bitbucketoptions" class="table-of-contents__link">BitbucketOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#githuboptions" class="table-of-contents__link">GitHubOptions</a></li><li><a href="#gitlaboptions" class="table-of-contents__link">GitLabOptions</a></li><li><a href="#googleoptions" class="table-of-contents__link">GoogleOptions</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#keycloakoptions" class="table-of-contents__link">KeycloakOptions</a></li><li><a href="#logingovoptions" class="table-of-contents__link">LoginGovOptions</a></li><li><a href="#oidcoptions" class="table-of-contents__link">OIDCOptions</a></li><li><a href="#provider" class="table-of-contents__link">Provider</a></li><li><a href="#providers" class="table-of-contents__link">Providers</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#server" class="table-of-contents__link">Server</a></li><li><a href="#tls" class="table-of-contents__link">TLS</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreamconfig" class="table-of-contents__link">UpstreamConfig</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/configuration/oauth_provider/index.html b/docs/configuration/oauth_provider/index.html
index 0fe20404..86abdea8 100644
--- a/docs/configuration/oauth_provider/index.html
+++ b/docs/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#adfs-auth-provider" class="table-of-contents__link">ADFS Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#keycloak-oidc-auth-provider" class="table-of-contents__link">Keycloak OIDC Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/configuration/overview/index.html b/docs/configuration/overview/index.html
index 279a48c1..baf75826 100644
--- a/docs/configuration/overview/index.html
+++ b/docs/configuration/overview/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -43,7 +43,7 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/configuration/session_storage/index.html b/docs/configuration/session_storage/index.html
index fd838761..73d08a2a 100644
--- a/docs/configuration/session_storage/index.html
+++ b/docs/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/configuration/tls/index.html b/docs/configuration/tls/index.html
index c098b786..f94719c0 100644
--- a/docs/configuration/tls/index.html
+++ b/docs/configuration/tls/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -26,7 +26,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"yourcompany.com"</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/features/endpoints/index.html b/docs/features/endpoints/index.html
index 771f76d4..2bc82c52 100644
--- a/docs/features/endpoints/index.html
+++ b/docs/features/endpoints/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.2.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.2.x</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by <code>--metrics-address</code>, disabled by default</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/index.html b/docs/index.html
index 3be6e853..3fcc623b 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.2.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.2.x"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.2.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: 7.2.x</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.2.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p><p>d. Using a <a href="https://github.com/oauth2-proxy/manifests" target="_blank" rel="noopener noreferrer">Kubernetes manifest</a> (Helm)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.2.x/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/behaviour/index.html b/docs/next/behaviour/index.html
index 7c61d5c5..58dd117e 100644
--- a/docs/next/behaviour/index.html
+++ b/docs/next/behaviour/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Behaviour | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Behaviour | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:description" content="1. Any request passing through the proxy (and not matched by --skip-auth-regex) is checked for the proxy's session cookie (--cookie-name) (or, if allowed, a JWT token - see --skip-jwt-bearer-tokens)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/behaviour"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/behaviour"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/behaviour">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/behaviour">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/behaviour">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/behaviour">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/behaviour">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Behaviour</h1></header><div class="markdown"><ol><li>Any request passing through the proxy (and not matched by <code>--skip-auth-regex</code>) is checked for the proxy's session cookie (<code>--cookie-name</code>) (or, if allowed, a JWT token - see <code>--skip-jwt-bearer-tokens</code>).</li><li>If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with <code>Accept: application/json</code>, in which case 401 Unauthorized is returned)</li><li>After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set</li><li>The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)</li></ol><p>Notice that the proxy also provides a number of useful <a href="/oauth2-proxy/docs/next/features/endpoints">endpoints</a>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/behaviour.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Installation</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/overview"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Overview »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/community/security/index.html b/docs/next/community/security/index.html
index eeb4ec9d..7af64462 100644
--- a/docs/next/community/security/index.html
+++ b/docs/next/community/security/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -38,7 +38,7 @@ merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/endpoints"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Endpoints</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/configuration/alpha-config/index.html b/docs/next/configuration/alpha-config/index.html
index 34406ae6..20ffdb37 100644
--- a/docs/next/configuration/alpha-config/index.html
+++ b/docs/next/configuration/alpha-config/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Alpha Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:description" content="This page contains documentation for alpha features."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -48,7 +48,7 @@ Only one source within the struct should be defined at any time.</p><table><thea
as well as an optional minimal TLS version that is acceptable.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>Key</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Key is the TLS key data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>Cert</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Cert is the TLS certificate data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>MinVersion</code></td><td><em>string</em></td><td>MinVersion is the minimal TLS version that is acceptable.<br>E.g. Set to "TLS1.3" to select TLS version 1.3</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstream"></a>Upstream<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstream" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#upstreamconfig">UpstreamConfig</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.<br>Path can also take a pattern when used with RewriteTarget.<br>Path segments can be captured and matched using regular experessions.<br>Eg:<br>- <code>^/foo$</code>: Match only the explicit path <code>/foo</code><br>- <code>^/bar/$</code>: Match any path prefixed with <code>/bar/</code><br>- <code>^/baz/(.*)$</code>: Match any path prefixed with <code>/baz</code> and capture the remaining path for use with RewriteTarget</td></tr><tr><td><code>rewriteTarget</code></td><td><em>string</em></td><td>RewriteTarget allows users to rewrite the request path before it is sent to<br>the upstream server.<br>Use the Path to capture segments for reuse within the rewrite target.<br>Eg: With a Path of <code>^/baz/(.*)</code>, a RewriteTarget of <code>/foo/$1</code> would rewrite<br>the request <code>/baz/abc/123</code> to <code>/foo/abc/123</code> before proxying to the<br>upstream server.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server of a File<br>based URL. It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>betweem OAuth2 Proxy and the usptream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr></tbody></table><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreamconfig"></a>UpstreamConfig<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreamconfig" title="Direct link to heading">#</a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>UpstreamConfig is a collection of definitions for upstream servers.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>proxyRawPath</code></td><td><em>bool</em></td><td>ProxyRawPath will pass the raw url path to upstream allowing for url's<br>like: "/%2F/" which would otherwise be redirected to "/"</td></tr><tr><td><code>upstreams</code></td><td><em><a href="#upstream">[]Upstream</a></em></td><td>Upstreams represents the configuration for the upstream servers.<br>Requests will be proxied to this upstream if the path matches the request path.</td></tr></tbody></table></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/tls"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« TLS Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link">Converting configuration to the new structure</a></li></ul></li><li><a href="#removed-options" class="table-of-contents__link">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link">Configuration Reference</a><ul><li><a href="#adfsoptions" class="table-of-contents__link">ADFSOptions</a></li><li><a href="#alphaoptions" class="table-of-contents__link">AlphaOptions</a></li><li><a href="#azureoptions" class="table-of-contents__link">AzureOptions</a></li><li><a href="#bitbucketoptions" class="table-of-contents__link">BitbucketOptions</a></li><li><a href="#claimsource" class="table-of-contents__link">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link">Duration</a></li><li><a href="#githuboptions" class="table-of-contents__link">GitHubOptions</a></li><li><a href="#gitlaboptions" class="table-of-contents__link">GitLabOptions</a></li><li><a href="#googleoptions" class="table-of-contents__link">GoogleOptions</a></li><li><a href="#header" class="table-of-contents__link">Header</a></li><li><a href="#headervalue" class="table-of-contents__link">HeaderValue</a></li><li><a href="#keycloakoptions" class="table-of-contents__link">KeycloakOptions</a></li><li><a href="#logingovoptions" class="table-of-contents__link">LoginGovOptions</a></li><li><a href="#oidcoptions" class="table-of-contents__link">OIDCOptions</a></li><li><a href="#provider" class="table-of-contents__link">Provider</a></li><li><a href="#providertype" class="table-of-contents__link">ProviderType</a></li><li><a href="#providers" class="table-of-contents__link">Providers</a></li><li><a href="#secretsource" class="table-of-contents__link">SecretSource</a></li><li><a href="#server" class="table-of-contents__link">Server</a></li><li><a href="#tls" class="table-of-contents__link">TLS</a></li><li><a href="#upstream" class="table-of-contents__link">Upstream</a></li><li><a href="#upstreamconfig" class="table-of-contents__link">UpstreamConfig</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/configuration/oauth_provider/index.html b/docs/next/configuration/oauth_provider/index.html
index 5074ee02..1fd9b7bd 100644
--- a/docs/next/configuration/oauth_provider/index.html
+++ b/docs/next/configuration/oauth_provider/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">OAuth Provider Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="OAuth Provider Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:description" content="You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2-proxy on."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/oauth_provider"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/oauth_provider"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -59,7 +59,7 @@ to setup the client id and client secret. Your "Redirection URI" will
<a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go" target="_blank" rel="noopener noreferrer"><code>providers.New()</code></a> to allow <code>oauth2-proxy</code> to use the
new <code>Provider</code>.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/auth.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Overview</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/session_storage"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Session Storage »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#google-auth-provider" class="table-of-contents__link">Google Auth Provider</a></li><li><a href="#azure-auth-provider" class="table-of-contents__link">Azure Auth Provider</a></li><li><a href="#adfs-auth-provider" class="table-of-contents__link">ADFS Auth Provider</a></li><li><a href="#facebook-auth-provider" class="table-of-contents__link">Facebook Auth Provider</a></li><li><a href="#github-auth-provider" class="table-of-contents__link">GitHub Auth Provider</a></li><li><a href="#keycloak-auth-provider" class="table-of-contents__link">Keycloak Auth Provider</a></li><li><a href="#keycloak-oidc-auth-provider" class="table-of-contents__link">Keycloak OIDC Auth Provider</a></li><li><a href="#gitlab-auth-provider" class="table-of-contents__link">GitLab Auth Provider</a></li><li><a href="#linkedin-auth-provider" class="table-of-contents__link">LinkedIn Auth Provider</a></li><li><a href="#microsoft-azure-ad-provider" class="table-of-contents__link">Microsoft Azure AD Provider</a></li><li><a href="#openid-connect-provider" class="table-of-contents__link">OpenID Connect Provider</a></li><li><a href="#logingov-provider" class="table-of-contents__link">login.gov Provider</a></li><li><a href="#nextcloud-provider" class="table-of-contents__link">Nextcloud Provider</a></li><li><a href="#digitalocean-auth-provider" class="table-of-contents__link">DigitalOcean Auth Provider</a></li><li><a href="#bitbucket-auth-provider" class="table-of-contents__link">Bitbucket Auth Provider</a></li><li><a href="#gitea-auth-provider" class="table-of-contents__link">Gitea Auth Provider</a></li><li><a href="#email-authentication" class="table-of-contents__link">Email Authentication</a></li><li><a href="#adding-a-new-provider" class="table-of-contents__link">Adding a new Provider</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/configuration/overview/index.html b/docs/next/configuration/overview/index.html
index c40c8530..f1ef3aca 100644
--- a/docs/next/configuration/overview/index.html
+++ b/docs/next/configuration/overview/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Overview | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Overview | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:description" content="oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings)."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/overview"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -14,11 +14,11 @@
<link rel="preload" href="/oauth2-proxy/60.0c644c35.js" as="script">
<link rel="preload" href="/oauth2-proxy/935f2afb.1429e449.js" as="script">
<link rel="preload" href="/oauth2-proxy/17896441.3f09010b.js" as="script">
-<link rel="preload" href="/oauth2-proxy/0f425520.3155874e.js" as="script">
+<link rel="preload" href="/oauth2-proxy/0f425520.6799b1da.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
-<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/overview">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/configuration/overview">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/configuration/overview">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/configuration/overview">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/configuration/overview">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Overview</h1></header><div class="markdown"><p><code>oauth2-proxy</code> can be configured via <a href="#command-line-options">command line options</a>, <a href="#environment-variables">environment variables</a> or <a href="#config-file">config file</a> (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="generating-a-cookie-secret"></a>Generating a Cookie Secret<a aria-hidden="true" tabindex="-1" class="hash-link" href="#generating-a-cookie-secret" title="Direct link to heading">#</a></h3><p>To generate a strong cookie secret use one of the below commands:</p><div><ul role="tablist" aria-orientation="horizontal" class="tabs"><li role="tab" tabindex="0" aria-selected="true" class="tabs__item tabItem_1w39 tabs__item--active" style="outline:none">Python</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">Bash</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">OpenSSL</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">PowerShell</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">Terraform</li></ul><div role="tabpanel" class="margin-vert--md"><div><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-shell codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">python -c </span><span class="token string" style="color:rgb(195, 232, 141)">'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'</span></div></div></div></div></div></div></div></div><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="config-file"></a>Config File<a aria-hidden="true" tabindex="-1" class="hash-link" href="#config-file" title="Direct link to heading">#</a></h3><p>Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the config option should be plural (trailing s).</p><p>An example <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example" target="_blank" rel="noopener noreferrer">oauth2-proxy.cfg</a> config file is in the contrib directory. It can be used by specifying <code>--config=/etc/oauth2-proxy.cfg</code></p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="command-line-options"></a>Command Line Options<a aria-hidden="true" tabindex="-1" class="hash-link" href="#command-line-options" title="Direct link to heading">#</a></h3><table><thead><tr><th>Option</th><th>Type</th><th>Description</th><th>Default</th></tr></thead><tbody><tr><td><code>--acr-values</code></td><td>string</td><td>optional, see <a href="https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues" target="_blank" rel="noopener noreferrer">docs</a></td><td><code>""</code></td></tr><tr><td><code>--approval-prompt</code></td><td>string</td><td>OAuth approval_prompt</td><td><code>"force"</code></td></tr><tr><td><code>--auth-logging</code></td><td>bool</td><td>Log authentication attempts</td><td>true</td></tr><tr><td><code>--auth-logging-format</code></td><td>string</td><td>Template for authentication log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--authenticated-emails-file</code></td><td>string</td><td>authenticate against emails via file (one per line)</td><td></td></tr><tr><td><code>--azure-tenant</code></td><td>string</td><td>go to a tenant-specific or common (tenant-independent) endpoint.</td><td><code>"common"</code></td></tr><tr><td><code>--basic-auth-password</code></td><td>string</td><td>the password to set when passing the HTTP Basic Auth header</td><td></td></tr><tr><td><code>--client-id</code></td><td>string</td><td>the OAuth Client ID, e.g. <code>"123456.apps.googleusercontent.com"</code></td><td></td></tr><tr><td><code>--client-secret</code></td><td>string</td><td>the OAuth Client Secret</td><td></td></tr><tr><td><code>--client-secret-file</code></td><td>string</td><td>the file with OAuth Client Secret</td><td></td></tr><tr><td><code>--config</code></td><td>string</td><td>path to config file</td><td></td></tr><tr><td><code>--cookie-domain</code></td><td>string | list</td><td>Optional cookie domains to force cookies to (e.g. <code>.yourcompany.com</code>). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).</td><td></td></tr><tr><td><code>--cookie-expire</code></td><td>duration</td><td>expire timeframe for cookie</td><td>168h0m0s</td></tr><tr><td><code>--cookie-httponly</code></td><td>bool</td><td>set HttpOnly cookie flag</td><td>true</td></tr><tr><td><code>--cookie-name</code></td><td>string</td><td>the name of the cookie that the oauth_proxy creates</td><td><code>"_oauth2_proxy"</code></td></tr><tr><td><code>--cookie-path</code></td><td>string</td><td>an optional cookie path to force cookies to (e.g. <code>/poc/</code>)</td><td><code>"/"</code></td></tr><tr><td><code>--cookie-refresh</code></td><td>duration</td><td>refresh the cookie after this duration; <code>0</code> to disable; not supported by all providers [<a href="#footnote1">1</a>]</td><td></td></tr><tr><td><code>--cookie-secret</code></td><td>string</td><td>the seed string for secure cookies (optionally base64 encoded)</td><td></td></tr><tr><td><code>--cookie-secure</code></td><td>bool</td><td>set <a href="https://owasp.org/www-community/controls/SecureFlag" target="_blank" rel="noopener noreferrer">secure (HTTPS only) cookie flag</a></td><td>true</td></tr><tr><td><code>--cookie-samesite</code></td><td>string</td><td>set SameSite cookie attribute (<code>"lax"</code>, <code>"strict"</code>, <code>"none"</code>, or <code>""</code>).</td><td><code>""</code></td></tr><tr><td><code>--custom-templates-dir</code></td><td>string</td><td>path to custom html templates</td><td></td></tr><tr><td><code>--custom-sign-in-logo</code></td><td>string</td><td>path or a URL to an custom image for the sign_in page logo. Use \"-\" to disable default logo.</td><td></td></tr><tr><td><code>--display-htpasswd-form</code></td><td>bool</td><td>display username / password login form if an htpasswd file is provided</td><td>true</td></tr><tr><td><code>--email-domain</code></td><td>string | list</td><td>authenticate emails with the specified domain (may be given multiple times). Use <code>*</code> to authenticate any email</td><td></td></tr><tr><td><code>--errors-to-info-log</code></td><td>bool</td><td>redirects error-level logging to default log channel instead of stderr</td><td></td></tr><tr><td><code>--extra-jwt-issuers</code></td><td>string</td><td>if <code>--skip-jwt-bearer-tokens</code> is set, a list of extra JWT <code>issuer=audience</code> (see a token's <code>iss</code>, <code>aud</code> fields) pairs (where the issuer URL has a <code>.well-known/openid-configuration</code> or a <code>.well-known/jwks.json</code>)</td><td></td></tr><tr><td><code>--exclude-logging-path</code></td><td>string</td><td>comma separated list of paths to exclude from logging, e.g. <code>"/ping,/path2"</code></td><td><code>""</code> (no paths excluded)</td></tr><tr><td><code>--flush-interval</code></td><td>duration</td><td>period between flushing response buffers when streaming responses</td><td><code>"1s"</code></td></tr><tr><td><code>--force-https</code></td><td>bool</td><td>enforce https redirect</td><td><code>false</code></td></tr><tr><td><code>--force-json-errors</code></td><td>bool</td><td>force JSON errors instead of HTTP error pages or redirects</td><td><code>false</code></td></tr><tr><td><code>--banner</code></td><td>string</td><td>custom (html) banner string. Use <code>"-"</code> to disable default banner.</td><td></td></tr><tr><td><code>--footer</code></td><td>string</td><td>custom (html) footer string. Use <code>"-"</code> to disable default footer.</td><td></td></tr><tr><td><code>--github-org</code></td><td>string</td><td>restrict logins to members of this organisation</td><td></td></tr><tr><td><code>--github-team</code></td><td>string</td><td>restrict logins to members of any of these teams (slug), separated by a comma</td><td></td></tr><tr><td><code>--github-repo</code></td><td>string</td><td>restrict logins to collaborators of this repository formatted as <code>orgname/repo</code></td><td></td></tr><tr><td><code>--github-token</code></td><td>string</td><td>the token to use when verifying repository collaborators (must have push access to the repository)</td><td></td></tr><tr><td><code>--github-user</code></td><td>string | list</td><td>To allow users to login by username even if they do not belong to the specified org and team or collaborators</td><td></td></tr><tr><td><code>--gitlab-group</code></td><td>string | list</td><td>restrict logins to members of any of these groups (slug), separated by a comma</td><td></td></tr><tr><td><code>--gitlab-projects</code></td><td>string | list</td><td>restrict logins to members of any of these projects (may be given multiple times) formatted as <code>orgname/repo=accesslevel</code>. Access level should be a value matching <a href="https://docs.gitlab.com/ee/api/members.html#valid-access-levels" target="_blank" rel="noopener noreferrer">Gitlab access levels</a>, defaulted to 20 if absent</td><td></td></tr><tr><td><code>--google-admin-email</code></td><td>string</td><td>the google admin to impersonate for api calls</td><td></td></tr><tr><td><code>--google-group</code></td><td>string</td><td>restrict logins to members of this google group (may be given multiple times).</td><td></td></tr><tr><td><code>--google-service-account-json</code></td><td>string</td><td>the path to the service account json credentials</td><td></td></tr><tr><td><code>--htpasswd-file</code></td><td>string</td><td>additionally authenticate against a htpasswd file. Entries must be created with <code>htpasswd -B</code> for bcrypt encryption</td><td></td></tr><tr><td><code>--htpasswd-user-group</code></td><td>string | list</td><td>the groups to be set on sessions for htpasswd users</td><td></td></tr><tr><td><code>--http-address</code></td><td>string</td><td><code>[http://]<addr>:<port></code> or <code>unix://<path></code> to listen on for HTTP clients</td><td><code>"127.0.0.1:4180"</code></td></tr><tr><td><code>--https-address</code></td><td>string</td><td><code><addr>:<port></code> to listen on for HTTPS clients</td><td><code>":443"</code></td></tr><tr><td><code>--logging-compress</code></td><td>bool</td><td>Should rotated log files be compressed using gzip</td><td>false</td></tr><tr><td><code>--logging-filename</code></td><td>string</td><td>File to log requests to, empty for <code>stdout</code></td><td><code>""</code> (stdout)</td></tr><tr><td><code>--logging-local-time</code></td><td>bool</td><td>Use local time in log files and backup filenames instead of UTC</td><td>true (local time)</td></tr><tr><td><code>--logging-max-age</code></td><td>int</td><td>Maximum number of days to retain old log files</td><td>7</td></tr><tr><td><code>--logging-max-backups</code></td><td>int</td><td>Maximum number of old log files to retain; 0 to disable</td><td>0</td></tr><tr><td><code>--logging-max-size</code></td><td>int</td><td>Maximum size in megabytes of the log file before rotation</td><td>100</td></tr><tr><td><code>--jwt-key</code></td><td>string</td><td>private key in PEM format used to sign JWT, so that you can say something like <code>--jwt-key="${OAUTH2_PROXY_JWT_KEY}"</code>: required by login.gov</td><td></td></tr><tr><td><code>--jwt-key-file</code></td><td>string</td><td>path to the private key file in PEM format used to sign the JWT so that you can say something like <code>--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem</code>: required by login.gov</td><td></td></tr><tr><td><code>--login-url</code></td><td>string</td><td>Authentication endpoint</td><td></td></tr><tr><td><code>--insecure-oidc-allow-unverified-email</code></td><td>bool</td><td>don't fail if an email address in an id_token is not verified</td><td>false</td></tr><tr><td><code>--insecure-oidc-skip-issuer-verification</code></td><td>bool</td><td>allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)</td><td>false</td></tr><tr><td><code>--insecure-oidc-skip-nonce</code></td><td>bool</td><td>skip verifying the OIDC ID Token's nonce claim</td><td>true</td></tr><tr><td><code>--oidc-issuer-url</code></td><td>string</td><td>the OpenID Connect issuer URL, e.g. <code>"https://accounts.google.com"</code></td><td></td></tr><tr><td><code>--oidc-jwks-url</code></td><td>string</td><td>OIDC JWKS URI for token verification; required if OIDC discovery is disabled</td><td></td></tr><tr><td><code>--oidc-email-claim</code></td><td>string</td><td>which OIDC claim contains the user's email</td><td><code>"email"</code></td></tr><tr><td><code>--oidc-groups-claim</code></td><td>string</td><td>which OIDC claim contains the user groups</td><td><code>"groups"</code></td></tr><tr><td><code>--oidc-audience-claim</code></td><td>string</td><td>which OIDC claim contains the audience</td><td><code>"aud"</code></td></tr><tr><td><code>--oidc-extra-audience</code></td><td>string | list</td><td>additional audiences which are allowed to pass verification</td><td><code>"[]"</code></td></tr><tr><td><code>--pass-access-token</code></td><td>bool</td><td>pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with <code>--set-xauthrequest</code> this adds the X-Auth-Request-Access-Token header to the response</td><td>false</td></tr><tr><td><code>--pass-authorization-header</code></td><td>bool</td><td>pass OIDC IDToken to upstream via Authorization Bearer header</td><td>false</td></tr><tr><td><code>--pass-basic-auth</code></td><td>bool</td><td>pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream</td><td>true</td></tr><tr><td><code>--prefer-email-to-user</code></td><td>bool</td><td>Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with <code>--pass-basic-auth</code> and <code>--pass-user-headers</code></td><td>false</td></tr><tr><td><code>--pass-host-header</code></td><td>bool</td><td>pass the request Host Header to upstream</td><td>true</td></tr><tr><td><code>--pass-user-headers</code></td><td>bool</td><td>pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream</td><td>true</td></tr><tr><td><code>--profile-url</code></td><td>string</td><td>Profile access endpoint</td><td></td></tr><tr><td><code>--prompt</code></td><td>string</td><td><a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank" rel="noopener noreferrer">OIDC prompt</a>; if present, <code>approval-prompt</code> is ignored</td><td><code>""</code></td></tr><tr><td><code>--provider</code></td><td>string</td><td>OAuth provider</td><td>google</td></tr><tr><td><code>--provider-ca-file</code></td><td>string | list</td><td>Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.</td><td></td></tr><tr><td><code>--provider-display-name</code></td><td>string</td><td>Override the provider's name with the given string; used for the sign-in page</td><td>(depends on provider)</td></tr><tr><td><code>--ping-path</code></td><td>string</td><td>the ping endpoint that can be used for basic health checks</td><td><code>"/ping"</code></td></tr><tr><td><code>--ping-user-agent</code></td><td>string</td><td>a User-Agent that can be used for basic health checks</td><td><code>""</code> (don't check user agent)</td></tr><tr><td><code>--metrics-address</code></td><td>string</td><td>the address prometheus metrics will be scraped from</td><td><code>""</code></td></tr><tr><td><code>--proxy-prefix</code></td><td>string</td><td>the url root path that this proxy should be nested under (e.g. /<code><oauth2>/sign_in</code>)</td><td><code>"/oauth2"</code></td></tr><tr><td><code>--proxy-websockets</code></td><td>bool</td><td>enables WebSocket proxying</td><td>true</td></tr><tr><td><code>--pubjwk-url</code></td><td>string</td><td>JWK pubkey access endpoint: required by login.gov</td><td></td></tr><tr><td><code>--real-client-ip-header</code></td><td>string</td><td>Header used to determine the real IP of the client, requires <code>--reverse-proxy</code> to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)</td><td>X-Real-IP</td></tr><tr><td><code>--redeem-url</code></td><td>string</td><td>Token redemption endpoint</td><td></td></tr><tr><td><code>--redirect-url</code></td><td>string</td><td>the OAuth Redirect URL, e.g. <code>"https://internalapp.yourcompany.com/oauth2/callback"</code></td><td></td></tr><tr><td><code>--redis-cluster-connection-urls</code></td><td>string | list</td><td>List of Redis cluster connection URLs (e.g. <code>redis://HOST[:PORT]</code>). Used in conjunction with <code>--redis-use-cluster</code></td><td></td></tr><tr><td><code>--redis-connection-url</code></td><td>string</td><td>URL of redis server for redis session storage (e.g. <code>redis://HOST[:PORT]</code>)</td><td></td></tr><tr><td><code>--redis-password</code></td><td>string</td><td>Redis password. Applicable for all Redis configurations. Will override any password set in <code>--redis-connection-url</code></td><td></td></tr><tr><td><code>--redis-sentinel-password</code></td><td>string</td><td>Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use <code>--redis-password</code></td><td></td></tr><tr><td><code>--redis-sentinel-master-name</code></td><td>string</td><td>Redis sentinel master name. Used in conjunction with <code>--redis-use-sentinel</code></td><td></td></tr><tr><td><code>--redis-sentinel-connection-urls</code></td><td>string | list</td><td>List of Redis sentinel connection URLs (e.g. <code>redis://HOST[:PORT]</code>). Used in conjunction with <code>--redis-use-sentinel</code></td><td></td></tr><tr><td><code>--redis-use-cluster</code></td><td>bool</td><td>Connect to redis cluster. Must set <code>--redis-cluster-connection-urls</code> to use this feature</td><td>false</td></tr><tr><td><code>--redis-use-sentinel</code></td><td>bool</td><td>Connect to redis via sentinels. Must set <code>--redis-sentinel-master-name</code> and <code>--redis-sentinel-connection-urls</code> to use this feature</td><td>false</td></tr><tr><td><code>--request-id-header</code></td><td>string</td><td>Request header to use as the request ID in logging</td><td>X-Request-Id</td></tr><tr><td><code>--request-logging</code></td><td>bool</td><td>Log requests</td><td>true</td></tr><tr><td><code>--request-logging-format</code></td><td>string</td><td>Template for request log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--resource</code></td><td>string</td><td>The resource that is protected (Azure AD only)</td><td></td></tr><tr><td><code>--reverse-proxy</code></td><td>bool</td><td>are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection</td><td>false</td></tr><tr><td><code>--scope</code></td><td>string</td><td>OAuth scope specification</td><td></td></tr><tr><td><code>--session-cookie-minimal</code></td><td>bool</td><td>strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)</td><td>false</td></tr><tr><td><code>--session-store-type</code></td><td>string</td><td><a href="/oauth2-proxy/docs/next/configuration/session_storage">Session data storage backend</a>; redis or cookie</td><td>cookie</td></tr><tr><td><code>--set-xauthrequest</code></td><td>bool</td><td>set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with <code>--pass-access-token</code>, X-Auth-Request-Access-Token is added to response headers.</td><td>false</td></tr><tr><td><code>--set-authorization-header</code></td><td>bool</td><td>set Authorization Bearer response header (useful in Nginx auth_request mode)</td><td>false</td></tr><tr><td><code>--set-basic-auth</code></td><td>bool</td><td>set HTTP Basic Auth information in response (useful in Nginx auth_request mode)</td><td>false</td></tr><tr><td><code>--show-debug-on-error</code></td><td>bool</td><td>show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)</td><td>false</td></tr><tr><td><code>--signature-key</code></td><td>string</td><td>GAP-Signature request signature key (algorithm:secretkey)</td><td></td></tr><tr><td><code>--silence-ping-logging</code></td><td>bool</td><td>disable logging of requests to ping endpoint</td><td>false</td></tr><tr><td><code>--skip-auth-preflight</code></td><td>bool</td><td>will skip authentication for OPTIONS requests</td><td>false</td></tr><tr><td><code>--skip-auth-regex</code></td><td>string | list</td><td>(DEPRECATED for <code>--skip-auth-route</code>) bypass authentication for requests paths that match (may be given multiple times)</td><td></td></tr><tr><td><code>--skip-auth-route</code></td><td>string | list</td><td>bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods</td><td></td></tr><tr><td><code>--skip-auth-strip-headers</code></td><td>bool</td><td>strips <code>X-Forwarded-*</code> style authentication headers & <code>Authorization</code> header if they would be set by oauth2-proxy</td><td>true</td></tr><tr><td><code>--skip-jwt-bearer-tokens</code></td><td>bool</td><td>will skip requests that have verified JWT bearer tokens (the token must have <a href="https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields" target="_blank" rel="noopener noreferrer"><code>aud</code></a> that matches this client id or one of the extras from <code>extra-jwt-issuers</code>)</td><td>false</td></tr><tr><td><code>--skip-oidc-discovery</code></td><td>bool</td><td>bypass OIDC endpoint discovery. <code>--login-url</code>, <code>--redeem-url</code> and <code>--oidc-jwks-url</code> must be configured in this case</td><td>false</td></tr><tr><td><code>--skip-provider-button</code></td><td>bool</td><td>will skip sign-in-page to directly reach the next step: oauth/start</td><td>false</td></tr><tr><td><code>--ssl-insecure-skip-verify</code></td><td>bool</td><td>skip validation of certificates presented when using HTTPS providers</td><td>false</td></tr><tr><td><code>--ssl-upstream-insecure-skip-verify</code></td><td>bool</td><td>skip validation of certificates presented when using HTTPS upstreams</td><td>false</td></tr><tr><td><code>--standard-logging</code></td><td>bool</td><td>Log standard runtime information</td><td>true</td></tr><tr><td><code>--standard-logging-format</code></td><td>string</td><td>Template for standard log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--tls-cert-file</code></td><td>string</td><td>path to certificate file</td><td></td></tr><tr><td><code>--tls-key-file</code></td><td>string</td><td>path to private key file</td><td></td></tr><tr><td><code>--tls-min-version</code></td><td>string</td><td>minimum TLS version that is acceptable, either <code>"TLS1.2"</code> or <code>"TLS1.3"</code></td><td><code>"TLS1.2"</code></td></tr><tr><td><code>--upstream</code></td><td>string | list</td><td>the http url(s) of the upstream endpoint, file:// paths for static files or <code>static://<status_code></code> for static response. Routing is based on the path</td><td></td></tr><tr><td><code>--allowed-group</code></td><td>string | list</td><td>restrict logins to members of this group (may be given multiple times)</td><td></td></tr><tr><td><code>--allowed-role</code></td><td>string | list</td><td>restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.</td><td></td></tr><tr><td><code>--validate-url</code></td><td>string</td><td>Access token validation endpoint</td><td></td></tr><tr><td><code>--version</code></td><td>n/a</td><td>print version string</td><td></td></tr><tr><td><code>--whitelist-domain</code></td><td>string | list</td><td>allowed domains for redirection after authentication. Prefix domain with a <code>.</code> to allow subdomains (e.g. <code>.example.com</code>) [<a href="#footnote2">2</a>]</td><td></td></tr><tr><td><code>--trusted-ip</code></td><td>string | list</td><td>list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with <code>--reverse-proxy</code> and optionally <code>--real-client-ip-header</code> this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them.</td><td></td></tr></tbody></table><p>[<a name="footnote1">1</a>]: Only these providers support <code>--cookie-refresh</code>: GitLab, Google and OIDC</p><p>[<a name="footnote2">2</a>]: When using the <code>whitelist-domain</code> option, any domain prefixed with a <code>.</code> will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: <code>example.com:8080</code>. To allow any port, use <code>*</code>: <code>example.com:*</code>.</p><p>See below for provider specific options</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams-configuration"></a>Upstreams Configuration<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams-configuration" title="Direct link to heading">#</a></h3><p><code>oauth2-proxy</code> supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as <code>http://127.0.0.1:8080/</code> for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide <code>http://127.0.0.1:8080/some/path/</code> then it will only be requests that start with <code>/some/path/</code> which are forwarded to the upstream.</p><p>Static file paths are configured as a file:// URL. <code>file:///var/www/static/</code> will serve the files from that directory at <code>http://[oauth2-proxy url]/var/www/static/</code>, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. <code>file:///var/www/static/#/static/</code> will make <code>/var/www/static/</code> available at <code>http://[oauth2-proxy url]/static/</code>.</p><p>Multiple upstreams can either be configured by supplying a comma separated list to the <code>--upstream</code> parameter, supplying the parameter multiple times or providing a list in the <a href="#config-file">config file</a>. When multiple upstreams are used routing to them will be based on the path they are set up with.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="environment-variables"></a>Environment variables<a aria-hidden="true" tabindex="-1" class="hash-link" href="#environment-variables" title="Direct link to heading">#</a></h3><p>Every command line argument can be specified as an environment variable by
+<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/overview">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/configuration/overview">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/configuration/overview">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/configuration/overview">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/configuration/overview">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/configuration/overview">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/configuration/overview">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/configuration/overview">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Overview</h1></header><div class="markdown"><p><code>oauth2-proxy</code> can be configured via <a href="#command-line-options">command line options</a>, <a href="#environment-variables">environment variables</a> or <a href="#config-file">config file</a> (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="generating-a-cookie-secret"></a>Generating a Cookie Secret<a aria-hidden="true" tabindex="-1" class="hash-link" href="#generating-a-cookie-secret" title="Direct link to heading">#</a></h3><p>To generate a strong cookie secret use one of the below commands:</p><div><ul role="tablist" aria-orientation="horizontal" class="tabs"><li role="tab" tabindex="0" aria-selected="true" class="tabs__item tabItem_1w39 tabs__item--active" style="outline:none">Python</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">Bash</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">OpenSSL</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">PowerShell</li><li role="tab" tabindex="0" aria-selected="false" class="tabs__item tabItem_1w39" style="outline:none">Terraform</li></ul><div role="tabpanel" class="margin-vert--md"><div><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-shell codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">python -c </span><span class="token string" style="color:rgb(195, 232, 141)">'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'</span></div></div></div></div></div></div></div></div><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="config-file"></a>Config File<a aria-hidden="true" tabindex="-1" class="hash-link" href="#config-file" title="Direct link to heading">#</a></h3><p>Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the config option should be plural (trailing s).</p><p>An example <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example" target="_blank" rel="noopener noreferrer">oauth2-proxy.cfg</a> config file is in the contrib directory. It can be used by specifying <code>--config=/etc/oauth2-proxy.cfg</code></p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="command-line-options"></a>Command Line Options<a aria-hidden="true" tabindex="-1" class="hash-link" href="#command-line-options" title="Direct link to heading">#</a></h3><table><thead><tr><th>Option</th><th>Type</th><th>Description</th><th>Default</th></tr></thead><tbody><tr><td><code>--acr-values</code></td><td>string</td><td>optional, see <a href="https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues" target="_blank" rel="noopener noreferrer">docs</a></td><td><code>""</code></td></tr><tr><td><code>--approval-prompt</code></td><td>string</td><td>OAuth approval_prompt</td><td><code>"force"</code></td></tr><tr><td><code>--auth-logging</code></td><td>bool</td><td>Log authentication attempts</td><td>true</td></tr><tr><td><code>--auth-logging-format</code></td><td>string</td><td>Template for authentication log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--authenticated-emails-file</code></td><td>string</td><td>authenticate against emails via file (one per line)</td><td></td></tr><tr><td><code>--azure-tenant</code></td><td>string</td><td>go to a tenant-specific or common (tenant-independent) endpoint.</td><td><code>"common"</code></td></tr><tr><td><code>--basic-auth-password</code></td><td>string</td><td>the password to set when passing the HTTP Basic Auth header</td><td></td></tr><tr><td><code>--client-id</code></td><td>string</td><td>the OAuth Client ID, e.g. <code>"123456.apps.googleusercontent.com"</code></td><td></td></tr><tr><td><code>--client-secret</code></td><td>string</td><td>the OAuth Client Secret</td><td></td></tr><tr><td><code>--client-secret-file</code></td><td>string</td><td>the file with OAuth Client Secret</td><td></td></tr><tr><td><code>--config</code></td><td>string</td><td>path to config file</td><td></td></tr><tr><td><code>--cookie-domain</code></td><td>string | list</td><td>Optional cookie domains to force cookies to (e.g. <code>.yourcompany.com</code>). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).</td><td></td></tr><tr><td><code>--cookie-expire</code></td><td>duration</td><td>expire timeframe for cookie</td><td>168h0m0s</td></tr><tr><td><code>--cookie-httponly</code></td><td>bool</td><td>set HttpOnly cookie flag</td><td>true</td></tr><tr><td><code>--cookie-name</code></td><td>string</td><td>the name of the cookie that the oauth_proxy creates</td><td><code>"_oauth2_proxy"</code></td></tr><tr><td><code>--cookie-path</code></td><td>string</td><td>an optional cookie path to force cookies to (e.g. <code>/poc/</code>)</td><td><code>"/"</code></td></tr><tr><td><code>--cookie-refresh</code></td><td>duration</td><td>refresh the cookie after this duration; <code>0</code> to disable; not supported by all providers [<a href="#footnote1">1</a>]</td><td></td></tr><tr><td><code>--cookie-secret</code></td><td>string</td><td>the seed string for secure cookies (optionally base64 encoded)</td><td></td></tr><tr><td><code>--cookie-secure</code></td><td>bool</td><td>set <a href="https://owasp.org/www-community/controls/SecureFlag" target="_blank" rel="noopener noreferrer">secure (HTTPS only) cookie flag</a></td><td>true</td></tr><tr><td><code>--cookie-samesite</code></td><td>string</td><td>set SameSite cookie attribute (<code>"lax"</code>, <code>"strict"</code>, <code>"none"</code>, or <code>""</code>).</td><td><code>""</code></td></tr><tr><td><code>--custom-templates-dir</code></td><td>string</td><td>path to custom html templates</td><td></td></tr><tr><td><code>--custom-sign-in-logo</code></td><td>string</td><td>path or a URL to an custom image for the sign_in page logo. Use \"-\" to disable default logo.</td><td></td></tr><tr><td><code>--display-htpasswd-form</code></td><td>bool</td><td>display username / password login form if an htpasswd file is provided</td><td>true</td></tr><tr><td><code>--email-domain</code></td><td>string | list</td><td>authenticate emails with the specified domain (may be given multiple times). Use <code>*</code> to authenticate any email</td><td></td></tr><tr><td><code>--errors-to-info-log</code></td><td>bool</td><td>redirects error-level logging to default log channel instead of stderr</td><td></td></tr><tr><td><code>--extra-jwt-issuers</code></td><td>string</td><td>if <code>--skip-jwt-bearer-tokens</code> is set, a list of extra JWT <code>issuer=audience</code> (see a token's <code>iss</code>, <code>aud</code> fields) pairs (where the issuer URL has a <code>.well-known/openid-configuration</code> or a <code>.well-known/jwks.json</code>)</td><td></td></tr><tr><td><code>--exclude-logging-path</code></td><td>string</td><td>comma separated list of paths to exclude from logging, e.g. <code>"/ping,/path2"</code></td><td><code>""</code> (no paths excluded)</td></tr><tr><td><code>--flush-interval</code></td><td>duration</td><td>period between flushing response buffers when streaming responses</td><td><code>"1s"</code></td></tr><tr><td><code>--force-https</code></td><td>bool</td><td>enforce https redirect</td><td><code>false</code></td></tr><tr><td><code>--force-json-errors</code></td><td>bool</td><td>force JSON errors instead of HTTP error pages or redirects</td><td><code>false</code></td></tr><tr><td><code>--banner</code></td><td>string</td><td>custom (html) banner string. Use <code>"-"</code> to disable default banner.</td><td></td></tr><tr><td><code>--footer</code></td><td>string</td><td>custom (html) footer string. Use <code>"-"</code> to disable default footer.</td><td></td></tr><tr><td><code>--github-org</code></td><td>string</td><td>restrict logins to members of this organisation</td><td></td></tr><tr><td><code>--github-team</code></td><td>string</td><td>restrict logins to members of any of these teams (slug), separated by a comma</td><td></td></tr><tr><td><code>--github-repo</code></td><td>string</td><td>restrict logins to collaborators of this repository formatted as <code>orgname/repo</code></td><td></td></tr><tr><td><code>--github-token</code></td><td>string</td><td>the token to use when verifying repository collaborators (must have push access to the repository)</td><td></td></tr><tr><td><code>--github-user</code></td><td>string | list</td><td>To allow users to login by username even if they do not belong to the specified org and team or collaborators</td><td></td></tr><tr><td><code>--gitlab-group</code></td><td>string | list</td><td>restrict logins to members of any of these groups (slug), separated by a comma</td><td></td></tr><tr><td><code>--gitlab-projects</code></td><td>string | list</td><td>restrict logins to members of any of these projects (may be given multiple times) formatted as <code>orgname/repo=accesslevel</code>. Access level should be a value matching <a href="https://docs.gitlab.com/ee/api/members.html#valid-access-levels" target="_blank" rel="noopener noreferrer">Gitlab access levels</a>, defaulted to 20 if absent</td><td></td></tr><tr><td><code>--google-admin-email</code></td><td>string</td><td>the google admin to impersonate for api calls</td><td></td></tr><tr><td><code>--google-group</code></td><td>string</td><td>restrict logins to members of this google group (may be given multiple times).</td><td></td></tr><tr><td><code>--google-service-account-json</code></td><td>string</td><td>the path to the service account json credentials</td><td></td></tr><tr><td><code>--htpasswd-file</code></td><td>string</td><td>additionally authenticate against a htpasswd file. Entries must be created with <code>htpasswd -B</code> for bcrypt encryption</td><td></td></tr><tr><td><code>--htpasswd-user-group</code></td><td>string | list</td><td>the groups to be set on sessions for htpasswd users</td><td></td></tr><tr><td><code>--http-address</code></td><td>string</td><td><code>[http://]<addr>:<port></code> or <code>unix://<path></code> to listen on for HTTP clients</td><td><code>"127.0.0.1:4180"</code></td></tr><tr><td><code>--https-address</code></td><td>string</td><td><code><addr>:<port></code> to listen on for HTTPS clients</td><td><code>":443"</code></td></tr><tr><td><code>--logging-compress</code></td><td>bool</td><td>Should rotated log files be compressed using gzip</td><td>false</td></tr><tr><td><code>--logging-filename</code></td><td>string</td><td>File to log requests to, empty for <code>stdout</code></td><td><code>""</code> (stdout)</td></tr><tr><td><code>--logging-local-time</code></td><td>bool</td><td>Use local time in log files and backup filenames instead of UTC</td><td>true (local time)</td></tr><tr><td><code>--logging-max-age</code></td><td>int</td><td>Maximum number of days to retain old log files</td><td>7</td></tr><tr><td><code>--logging-max-backups</code></td><td>int</td><td>Maximum number of old log files to retain; 0 to disable</td><td>0</td></tr><tr><td><code>--logging-max-size</code></td><td>int</td><td>Maximum size in megabytes of the log file before rotation</td><td>100</td></tr><tr><td><code>--jwt-key</code></td><td>string</td><td>private key in PEM format used to sign JWT, so that you can say something like <code>--jwt-key="${OAUTH2_PROXY_JWT_KEY}"</code>: required by login.gov</td><td></td></tr><tr><td><code>--jwt-key-file</code></td><td>string</td><td>path to the private key file in PEM format used to sign the JWT so that you can say something like <code>--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem</code>: required by login.gov</td><td></td></tr><tr><td><code>--login-url</code></td><td>string</td><td>Authentication endpoint</td><td></td></tr><tr><td><code>--insecure-oidc-allow-unverified-email</code></td><td>bool</td><td>don't fail if an email address in an id_token is not verified</td><td>false</td></tr><tr><td><code>--insecure-oidc-skip-issuer-verification</code></td><td>bool</td><td>allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)</td><td>false</td></tr><tr><td><code>--insecure-oidc-skip-nonce</code></td><td>bool</td><td>skip verifying the OIDC ID Token's nonce claim</td><td>true</td></tr><tr><td><code>--oidc-issuer-url</code></td><td>string</td><td>the OpenID Connect issuer URL, e.g. <code>"https://accounts.google.com"</code></td><td></td></tr><tr><td><code>--oidc-jwks-url</code></td><td>string</td><td>OIDC JWKS URI for token verification; required if OIDC discovery is disabled</td><td></td></tr><tr><td><code>--oidc-email-claim</code></td><td>string</td><td>which OIDC claim contains the user's email</td><td><code>"email"</code></td></tr><tr><td><code>--oidc-groups-claim</code></td><td>string</td><td>which OIDC claim contains the user groups</td><td><code>"groups"</code></td></tr><tr><td><code>--oidc-audience-claim</code></td><td>string</td><td>which OIDC claim contains the audience</td><td><code>"aud"</code></td></tr><tr><td><code>--oidc-extra-audience</code></td><td>string | list</td><td>additional audiences which are allowed to pass verification</td><td><code>"[]"</code></td></tr><tr><td><code>--pass-access-token</code></td><td>bool</td><td>pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with <code>--set-xauthrequest</code> this adds the X-Auth-Request-Access-Token header to the response</td><td>false</td></tr><tr><td><code>--pass-authorization-header</code></td><td>bool</td><td>pass OIDC IDToken to upstream via Authorization Bearer header</td><td>false</td></tr><tr><td><code>--pass-basic-auth</code></td><td>bool</td><td>pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream</td><td>true</td></tr><tr><td><code>--prefer-email-to-user</code></td><td>bool</td><td>Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with <code>--pass-basic-auth</code> and <code>--pass-user-headers</code></td><td>false</td></tr><tr><td><code>--pass-host-header</code></td><td>bool</td><td>pass the request Host Header to upstream</td><td>true</td></tr><tr><td><code>--pass-user-headers</code></td><td>bool</td><td>pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream</td><td>true</td></tr><tr><td><code>--profile-url</code></td><td>string</td><td>Profile access endpoint</td><td></td></tr><tr><td><code>--prompt</code></td><td>string</td><td><a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank" rel="noopener noreferrer">OIDC prompt</a>; if present, <code>approval-prompt</code> is ignored</td><td><code>""</code></td></tr><tr><td><code>--provider</code></td><td>string</td><td>OAuth provider</td><td>google</td></tr><tr><td><code>--provider-ca-file</code></td><td>string | list</td><td>Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.</td><td></td></tr><tr><td><code>--provider-display-name</code></td><td>string</td><td>Override the provider's name with the given string; used for the sign-in page</td><td>(depends on provider)</td></tr><tr><td><code>--ping-path</code></td><td>string</td><td>the ping endpoint that can be used for basic health checks</td><td><code>"/ping"</code></td></tr><tr><td><code>--ping-user-agent</code></td><td>string</td><td>a User-Agent that can be used for basic health checks</td><td><code>""</code> (don't check user agent)</td></tr><tr><td><code>--metrics-address</code></td><td>string</td><td>the address prometheus metrics will be scraped from</td><td><code>""</code></td></tr><tr><td><code>--proxy-prefix</code></td><td>string</td><td>the url root path that this proxy should be nested under (e.g. /<code><oauth2>/sign_in</code>)</td><td><code>"/oauth2"</code></td></tr><tr><td><code>--proxy-websockets</code></td><td>bool</td><td>enables WebSocket proxying</td><td>true</td></tr><tr><td><code>--pubjwk-url</code></td><td>string</td><td>JWK pubkey access endpoint: required by login.gov</td><td></td></tr><tr><td><code>--real-client-ip-header</code></td><td>string</td><td>Header used to determine the real IP of the client, requires <code>--reverse-proxy</code> to be set (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP)</td><td>X-Real-IP</td></tr><tr><td><code>--redeem-url</code></td><td>string</td><td>Token redemption endpoint</td><td></td></tr><tr><td><code>--redirect-url</code></td><td>string</td><td>the OAuth Redirect URL, e.g. <code>"https://internalapp.yourcompany.com/oauth2/callback"</code></td><td></td></tr><tr><td><code>--redis-cluster-connection-urls</code></td><td>string | list</td><td>List of Redis cluster connection URLs (e.g. <code>redis://HOST[:PORT]</code>). Used in conjunction with <code>--redis-use-cluster</code></td><td></td></tr><tr><td><code>--redis-connection-url</code></td><td>string</td><td>URL of redis server for redis session storage (e.g. <code>redis://HOST[:PORT]</code>)</td><td></td></tr><tr><td><code>--redis-password</code></td><td>string</td><td>Redis password. Applicable for all Redis configurations. Will override any password set in <code>--redis-connection-url</code></td><td></td></tr><tr><td><code>--redis-sentinel-password</code></td><td>string</td><td>Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use <code>--redis-password</code></td><td></td></tr><tr><td><code>--redis-sentinel-master-name</code></td><td>string</td><td>Redis sentinel master name. Used in conjunction with <code>--redis-use-sentinel</code></td><td></td></tr><tr><td><code>--redis-sentinel-connection-urls</code></td><td>string | list</td><td>List of Redis sentinel connection URLs (e.g. <code>redis://HOST[:PORT]</code>). Used in conjunction with <code>--redis-use-sentinel</code></td><td></td></tr><tr><td><code>--redis-use-cluster</code></td><td>bool</td><td>Connect to redis cluster. Must set <code>--redis-cluster-connection-urls</code> to use this feature</td><td>false</td></tr><tr><td><code>--redis-use-sentinel</code></td><td>bool</td><td>Connect to redis via sentinels. Must set <code>--redis-sentinel-master-name</code> and <code>--redis-sentinel-connection-urls</code> to use this feature</td><td>false</td></tr><tr><td><code>--request-id-header</code></td><td>string</td><td>Request header to use as the request ID in logging</td><td>X-Request-Id</td></tr><tr><td><code>--request-logging</code></td><td>bool</td><td>Log requests</td><td>true</td></tr><tr><td><code>--request-logging-format</code></td><td>string</td><td>Template for request log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--resource</code></td><td>string</td><td>The resource that is protected (Azure AD only)</td><td></td></tr><tr><td><code>--reverse-proxy</code></td><td>bool</td><td>are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection</td><td>false</td></tr><tr><td><code>--scope</code></td><td>string</td><td>OAuth scope specification</td><td></td></tr><tr><td><code>--session-cookie-minimal</code></td><td>bool</td><td>strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)</td><td>false</td></tr><tr><td><code>--session-store-type</code></td><td>string</td><td><a href="/oauth2-proxy/docs/next/configuration/session_storage">Session data storage backend</a>; redis or cookie</td><td>cookie</td></tr><tr><td><code>--set-xauthrequest</code></td><td>bool</td><td>set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with <code>--pass-access-token</code>, X-Auth-Request-Access-Token is added to response headers.</td><td>false</td></tr><tr><td><code>--set-authorization-header</code></td><td>bool</td><td>set Authorization Bearer response header (useful in Nginx auth_request mode)</td><td>false</td></tr><tr><td><code>--set-basic-auth</code></td><td>bool</td><td>set HTTP Basic Auth information in response (useful in Nginx auth_request mode)</td><td>false</td></tr><tr><td><code>--show-debug-on-error</code></td><td>bool</td><td>show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)</td><td>false</td></tr><tr><td><code>--signature-key</code></td><td>string</td><td>GAP-Signature request signature key (algorithm:secretkey)</td><td></td></tr><tr><td><code>--silence-ping-logging</code></td><td>bool</td><td>disable logging of requests to ping endpoint</td><td>false</td></tr><tr><td><code>--skip-auth-preflight</code></td><td>bool</td><td>will skip authentication for OPTIONS requests</td><td>false</td></tr><tr><td><code>--skip-auth-regex</code></td><td>string | list</td><td>(DEPRECATED for <code>--skip-auth-route</code>) bypass authentication for requests paths that match (may be given multiple times)</td><td></td></tr><tr><td><code>--skip-auth-route</code></td><td>string | list</td><td>bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods</td><td></td></tr><tr><td><code>--skip-auth-strip-headers</code></td><td>bool</td><td>strips <code>X-Forwarded-*</code> style authentication headers & <code>Authorization</code> header if they would be set by oauth2-proxy</td><td>true</td></tr><tr><td><code>--skip-jwt-bearer-tokens</code></td><td>bool</td><td>will skip requests that have verified JWT bearer tokens (the token must have <a href="https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields" target="_blank" rel="noopener noreferrer"><code>aud</code></a> that matches this client id or one of the extras from <code>extra-jwt-issuers</code>)</td><td>false</td></tr><tr><td><code>--skip-oidc-discovery</code></td><td>bool</td><td>bypass OIDC endpoint discovery. <code>--login-url</code>, <code>--redeem-url</code> and <code>--oidc-jwks-url</code> must be configured in this case</td><td>false</td></tr><tr><td><code>--skip-provider-button</code></td><td>bool</td><td>will skip sign-in-page to directly reach the next step: oauth/start</td><td>false</td></tr><tr><td><code>--ssl-insecure-skip-verify</code></td><td>bool</td><td>skip validation of certificates presented when using HTTPS providers</td><td>false</td></tr><tr><td><code>--ssl-upstream-insecure-skip-verify</code></td><td>bool</td><td>skip validation of certificates presented when using HTTPS upstreams</td><td>false</td></tr><tr><td><code>--standard-logging</code></td><td>bool</td><td>Log standard runtime information</td><td>true</td></tr><tr><td><code>--standard-logging-format</code></td><td>string</td><td>Template for standard log lines</td><td>see <a href="#logging-configuration">Logging Configuration</a></td></tr><tr><td><code>--tls-cert-file</code></td><td>string</td><td>path to certificate file</td><td></td></tr><tr><td><code>--tls-key-file</code></td><td>string</td><td>path to private key file</td><td></td></tr><tr><td><code>--tls-min-version</code></td><td>string</td><td>minimum TLS version that is acceptable, either <code>"TLS1.2"</code> or <code>"TLS1.3"</code></td><td><code>"TLS1.2"</code></td></tr><tr><td><code>--upstream</code></td><td>string | list</td><td>the http url(s) of the upstream endpoint, file:// paths for static files or <code>static://<status_code></code> for static response. Routing is based on the path</td><td></td></tr><tr><td><code>--allowed-group</code></td><td>string | list</td><td>restrict logins to members of this group (may be given multiple times)</td><td></td></tr><tr><td><code>--allowed-role</code></td><td>string | list</td><td>restrict logins to users with this role (may be given multiple times). Only works with the keycloak-oidc provider.</td><td></td></tr><tr><td><code>--validate-url</code></td><td>string</td><td>Access token validation endpoint</td><td></td></tr><tr><td><code>--version</code></td><td>n/a</td><td>print version string</td><td></td></tr><tr><td><code>--whitelist-domain</code></td><td>string | list</td><td>allowed domains for redirection after authentication. Prefix domain with a <code>.</code> or a <code>*.</code> to allow subdomains (e.g. <code>.example.com</code>, <code>*.example.com</code>) [<a href="#footnote2">2</a>]</td><td></td></tr><tr><td><code>--trusted-ip</code></td><td>string | list</td><td>list of IPs or CIDR ranges to allow to bypass authentication (may be given multiple times). When combined with <code>--reverse-proxy</code> and optionally <code>--real-client-ip-header</code> this will evaluate the trust of the IP stored in an HTTP header by a reverse proxy rather than the layer-3/4 remote address. WARNING: trusting IPs has inherent security flaws, especially when obtaining the IP address from an HTTP header (reverse-proxy mode). Use this option only if you understand the risks and how to manage them.</td><td></td></tr></tbody></table><p>[<a name="footnote1">1</a>]: Only these providers support <code>--cookie-refresh</code>: GitLab, Google and OIDC</p><p>[<a name="footnote2">2</a>]: When using the <code>whitelist-domain</code> option, any domain prefixed with a <code>.</code> or a <code>*.</code> will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: <code>example.com:8080</code>. To allow any port, use <code>*</code>: <code>example.com:*</code>.</p><p>See below for provider specific options</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="upstreams-configuration"></a>Upstreams Configuration<a aria-hidden="true" tabindex="-1" class="hash-link" href="#upstreams-configuration" title="Direct link to heading">#</a></h3><p><code>oauth2-proxy</code> supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as <code>http://127.0.0.1:8080/</code> for the upstream parameter. This will forward all authenticated requests to the upstream server. If you instead provide <code>http://127.0.0.1:8080/some/path/</code> then it will only be requests that start with <code>/some/path/</code> which are forwarded to the upstream.</p><p>Static file paths are configured as a file:// URL. <code>file:///var/www/static/</code> will serve the files from that directory at <code>http://[oauth2-proxy url]/var/www/static/</code>, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. <code>file:///var/www/static/#/static/</code> will make <code>/var/www/static/</code> available at <code>http://[oauth2-proxy url]/static/</code>.</p><p>Multiple upstreams can either be configured by supplying a comma separated list to the <code>--upstream</code> parameter, supplying the parameter multiple times or providing a list in the <a href="#config-file">config file</a>. When multiple upstreams are used routing to them will be based on the path they are set up with.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="environment-variables"></a>Environment variables<a aria-hidden="true" tabindex="-1" class="hash-link" href="#environment-variables" title="Direct link to heading">#</a></h3><p>Every command line argument can be specified as an environment variable by
prefixing it with <code>OAUTH2_PROXY_</code>, capitalising it, and replacing hyphens (<code>-</code>)
with underscores (<code>_</code>). If the argument can be specified multiple times, the
environment variable should be plural (trailing <code>S</code>).</p><p>This is particularly useful for storing secrets outside of a configuration file
@@ -43,7 +43,7 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">services</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">a-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.2</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">b-service-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.3</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">7555</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-backend</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">loadBalancer</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">servers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">url</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> http</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//172.16.0.1</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token number" style="color:rgb(247, 140, 108)">4180</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">middlewares</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">auth-headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">headers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslRedirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsSeconds</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token number" style="color:rgb(247, 140, 108)">315360000</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">browserXssFilter</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">contentTypeNosniff</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forceSTSHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">sslHost</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> example.com</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsIncludeSubdomains</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">stsPreload</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">frameDeny</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">oauth-auth-wo-redirect</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">forwardAuth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">address</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> https</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain">//oauth.example.com/oauth2/auth</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">trustForwardHeader</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token boolean important" style="color:rgb(255, 88, 116)">true</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">authResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> X</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Auth</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Request</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Access</span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain">Token</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> Authorization</span></div></div></div></div></div><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>If you set up your OAuth2 provider to rotate your client secret, you can use the <code>client-secret-file</code> option to reload the secret when it is updated.</p></div></div></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/overview.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/behaviour"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Behaviour</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/oauth_provider"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">OAuth Provider Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#generating-a-cookie-secret" class="table-of-contents__link">Generating a Cookie Secret</a></li><li><a href="#config-file" class="table-of-contents__link">Config File</a></li><li><a href="#command-line-options" class="table-of-contents__link">Command Line Options</a></li><li><a href="#upstreams-configuration" class="table-of-contents__link">Upstreams Configuration</a></li><li><a href="#environment-variables" class="table-of-contents__link">Environment variables</a></li><li><a href="#logging-configuration" class="table-of-contents__link">Logging Configuration</a><ul><li><a href="#auth-log-format" class="table-of-contents__link">Auth Log Format</a></li><li><a href="#request-log-format" class="table-of-contents__link">Request Log Format</a></li><li><a href="#standard-log-format" class="table-of-contents__link">Standard Log Format</a></li></ul></li><li><a href="#configuring-for-use-with-the-nginx-auth_request-directive" class="table-of-contents__link">Configuring for use with the Nginx <code>auth_request</code> directive</a></li><li><a href="#configuring-for-use-with-the-traefik-v2-forwardauth-middleware" class="table-of-contents__link">Configuring for use with the Traefik (v2) <code>ForwardAuth</code> middleware</a><ul><li><a href="#forwardauth-with-401-errors-middleware" class="table-of-contents__link">ForwardAuth with 401 errors middleware</a></li><li><a href="#forwardauth-with-static-upstreams-configuration" class="table-of-contents__link">ForwardAuth with static upstreams configuration</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
@@ -51,6 +51,6 @@ Note that <code>nginxinc/kubernetes-ingress</code> does not include the Lua modu
<script src="/oauth2-proxy/60.0c644c35.js"></script>
<script src="/oauth2-proxy/935f2afb.1429e449.js"></script>
<script src="/oauth2-proxy/17896441.3f09010b.js"></script>
-<script src="/oauth2-proxy/0f425520.3155874e.js"></script>
+<script src="/oauth2-proxy/0f425520.6799b1da.js"></script>
</body>
</html>
\ No newline at end of file
diff --git a/docs/next/configuration/session_storage/index.html b/docs/next/configuration/session_storage/index.html
index bbdae380..ccea23b0 100644
--- a/docs/next/configuration/session_storage/index.html
+++ b/docs/next/configuration/session_storage/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Session Storage | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Session Storage | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:description" content="Sessions allow a user's authentication to be tracked between multiple HTTP"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/session_storage"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/session_storage"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -35,7 +35,7 @@ disclosure.</p><h4><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnc
and <code>--redis-sentinel-connection-urls</code> appropriately.</p><p>Redis Cluster is available to be the backend store as well. To leverage it, you will need to set the
<code>--redis-use-cluster=true</code> flag, and configure the flags <code>--redis-cluster-connection-urls</code> appropriately.</p><p>Note that flags <code>--redis-use-sentinel=true</code> and <code>--redis-use-cluster=true</code> are mutually exclusive.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/sessions.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/oauth_provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« OAuth Provider Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/tls"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">TLS Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#cookie-storage" class="table-of-contents__link">Cookie Storage</a></li><li><a href="#redis-storage" class="table-of-contents__link">Redis Storage</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/configuration/tls/index.html b/docs/next/configuration/tls/index.html
index 29bdb9dd..2285669e 100644
--- a/docs/next/configuration/tls/index.html
+++ b/docs/next/configuration/tls/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">TLS Configuration | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="TLS Configuration | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="There are two recommended configurations:"><meta data-react-helmet="true" property="og:description" content="There are two recommended configurations:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/tls"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -29,7 +29,7 @@ would be <code>https://internal.yourcompany.com/</code>.</p><p>An example Nginx
via <a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">HSTS</a>:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">server {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> listen 443 default ssl;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> server_name internal.yourcompany.com;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate /path/to/cert.pem;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> ssl_certificate_key /path/to/cert.key;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> add_header Strict-Transport-Security max-age=2592000;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block">
</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> location / {</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_pass http://127.0.0.1:4180;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header Host $host;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Real-IP $remote_addr;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_set_header X-Scheme $scheme;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_connect_timeout 1;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_send_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> proxy_read_timeout 30;</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> }</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">}</span></div></div></div></div></div></li><li><p>The command line to run <code>oauth2-proxy</code> in this configuration would look like this:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-bash codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">./oauth2-proxy </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token string" style="color:rgb(195, 232, 141)">"yourcompany.com"</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --upstream</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">http://127.0.0.1:8080/ </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --cookie-secure</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --reverse-proxy</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token plain">true </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">. </span><span class="token punctuation" style="color:rgb(199, 146, 234)">\</span><span class="token plain"></span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret</span><span class="token operator" style="color:rgb(137, 221, 255)">=</span><span class="token punctuation" style="color:rgb(199, 146, 234)">..</span><span class="token plain">.</span></div></div></div></div></div></li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/tls.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/session_storage"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Session Storage</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Alpha Configuration »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#terminate-tls-at-oauth2-proxy" class="table-of-contents__link">Terminate TLS at OAuth2 Proxy</a></li><li><a href="#terminate-tls-at-reverse-proxy-eg-nginx" class="table-of-contents__link">Terminate TLS at Reverse Proxy, e.g. Nginx</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/docs/next/features/endpoints/index.html b/docs/next/features/endpoints/index.html
index cb89d95d..7da1761f 100644
--- a/docs/next/features/endpoints/index.html
+++ b/docs/next/features/endpoints/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Endpoints | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Endpoints | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/endpoints"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/features/endpoints"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -14,13 +14,13 @@
<link rel="preload" href="/oauth2-proxy/60.0c644c35.js" as="script">
<link rel="preload" href="/oauth2-proxy/935f2afb.1429e449.js" as="script">
<link rel="preload" href="/oauth2-proxy/17896441.3f09010b.js" as="script">
-<link rel="preload" href="/oauth2-proxy/efc9be4b.e5ba1330.js" as="script">
+<link rel="preload" href="/oauth2-proxy/efc9be4b.54e8580a.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
-<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by <code>--metrics-address</code>, disabled by default</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/next/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
+<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/features/endpoints">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/features/endpoints">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/features/endpoints">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/features/endpoints">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/features/endpoints">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist menu__link--active" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/features/endpoints">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Endpoints</h1></header><div class="markdown"><p>OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The <code>/oauth2</code> prefix can be changed with the <code>--proxy-prefix</code> config variable.</p><ul><li>/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see <a href="http://www.robotstxt.org/" target="_blank" rel="noopener noreferrer">robotstxt.org</a> for more info</li><li>/ping - returns a 200 OK response, which is intended for use with health checks</li><li>/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by <code>--metrics-address</code>, disabled by default</li><li>/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)</li><li>/oauth2/sign_out - this URL is used to clear the session cookie</li><li>/oauth2/start - a URL that will redirect to start the OAuth cycle</li><li>/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.</li><li>/oauth2/userinfo - the URL is used to return user's email from the session in JSON format.</li><li>/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the <a href="/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive">Nginx <code>auth_request</code> directive</a></li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="sign-out"></a>Sign out<a aria-hidden="true" tabindex="-1" class="hash-link" href="#sign-out" title="Direct link to heading">#</a></h3><p>To sign the user out, redirect them to <code>/oauth2/sign_out</code>. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the <code>rd</code> query parameter, i.e. redirect the user to something like (notice the url-encoding!):</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page</span></div></div></div></div></div><p>Alternatively, include the redirect URL in the <code>X-Auth-Request-Redirect</code> header:</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">GET /oauth2/sign_out HTTP/1.1</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">X-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">...</span></div></div></div></div></div><p>(The "sign_out_page" should be the <a href="https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1" target="_blank" rel="noopener noreferrer"><code>end_session_endpoint</code></a> from <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" target="_blank" rel="noopener noreferrer">the metadata</a> if your OIDC provider supports Session Management and Discovery.)</p><p>BEWARE that the domain you want to redirect to (<code>my-oidc-provider.example.com</code> in the example) must be added to the <a href="/oauth2-proxy/docs/next/configuration/overview"><code>--whitelist-domain</code></a> configuration option otherwise the redirect will be ignored.</p><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="auth"></a>Auth<a aria-hidden="true" tabindex="-1" class="hash-link" href="#auth" title="Direct link to heading">#</a></h3><p>This endpoint returns 202 Accepted response or a 401 Unauthorized response.</p><p>It can be configured using the following query parameters query parameters:</p><ul><li><code>allowed_groups</code>: comma separated list of allowed groups</li><li><code>allowed_email_domains</code>: comma separated list of allowed email domains</li></ul></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/endpoints.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/configuration/alpha-config"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Alpha Configuration</div></a></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/community/security"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Security »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#sign-out" class="table-of-contents__link">Sign out</a></li><li><a href="#auth" class="table-of-contents__link">Auth</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
@@ -28,6 +28,6 @@
<script src="/oauth2-proxy/60.0c644c35.js"></script>
<script src="/oauth2-proxy/935f2afb.1429e449.js"></script>
<script src="/oauth2-proxy/17896441.3f09010b.js"></script>
-<script src="/oauth2-proxy/efc9be4b.e5ba1330.js"></script>
+<script src="/oauth2-proxy/efc9be4b.54e8580a.js"></script>
</body>
</html>
\ No newline at end of file
diff --git a/docs/next/index.html b/docs/next/index.html
index f475a7f8..c2dcd6f5 100644
--- a/docs/next/index.html
+++ b/docs/next/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Installation | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="current"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-current"><meta data-react-helmet="true" property="og:title" content="Installation | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:description" content="1. Choose how to deploy:"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/next/">Next</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">7.2.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active active" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/oauth_provider">OAuth Provider Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Features</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Community</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></div></div></div><main class="docMainContainer_3EyW"><div class="container padding-vert--lg docItemWrapper_1EkI"><div class="row"><div class="col docItemCol_2ASc"><div class="alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for OAuth2 Proxy <strong>Next</strong> version.</div><div class="margin-top--md">For up-to-date documentation, see the <strong><a href="/oauth2-proxy/docs/">latest version</a></strong> (7.2.x).</div></div><div class="docItemContainer_3QWW"><article><div><span class="badge badge--secondary">Version: Next</span></div><header><h1 class="docTitle_1Lrw">Installation</h1></header><div class="markdown"><ol><li><p>Choose how to deploy:</p><p>a. Download <a href="https://github.com/oauth2-proxy/oauth2-proxy/releases" target="_blank" rel="noopener noreferrer">Prebuilt Binary</a> (current release is <code>v7.2.1</code>)</p><p>b. Build with <code>$ go get github.com/oauth2-proxy/oauth2-proxy/v7</code> which will put the binary in <code>$GOPATH/bin</code></p><p>c. Using the prebuilt docker image <a href="https://quay.io/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer">quay.io/oauth2-proxy/oauth2-proxy</a> (AMD64, ARMv6 and ARM64 tags available)</p><p>d. Using a <a href="https://github.com/oauth2-proxy/manifests" target="_blank" rel="noopener noreferrer">Kubernetes manifest</a> (Helm)</p></li></ol><p>Prebuilt binaries can be validated by extracting the file and verifying it against the <code>sha256sum.txt</code> checksum file provided for each release starting with version <code>v3.0.0</code>.</p><div class="mdxCodeBlock_1XEh"><div class="codeBlockContent_1u-d"><button tabindex="0" type="button" aria-label="Copy code to clipboard" class="copyButton_10dd">Copy</button><div class="prism-code language-undefined codeBlock_3iAC"><div class="codeBlockLines_b7E3" style="color:#bfc7d5;background-color:#292d3e"><div class="token-line" style="color:#bfc7d5"><span class="token plain">$ sha256sum -c sha256sum.txt</span></div><div class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy-x.y.z.linux-amd64: OK</span></div></div></div></div></div><ol start="2"><li><a href="/oauth2-proxy/docs/next/configuration/oauth_provider">Select a Provider and Register an OAuth Application with a Provider</a></li><li><a href="/oauth2-proxy/docs/next/configuration/overview">Configure OAuth2 Proxy using config file, command line options, or environment variables</a></li><li><a href="/oauth2-proxy/docs/next/configuration/tls">Configure SSL or Deploy behind a SSL endpoint</a> (example provided for Nginx)</li></ol></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/installation.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"><a class="pagination-nav__link" href="/oauth2-proxy/docs/next/behaviour"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Behaviour »</div></a></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/efc9be4b.54e8580a.js b/efc9be4b.54e8580a.js
new file mode 100644
index 00000000..5d27adbe
--- /dev/null
+++ b/efc9be4b.54e8580a.js
@@ -0,0 +1 @@
+(window.webpackJsonp=window.webpackJsonp||[]).push([[50],{108:function(e,t,n){"use strict";n.r(t),n.d(t,"frontMatter",(function(){return a})),n.d(t,"metadata",(function(){return c})),n.d(t,"rightToc",(function(){return s})),n.d(t,"default",(function(){return u}));var r=n(2),o=n(6),i=(n(0),n(116)),a={id:"endpoints",title:"Endpoints"},c={unversionedId:"features/endpoints",id:"features/endpoints",isDocsHomePage:!1,title:"Endpoints",description:"OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.",source:"@site/docs/features/endpoints.md",slug:"/features/endpoints",permalink:"/oauth2-proxy/docs/next/features/endpoints",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/endpoints.md",version:"current",sidebar:"docs",previous:{title:"Alpha Configuration",permalink:"/oauth2-proxy/docs/next/configuration/alpha-config"},next:{title:"Security",permalink:"/oauth2-proxy/docs/next/community/security"}},s=[{value:"Sign out",id:"sign-out",children:[]},{value:"Auth",id:"auth",children:[]}],l={rightToc:s};function u(e){var t=e.components,n=Object(o.a)(e,["components"]);return Object(i.b)("wrapper",Object(r.a)({},l,n,{components:t,mdxType:"MDXLayout"}),Object(i.b)("p",null,"OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The ",Object(i.b)("inlineCode",{parentName:"p"},"/oauth2")," prefix can be changed with the ",Object(i.b)("inlineCode",{parentName:"p"},"--proxy-prefix")," config variable."),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see ",Object(i.b)("a",Object(r.a)({parentName:"li"},{href:"http://www.robotstxt.org/"}),"robotstxt.org")," for more info"),Object(i.b)("li",{parentName:"ul"},"/ping - returns a 200 OK response, which is intended for use with health checks"),Object(i.b)("li",{parentName:"ul"},"/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by ",Object(i.b)("inlineCode",{parentName:"li"},"--metrics-address"),", disabled by default"),Object(i.b)("li",{parentName:"ul"},"/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)"),Object(i.b)("li",{parentName:"ul"},"/oauth2/sign_out - this URL is used to clear the session cookie"),Object(i.b)("li",{parentName:"ul"},"/oauth2/start - a URL that will redirect to start the OAuth cycle"),Object(i.b)("li",{parentName:"ul"},"/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url."),Object(i.b)("li",{parentName:"ul"},"/oauth2/userinfo - the URL is used to return user's email from the session in JSON format."),Object(i.b)("li",{parentName:"ul"},"/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the ",Object(i.b)("a",Object(r.a)({parentName:"li"},{href:"/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive"}),"Nginx ",Object(i.b)("inlineCode",{parentName:"a"},"auth_request")," directive"))),Object(i.b)("h3",{id:"sign-out"},"Sign out"),Object(i.b)("p",null,"To sign the user out, redirect them to ",Object(i.b)("inlineCode",{parentName:"p"},"/oauth2/sign_out"),". This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the ",Object(i.b)("inlineCode",{parentName:"p"},"rd")," query parameter, i.e. redirect the user to something like (notice the url-encoding!):"),Object(i.b)("pre",null,Object(i.b)("code",Object(r.a)({parentName:"pre"},{}),"/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page\n")),Object(i.b)("p",null,"Alternatively, include the redirect URL in the ",Object(i.b)("inlineCode",{parentName:"p"},"X-Auth-Request-Redirect")," header:"),Object(i.b)("pre",null,Object(i.b)("code",Object(r.a)({parentName:"pre"},{}),"GET /oauth2/sign_out HTTP/1.1\nX-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page\n...\n")),Object(i.b)("p",null,'(The "sign_out_page" should be the ',Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1"}),Object(i.b)("inlineCode",{parentName:"a"},"end_session_endpoint"))," from ",Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig"}),"the metadata")," if your OIDC provider supports Session Management and Discovery.)"),Object(i.b)("p",null,"BEWARE that the domain you want to redirect to (",Object(i.b)("inlineCode",{parentName:"p"},"my-oidc-provider.example.com")," in the example) must be added to the ",Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"../configuration/overview"}),Object(i.b)("inlineCode",{parentName:"a"},"--whitelist-domain"))," configuration option otherwise the redirect will be ignored."),Object(i.b)("h3",{id:"auth"},"Auth"),Object(i.b)("p",null,"This endpoint returns 202 Accepted response or a 401 Unauthorized response."),Object(i.b)("p",null,"It can be configured using the following query parameters query parameters:"),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},Object(i.b)("inlineCode",{parentName:"li"},"allowed_groups"),": comma separated list of allowed groups"),Object(i.b)("li",{parentName:"ul"},Object(i.b)("inlineCode",{parentName:"li"},"allowed_email_domains"),": comma separated list of allowed email domains")))}u.isMDXComponent=!0},116:function(e,t,n){"use strict";n.d(t,"a",(function(){return p})),n.d(t,"b",(function(){return h}));var r=n(0),o=n.n(r);function i(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}function c(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){i(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}function s(e,t){if(null==e)return{};var n,r,o=function(e,t){if(null==e)return{};var n,r,o={},i=Object.keys(e);for(r=0;r<i.length;r++)n=i[r],t.indexOf(n)>=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(r=0;r<i.length;r++)n=i[r],t.indexOf(n)>=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=o.a.createContext({}),u=function(e){var t=o.a.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):c(c({},t),e)),n},p=function(e){var t=u(e.components);return o.a.createElement(l.Provider,{value:t},e.children)},d={inlineCode:"code",wrapper:function(e){var t=e.children;return o.a.createElement(o.a.Fragment,{},t)}},b=o.a.forwardRef((function(e,t){var n=e.components,r=e.mdxType,i=e.originalType,a=e.parentName,l=s(e,["components","mdxType","originalType","parentName"]),p=u(n),b=r,h=p["".concat(a,".").concat(b)]||p[b]||d[b]||i;return n?o.a.createElement(h,c(c({ref:t},l),{},{components:n})):o.a.createElement(h,c({ref:t},l))}));function h(e,t){var n=arguments,r=t&&t.mdxType;if("string"==typeof e||r){var i=n.length,a=new Array(i);a[0]=b;var c={};for(var s in t)hasOwnProperty.call(t,s)&&(c[s]=t[s]);c.originalType=e,c.mdxType="string"==typeof e?e:r,a[1]=c;for(var l=2;l<i;l++)a[l]=n[l];return o.a.createElement.apply(null,a)}return o.a.createElement.apply(null,n)}b.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/efc9be4b.e5ba1330.js b/efc9be4b.e5ba1330.js
deleted file mode 100644
index 9e3f36fe..00000000
--- a/efc9be4b.e5ba1330.js
+++ /dev/null
@@ -1 +0,0 @@
-(window.webpackJsonp=window.webpackJsonp||[]).push([[50],{108:function(e,t,n){"use strict";n.r(t),n.d(t,"frontMatter",(function(){return a})),n.d(t,"metadata",(function(){return c})),n.d(t,"rightToc",(function(){return s})),n.d(t,"default",(function(){return u}));var r=n(2),o=n(6),i=(n(0),n(116)),a={id:"endpoints",title:"Endpoints"},c={unversionedId:"features/endpoints",id:"features/endpoints",isDocsHomePage:!1,title:"Endpoints",description:"OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.",source:"@site/docs/features/endpoints.md",slug:"/features/endpoints",permalink:"/oauth2-proxy/docs/next/features/endpoints",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/features/endpoints.md",version:"current",sidebar:"docs",previous:{title:"Alpha Configuration",permalink:"/oauth2-proxy/docs/next/configuration/alpha-config"},next:{title:"Security",permalink:"/oauth2-proxy/docs/next/community/security"}},s=[{value:"Sign out",id:"sign-out",children:[]}],p={rightToc:s};function u(e){var t=e.components,n=Object(o.a)(e,["components"]);return Object(i.b)("wrapper",Object(r.a)({},p,n,{components:t,mdxType:"MDXLayout"}),Object(i.b)("p",null,"OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The ",Object(i.b)("inlineCode",{parentName:"p"},"/oauth2")," prefix can be changed with the ",Object(i.b)("inlineCode",{parentName:"p"},"--proxy-prefix")," config variable."),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"/robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see ",Object(i.b)("a",Object(r.a)({parentName:"li"},{href:"http://www.robotstxt.org/"}),"robotstxt.org")," for more info"),Object(i.b)("li",{parentName:"ul"},"/ping - returns a 200 OK response, which is intended for use with health checks"),Object(i.b)("li",{parentName:"ul"},"/metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by ",Object(i.b)("inlineCode",{parentName:"li"},"--metrics-address"),", disabled by default"),Object(i.b)("li",{parentName:"ul"},"/oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)"),Object(i.b)("li",{parentName:"ul"},"/oauth2/sign_out - this URL is used to clear the session cookie"),Object(i.b)("li",{parentName:"ul"},"/oauth2/start - a URL that will redirect to start the OAuth cycle"),Object(i.b)("li",{parentName:"ul"},"/oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url."),Object(i.b)("li",{parentName:"ul"},"/oauth2/userinfo - the URL is used to return user's email from the session in JSON format."),Object(i.b)("li",{parentName:"ul"},"/oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the ",Object(i.b)("a",Object(r.a)({parentName:"li"},{href:"/oauth2-proxy/docs/next/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive"}),"Nginx ",Object(i.b)("inlineCode",{parentName:"a"},"auth_request")," directive"))),Object(i.b)("h3",{id:"sign-out"},"Sign out"),Object(i.b)("p",null,"To sign the user out, redirect them to ",Object(i.b)("inlineCode",{parentName:"p"},"/oauth2/sign_out"),". This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the ",Object(i.b)("inlineCode",{parentName:"p"},"rd")," query parameter, i.e. redirect the user to something like (notice the url-encoding!):"),Object(i.b)("pre",null,Object(i.b)("code",Object(r.a)({parentName:"pre"},{}),"/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page\n")),Object(i.b)("p",null,"Alternatively, include the redirect URL in the ",Object(i.b)("inlineCode",{parentName:"p"},"X-Auth-Request-Redirect")," header:"),Object(i.b)("pre",null,Object(i.b)("code",Object(r.a)({parentName:"pre"},{}),"GET /oauth2/sign_out HTTP/1.1\nX-Auth-Request-Redirect: https://my-oidc-provider/sign_out_page\n...\n")),Object(i.b)("p",null,'(The "sign_out_page" should be the ',Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.2.1"}),Object(i.b)("inlineCode",{parentName:"a"},"end_session_endpoint"))," from ",Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig"}),"the metadata")," if your OIDC provider supports Session Management and Discovery.)"),Object(i.b)("p",null,"BEWARE that the domain you want to redirect to (",Object(i.b)("inlineCode",{parentName:"p"},"my-oidc-provider.example.com")," in the example) must be added to the ",Object(i.b)("a",Object(r.a)({parentName:"p"},{href:"../configuration/overview"}),Object(i.b)("inlineCode",{parentName:"a"},"--whitelist-domain"))," configuration option otherwise the redirect will be ignored."))}u.isMDXComponent=!0},116:function(e,t,n){"use strict";n.d(t,"a",(function(){return l})),n.d(t,"b",(function(){return b}));var r=n(0),o=n.n(r);function i(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}function c(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){i(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}function s(e,t){if(null==e)return{};var n,r,o=function(e,t){if(null==e)return{};var n,r,o={},i=Object.keys(e);for(r=0;r<i.length;r++)n=i[r],t.indexOf(n)>=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(r=0;r<i.length;r++)n=i[r],t.indexOf(n)>=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var p=o.a.createContext({}),u=function(e){var t=o.a.useContext(p),n=t;return e&&(n="function"==typeof e?e(t):c(c({},t),e)),n},l=function(e){var t=u(e.components);return o.a.createElement(p.Provider,{value:t},e.children)},d={inlineCode:"code",wrapper:function(e){var t=e.children;return o.a.createElement(o.a.Fragment,{},t)}},h=o.a.forwardRef((function(e,t){var n=e.components,r=e.mdxType,i=e.originalType,a=e.parentName,p=s(e,["components","mdxType","originalType","parentName"]),l=u(n),h=r,b=l["".concat(a,".").concat(h)]||l[h]||d[h]||i;return n?o.a.createElement(b,c(c({ref:t},p),{},{components:n})):o.a.createElement(b,c({ref:t},p))}));function b(e,t){var n=arguments,r=t&&t.mdxType;if("string"==typeof e||r){var i=n.length,a=new Array(i);a[0]=h;var c={};for(var s in t)hasOwnProperty.call(t,s)&&(c[s]=t[s]);c.originalType=e,c.mdxType="string"==typeof e?e:r,a[1]=c;for(var p=2;p<i;p++)a[p]=n[p];return o.a.createElement.apply(null,a)}return o.a.createElement.apply(null,n)}h.displayName="MDXCreateElement"}}]);
\ No newline at end of file
diff --git a/index.html b/index.html
index c2aa108b..524e646f 100644
--- a/index.html
+++ b/index.html
@@ -6,7 +6,7 @@
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Welcome to OAuth2 Proxy | OAuth2 Proxy</title><meta data-react-helmet="true" property="og:title" content="Welcome to OAuth2 Proxy | OAuth2 Proxy"><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/"><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_tag" content="default"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/"><link rel="stylesheet" href="/oauth2-proxy/styles.b2862157.css">
<link rel="preload" href="/oauth2-proxy/styles.f494e809.js" as="script">
-<link rel="preload" href="/oauth2-proxy/runtime~main.5e8ccbcc.js" as="script">
+<link rel="preload" href="/oauth2-proxy/runtime~main.97af83ee.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.089aca77.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.b73729bd.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.0f84ec0c.js" as="script">
@@ -20,7 +20,7 @@ to validate accounts by email, domain or group.</p><div class="admonition admoni
Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork.
A list of changes can be seen in the <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md" target="_blank" rel="noopener noreferrer">CHANGELOG</a>.</p></div></div><p><img alt="Sign In Page" src="/oauth2-proxy/assets/images/sign-in-page-947a0ef7ee9fb0aa2b7179b8c7a1cc76.png"></p><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="architecture"></a>Architecture<a aria-hidden="true" tabindex="-1" class="hash-link" href="#architecture" title="Direct link to heading">#</a></h2><p><img alt="OAuth2 Proxy Architecture" src="/oauth2-proxy/assets/images/architecture-08b382c30c02b227fa4c86cb158b600e.png"></p></div></div></div></div></div></main></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2022 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.f494e809.js"></script>
-<script src="/oauth2-proxy/runtime~main.5e8ccbcc.js"></script>
+<script src="/oauth2-proxy/runtime~main.97af83ee.js"></script>
<script src="/oauth2-proxy/main.089aca77.js"></script>
<script src="/oauth2-proxy/1.b73729bd.js"></script>
<script src="/oauth2-proxy/2.0f84ec0c.js"></script>
diff --git a/runtime~main.5e8ccbcc.js b/runtime~main.97af83ee.js
similarity index 61%
rename from runtime~main.5e8ccbcc.js
rename to runtime~main.97af83ee.js
index 8f75d4ea..a42aefce 100644
--- a/runtime~main.5e8ccbcc.js
+++ b/runtime~main.97af83ee.js
@@ -1 +1 @@
-!function(e){function c(c){for(var f,b,n=c[0],d=c[1],o=c[2],u=0,l=[];u<n.length;u++)b=n[u],Object.prototype.hasOwnProperty.call(r,b)&&r[b]&&l.push(r[b][0]),r[b]=0;for(f in d)Object.prototype.hasOwnProperty.call(d,f)&&(e[f]=d[f]);for(i&&i(c);l.length;)l.shift()();return t.push.apply(t,o||[]),a()}function a(){for(var e,c=0;c<t.length;c++){for(var a=t[c],f=!0,b=1;b<a.length;b++){var d=a[b];0!==r[d]&&(f=!1)}f&&(t.splice(c--,1),e=n(n.s=a[0]))}return e}var f={},r={57:0},t=[];function b(e){return n.p+""+({3:"001ca130",4:"00691219",5:"0721a2c0",6:"0f425520",7:"17896441",8:"1999cd7b",9:"230aeb34",10:"243cbd97",11:"300a9996",12:"35234f08",13:"357fe94d",14:"3b8c55ea",15:"3b8e2d60",16:"3def9002",17:"3fa022c7",18:"41de83de",19:"42326c77",20:"585bdad0",21:"5a047177",22:"63d69a63",23:"6f497b56",24:"76aee1e9",25:"7874e99f",26:"7b04b1d5",27:"7dcecc8d",28:"8c826f25",29:"92147208",30:"935f2afb",31:"94285305",32:"9ac82b89",33:"9b9cfcc1",34:"9f61b932",35:"a1bbfb14",36:"a37c03cb",37:"a991188b",38:"adcdd4d2",39:"ade45c9a",40:"b89e1cb0",41:"be200c4b",42:"cbc8963c",43:"cd4a49c1",44:"cecf159a",45:"de718920",46:"e8c74efb",47:"ea7cbf6d",48:"ecc333f0",49:"edfc6e1b",50:"efc9be4b",51:"f3976560",52:"f4c9d322",53:"f5839aac",54:"f98fc388",55:"fb908f49"}[e]||e)+"."+{1:"b73729bd",2:"0f84ec0c",3:"446eb9c9",4:"b2dfc659",5:"a90d8322",6:"3155874e",7:"3f09010b",8:"46972a4d",9:"d5b08ee8",10:"a8d0e9a3",11:"b7a71b7e",12:"1da5596a",13:"4d208af0",14:"3a181e89",15:"0b9656a2",16:"60ccd596",17:"05712c0a",18:"9aa82ee1",19:"8f4766a3",20:"5bd991bb",21:"7631f436",22:"0230d4fd",23:"9a644fc6",24:"8aaa381a",25:"6f7ac14d",26:"1a4858e7",27:"cbd1bb5d",28:"f531f433",29:"114088bc",30:"1429e449",31:"cff6b03f",32:"4743b5b3",33:"2f147917",34:"8b6b8c4c",35:"866a6184",36:"fe04e9e0",37:"f43c20c7",38:"86e71566",39:"82f3357c",40:"52daa6be",41:"810bef87",42:"7f614d2e",43:"23aff2c4",44:"4dd0cced",45:"748e7f46",46:"b5ed146a",47:"22bf10e4",48:"d4801f2e",49:"d363ab28",50:"e5ba1330",51:"44bda334",52:"d8a15a21",53:"17917aea",54:"dff58a75",55:"70b8b3c4",58:"c351a43a",59:"d377417b",60:"0c644c35"}[e]+".js"}function n(c){if(f[c])return f[c].exports;var a=f[c]={i:c,l:!1,exports:{}};return e[c].call(a.exports,a,a.exports,n),a.l=!0,a.exports}n.e=function(e){var c=[],a=r[e];if(0!==a)if(a)c.push(a[2]);else{var f=new Promise((function(c,f){a=r[e]=[c,f]}));c.push(a[2]=f);var t,d=document.createElement("script");d.charset="utf-8",d.timeout=120,n.nc&&d.setAttribute("nonce",n.nc),d.src=b(e);var o=new Error;t=function(c){d.onerror=d.onload=null,clearTimeout(u);var a=r[e];if(0!==a){if(a){var f=c&&("load"===c.type?"missing":c.type),t=c&&c.target&&c.target.src;o.message="Loading chunk "+e+" failed.\n("+f+": "+t+")",o.name="ChunkLoadError",o.type=f,o.request=t,a[1](o)}r[e]=void 0}};var u=setTimeout((function(){t({type:"timeout",target:d})}),12e4);d.onerror=d.onload=t,document.head.appendChild(d)}return Promise.all(c)},n.m=e,n.c=f,n.d=function(e,c,a){n.o(e,c)||Object.defineProperty(e,c,{enumerable:!0,get:a})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,c){if(1&c&&(e=n(e)),8&c)return e;if(4&c&&"object"==typeof e&&e&&e.__esModule)return e;var a=Object.create(null);if(n.r(a),Object.defineProperty(a,"default",{enumerable:!0,value:e}),2&c&&"string"!=typeof e)for(var f in e)n.d(a,f,function(c){return e[c]}.bind(null,f));return a},n.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(c,"a",c),c},n.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},n.p="/oauth2-proxy/",n.gca=function(e){return b(e={17896441:"7",92147208:"29",94285305:"31","001ca130":"3","00691219":"4","0721a2c0":"5","0f425520":"6","1999cd7b":"8","230aeb34":"9","243cbd97":"10","300a9996":"11","35234f08":"12","357fe94d":"13","3b8c55ea":"14","3b8e2d60":"15","3def9002":"16","3fa022c7":"17","41de83de":"18","42326c77":"19","585bdad0":"20","5a047177":"21","63d69a63":"22","6f497b56":"23","76aee1e9":"24","7874e99f":"25","7b04b1d5":"26","7dcecc8d":"27","8c826f25":"28","935f2afb":"30","9ac82b89":"32","9b9cfcc1":"33","9f61b932":"34",a1bbfb14:"35",a37c03cb:"36",a991188b:"37",adcdd4d2:"38",ade45c9a:"39",b89e1cb0:"40",be200c4b:"41",cbc8963c:"42",cd4a49c1:"43",cecf159a:"44",de718920:"45",e8c74efb:"46",ea7cbf6d:"47",ecc333f0:"48",edfc6e1b:"49",efc9be4b:"50",f3976560:"51",f4c9d322:"52",f5839aac:"53",f98fc388:"54",fb908f49:"55"}[e]||e)},n.oe=function(e){throw console.error(e),e};var d=window.webpackJsonp=window.webpackJsonp||[],o=d.push.bind(d);d.push=c,d=d.slice();for(var u=0;u<d.length;u++)c(d[u]);var i=o;a()}([]);
\ No newline at end of file
+!function(e){function c(c){for(var f,b,d=c[0],n=c[1],o=c[2],u=0,l=[];u<d.length;u++)b=d[u],Object.prototype.hasOwnProperty.call(r,b)&&r[b]&&l.push(r[b][0]),r[b]=0;for(f in n)Object.prototype.hasOwnProperty.call(n,f)&&(e[f]=n[f]);for(i&&i(c);l.length;)l.shift()();return t.push.apply(t,o||[]),a()}function a(){for(var e,c=0;c<t.length;c++){for(var a=t[c],f=!0,b=1;b<a.length;b++){var n=a[b];0!==r[n]&&(f=!1)}f&&(t.splice(c--,1),e=d(d.s=a[0]))}return e}var f={},r={57:0},t=[];function b(e){return d.p+""+({3:"001ca130",4:"00691219",5:"0721a2c0",6:"0f425520",7:"17896441",8:"1999cd7b",9:"230aeb34",10:"243cbd97",11:"300a9996",12:"35234f08",13:"357fe94d",14:"3b8c55ea",15:"3b8e2d60",16:"3def9002",17:"3fa022c7",18:"41de83de",19:"42326c77",20:"585bdad0",21:"5a047177",22:"63d69a63",23:"6f497b56",24:"76aee1e9",25:"7874e99f",26:"7b04b1d5",27:"7dcecc8d",28:"8c826f25",29:"92147208",30:"935f2afb",31:"94285305",32:"9ac82b89",33:"9b9cfcc1",34:"9f61b932",35:"a1bbfb14",36:"a37c03cb",37:"a991188b",38:"adcdd4d2",39:"ade45c9a",40:"b89e1cb0",41:"be200c4b",42:"cbc8963c",43:"cd4a49c1",44:"cecf159a",45:"de718920",46:"e8c74efb",47:"ea7cbf6d",48:"ecc333f0",49:"edfc6e1b",50:"efc9be4b",51:"f3976560",52:"f4c9d322",53:"f5839aac",54:"f98fc388",55:"fb908f49"}[e]||e)+"."+{1:"b73729bd",2:"0f84ec0c",3:"446eb9c9",4:"b2dfc659",5:"a90d8322",6:"6799b1da",7:"3f09010b",8:"46972a4d",9:"d5b08ee8",10:"a8d0e9a3",11:"b7a71b7e",12:"1da5596a",13:"4d208af0",14:"3a181e89",15:"0b9656a2",16:"60ccd596",17:"05712c0a",18:"9aa82ee1",19:"8f4766a3",20:"5bd991bb",21:"7631f436",22:"0230d4fd",23:"9a644fc6",24:"8aaa381a",25:"6f7ac14d",26:"1a4858e7",27:"cbd1bb5d",28:"f531f433",29:"114088bc",30:"1429e449",31:"cff6b03f",32:"4743b5b3",33:"2f147917",34:"8b6b8c4c",35:"866a6184",36:"fe04e9e0",37:"f43c20c7",38:"86e71566",39:"82f3357c",40:"52daa6be",41:"810bef87",42:"7f614d2e",43:"23aff2c4",44:"4dd0cced",45:"748e7f46",46:"b5ed146a",47:"22bf10e4",48:"d4801f2e",49:"d363ab28",50:"54e8580a",51:"44bda334",52:"d8a15a21",53:"17917aea",54:"dff58a75",55:"70b8b3c4",58:"c351a43a",59:"d377417b",60:"0c644c35"}[e]+".js"}function d(c){if(f[c])return f[c].exports;var a=f[c]={i:c,l:!1,exports:{}};return e[c].call(a.exports,a,a.exports,d),a.l=!0,a.exports}d.e=function(e){var c=[],a=r[e];if(0!==a)if(a)c.push(a[2]);else{var f=new Promise((function(c,f){a=r[e]=[c,f]}));c.push(a[2]=f);var t,n=document.createElement("script");n.charset="utf-8",n.timeout=120,d.nc&&n.setAttribute("nonce",d.nc),n.src=b(e);var o=new Error;t=function(c){n.onerror=n.onload=null,clearTimeout(u);var a=r[e];if(0!==a){if(a){var f=c&&("load"===c.type?"missing":c.type),t=c&&c.target&&c.target.src;o.message="Loading chunk "+e+" failed.\n("+f+": "+t+")",o.name="ChunkLoadError",o.type=f,o.request=t,a[1](o)}r[e]=void 0}};var u=setTimeout((function(){t({type:"timeout",target:n})}),12e4);n.onerror=n.onload=t,document.head.appendChild(n)}return Promise.all(c)},d.m=e,d.c=f,d.d=function(e,c,a){d.o(e,c)||Object.defineProperty(e,c,{enumerable:!0,get:a})},d.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},d.t=function(e,c){if(1&c&&(e=d(e)),8&c)return e;if(4&c&&"object"==typeof e&&e&&e.__esModule)return e;var a=Object.create(null);if(d.r(a),Object.defineProperty(a,"default",{enumerable:!0,value:e}),2&c&&"string"!=typeof e)for(var f in e)d.d(a,f,function(c){return e[c]}.bind(null,f));return a},d.n=function(e){var c=e&&e.__esModule?function(){return e.default}:function(){return e};return d.d(c,"a",c),c},d.o=function(e,c){return Object.prototype.hasOwnProperty.call(e,c)},d.p="/oauth2-proxy/",d.gca=function(e){return b(e={17896441:"7",92147208:"29",94285305:"31","001ca130":"3","00691219":"4","0721a2c0":"5","0f425520":"6","1999cd7b":"8","230aeb34":"9","243cbd97":"10","300a9996":"11","35234f08":"12","357fe94d":"13","3b8c55ea":"14","3b8e2d60":"15","3def9002":"16","3fa022c7":"17","41de83de":"18","42326c77":"19","585bdad0":"20","5a047177":"21","63d69a63":"22","6f497b56":"23","76aee1e9":"24","7874e99f":"25","7b04b1d5":"26","7dcecc8d":"27","8c826f25":"28","935f2afb":"30","9ac82b89":"32","9b9cfcc1":"33","9f61b932":"34",a1bbfb14:"35",a37c03cb:"36",a991188b:"37",adcdd4d2:"38",ade45c9a:"39",b89e1cb0:"40",be200c4b:"41",cbc8963c:"42",cd4a49c1:"43",cecf159a:"44",de718920:"45",e8c74efb:"46",ea7cbf6d:"47",ecc333f0:"48",edfc6e1b:"49",efc9be4b:"50",f3976560:"51",f4c9d322:"52",f5839aac:"53",f98fc388:"54",fb908f49:"55"}[e]||e)},d.oe=function(e){throw console.error(e),e};var n=window.webpackJsonp=window.webpackJsonp||[],o=n.push.bind(n);n.push=c,n=n.slice();for(var u=0;u<n.length;u++)c(n[u]);var i=o;a()}([]);
\ No newline at end of file