go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-12-21 23:57:36 +02:00
Code Issues Releases Activity

feat: add allowed_* constraint option to proxy endpoint query string (#2841)

Browse Source 
* Add check for constraints to the proxy endpoint

* Add tests for allowed_groups query string

* Add this feature to the changelog

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Use explicit key names in TestProxyAllowedGroups

* Document the query parameters on proxy endpoint

* Comment was copied from the AuthOnly handler but on closer inspection is not relevant here
replacing comment with one more relevant

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
Jacob Alberty
2025-11-08 06:58:34 -06:00
committed by GitHub
parent 22053dcade
commit fcc2db040e
4 changed files with 88 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/docs/features/endpoints.md
View File

@@ -5,6 +5,7 @@ title: Endpoints
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
- / - the proxy endpoint provides authentication and returns the appropriate 40x error if not authenticated or authorized then passes the request upstream.
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
- /ping - returns a 200 OK response, which is intended for use with health checks
- /ready - returns a 200 OK response if all the underlying connections (e.g., Redis store) are connected
@@ -45,3 +46,14 @@ It can be configured using the following query parameters:
- `allowed_groups`: comma separated list of allowed groups
- `allowed_email_domains`: comma separated list of allowed email domains
- `allowed_emails`: comma separated list of allowed emails
### Proxy (/)
This endpoint returns the upstream response if authenticated.
If unauthenticated it returns a 401 Unauthorized. If the authenticatd user
is not in one of the allowed groups, or emails then it returns a 403 forbidden
It can be configured using the following query parameters:
- `allowed_groups`: comma separated list of allowed groups
- `allowed_email_domains`: comma separated list of allowed email domains
- `allowed_emails`: comma separated list of allowed emails