1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Go to file
Mike Bland 37f287bef4 Calculate cookie expiration from encoded timestamp
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
2015-05-10 00:11:26 -04:00
api Extract api package 2015-03-30 10:23:30 -04:00
contrib Set cookie-refresh flag = 0; update README, config 2015-05-09 17:36:17 -04:00
providers Introduce validate-url flag/config 2015-05-08 17:13:35 -04:00
.gitignore Add vim .swp files to gitignore 2015-04-07 05:53:40 -04:00
.travis.yml bump travis Go versions 2015-03-17 16:02:21 -04:00
cookies_test.go Refactor cookie building and parsing 2015-04-07 05:53:41 -04:00
cookies.go Implement cookie auto-refresh 2015-05-08 14:05:09 -04:00
dist.sh release scripts 2014-11-09 21:48:09 -05:00
env_options_test.go test/fix environment var parsing 2014-11-14 23:15:27 -05:00
env_options.go test/fix environment var parsing 2014-11-14 23:15:27 -05:00
Godeps release scripts 2014-11-09 21:48:09 -05:00
htpasswd_test.go testing 2012-12-17 13:38:33 -05:00
htpasswd.go better environment parsing 2014-11-09 21:12:36 -05:00
LICENSE add MIT license for google_auth_proxy 2014-06-09 16:25:26 -04:00
logging_handler.go improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
main.go Set cookie-refresh flag = 0; update README, config 2015-05-09 17:36:17 -04:00
oauthproxy_test.go Calculate cookie expiration from encoded timestamp 2015-05-10 00:11:26 -04:00
oauthproxy.go Calculate cookie expiration from encoded timestamp 2015-05-10 00:11:26 -04:00
options_test.go Enforce that cookie_refresh < cookie_expire 2015-05-09 17:37:33 -04:00
options.go Enforce that cookie_refresh < cookie_expire 2015-05-09 17:37:33 -04:00
README.md Set cookie-refresh flag = 0; update README, config 2015-05-09 17:36:17 -04:00
string_array.go Add config file support 2014-11-09 20:33:12 -05:00
templates_test.go Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 14:38:57 -06:00
templates.go Add ProviderName field; use in sign_in template 2015-03-31 12:59:07 -04:00
test.sh release scripts 2014-11-09 21:48:09 -05:00
validator_test.go Make address/domain comparisons case-insensitive 2015-04-07 17:25:46 -04:00
validator.go Make address/domain comparisons case-insensitive 2015-04-07 17:25:46 -04:00
version.go tag 1.1.1 2015-03-23 09:19:24 -04:00

google_auth_proxy

A reverse proxy that provides authentication using Google and other OAuth2 providers to validate individual accounts, or a whole google apps domain.

Build Status

sign_in_page

Architecture

    _______       ___________________       __________
    |Nginx| ----> |google_auth_proxy| ----> |upstream| 
    -------       -------------------       ----------
                          ||
                          \/
                  [google oauth2 api]

Installation

  1. Download Prebuilt Binary or build from master with $ go get github.com/bitly/google_auth_proxy which should put the binary in $GOROOT/bin
  2. Register an OAuth Application with Google
  3. Configure Google Auth Proxy using config file, command line options, or environment variables
  4. Deploy behind a SSL endpoint (example provided for Nginx)

OAuth Configuration

You will need to register an OAuth application with Google (or another provider), and configure it with Redirect URI(s) for the domain you intend to run google_auth_proxy on.

For Google, the registration steps are:

  1. Create a new project: https://console.developers.google.com/project
  2. Under "APIs & Auth", choose "Credentials"
  3. Now, choose "Create new Client ID"
    • The Application Type should be Web application
    • Enter your domain in the Authorized Javascript Origins https://internal.yourcompany.com
    • Enter the correct Authorized Redirect URL https://internal.yourcompany.com/oauth2/callback
      • NOTE: google_auth_proxy will only callback on the path /oauth2/callback
  4. Under "APIs & Auth" choose "Consent Screen"
    • Fill in the necessary fields and Save (this is required)
  5. Take note of the Client ID and Client Secret

For LinkedIn, the registration steps are:

  1. Create a new project: https://www.linkedin.com/secure/developer
  2. In the OAuth User Agreement section:
    • In default scope, select r_basicprofile and r_emailaddress.
    • In "OAuth 2.0 Redirect URLs", enter https://internal.yourcompany.com/oauth2/callback
  3. Fill in the remaining required fields and Save.
  4. Take note of the Consumer Key / API Key and Consumer Secret / Secret Key

Configuration

google_auth_proxy can be configured via config file, command line options or environment variables.

Config File

An example google_auth_proxy.cfg config file is in the contrib directory. It can be used by specifying -config=/etc/google_auth_proxy.cfg

Command Line Options

Usage of google_auth_proxy:
  -authenticated-emails-file="": authenticate against emails via file (one per line)
  -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
  -client-secret="": the OAuth Client Secret
  -config="": path to config file
  -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
  -cookie-expire=168h0m0s: expire timeframe for cookie
  -cookie-httponly=true: set HttpOnly cookie flag
  -cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
  -cookie-refresh=144h0m0s: refresh the cookie when this much time remains before expiration
  -cookie-secret="": the seed string for secure cookies
  -cookie-secure=true: set secure (HTTPS) cookie flag
  -custom-templates-dir="": path to custom html templates
  -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
  -google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
  -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
  -http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
  -login-url="": Authentication endpoint
  -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
  -pass-host-header=true: pass the request Host Header to upstream
  -profile-url="": Profile access endpoint
  -provider="": Oauth provider (defaults to Google)
  -redeem-url="": Token redemption endpoint
  -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
  -request-logging=true: Log requests to stdout
  -scope="": Oauth scope specification
  -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
  -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
  -validate-url="": Access token validation endpoint
  -version=false: print version string

Environment variables

The environment variables GOOGLE_AUTH_PROXY_CLIENT_ID, GOOGLE_AUTH_PROXY_CLIENT_SECRET, GOOGLE_AUTH_PROXY_COOKIE_SECRET, GOOGLE_AUTH_PROXY_COOKIE_DOMAIN and GOOGLE_AUTH_PROXY_COOKIE_EXPIRE can be used in place of the corresponding command-line arguments.

Example Nginx Configuration

This example has a Nginx SSL endpoint proxying to google_auth_proxy on port 4180. google_auth_proxy then authenticates requests for an upstream application running on port 8080. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=1209600;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run google_auth_proxy would look like this:

./google_auth_proxy \
   --google-apps-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --client-id=... \
   --client-secret=...

Endpoint Documentation

Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.

  • /ping - returns an 200 OK response
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this ass the callback url.

Logging Format

Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log.

<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>

Providers other than Google

Other providers besides Google can be specified by the providers flag/config directive. Right now this includes:

Adding a new Provider

Follow the examples in the providers package to define a new Provider instance. Add a new case to providers.New() to allow the auth proxy to use the new Provider.