<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-configuration/alpha-config" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.3">
<title data-rh="true">Alpha Configuration | OAuth2 Proxy</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Alpha Configuration | OAuth2 Proxy"><meta data-rh="true" name="description" content="This page contains documentation for alpha features."><meta data-rh="true" property="og:description" content="This page contains documentation for alpha features."><link data-rh="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-rh="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config" hreflang="en"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/alpha-config" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.4014daec.css">
<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.797195fe.js" as="script">
<link rel="preload" href="/oauth2-proxy/assets/js/main.1106c429.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>
  // Sets the colour theme on <html> before the page renders.
  // Both sources are user-controllable (a crafted link can set the query
  // parameter), but the value is only written with setAttribute() to a data
  // attribute, so it is never parsed as markup or script.
  (function () {
    // Theme requested through the "docusaurus-theme" query parameter, or null.
    function readQueryTheme() {
      var value = null;
      try {
        value = new URLSearchParams(window.location.search).get("docusaurus-theme");
      } catch (err) {}
      return value;
    }

    // Theme remembered in localStorage under "theme", or null.
    // Storage access can throw (for example when it is blocked), hence the try.
    function readStoredTheme() {
      var value = null;
      try {
        value = localStorage.getItem("theme");
      } catch (err) {}
      return value;
    }

    // `||` also skips an empty query value, falling through to the stored one.
    var chosen = readQueryTheme() || readStoredTheme();

    // Only a null result (nothing found in either place) falls back to "light".
    document.documentElement.setAttribute("data-theme", chosen !== null ? chosen : "light");
  })();
</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--light_HNdA"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/alpha-config">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/configuration/alpha-config">7.5.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.4.x/configuration/alpha-config">7.4.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.3.x/configuration/alpha-config">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/configuration/alpha-config">7.2.x</a></li><li><a class="dropdown__link" 
href="/oauth2-proxy/docs/7.1.x/configuration/alpha-config">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/configuration/alpha-config">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z 
M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_wfgR"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg></button></div><div class="searchBox_ZlJk"><div class="navbar__search searchBarContainer_NW3z"><input placeholder="Search" aria-label="Search" class="navbar__search-input"><div class="loadingRing_RJI3 searchBarLoadingRing_YnHq"><div></div><div></div><div></div><div></div></div><div class="searchHintContainer_Pkmr"><kbd class="searchHint_iIMx">ctrl</kbd><kbd class="searchHint_iIMx">K</kbd></div></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="theme-doc-sidebar-item-category 
theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" href="/oauth2-proxy/docs/next/configuration/overview">Configuration</a><button aria-label="Toggle the collapsible sidebar category 'Configuration'" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/">OAuth Provider Configuration</a><button aria-label="Toggle the collapsible sidebar category 'OAuth Provider Configuration'" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link 
menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/features/endpoints">Features</a><button aria-label="Toggle the collapsible sidebar category 'Features'" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/community/security">Community</a><button aria-label="Toggle the collapsible sidebar category 'Community'" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/contribution">Contribution Guide</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->OAuth2 Proxy<!-- --> <b>Next</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/oauth2-proxy/docs/configuration/alpha-config">latest version</a></b> (<!-- -->7.5.x<!-- -->).</div></div><div class="docItemContainer_Djhp"><article><nav 
class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/oauth2-proxy/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a class="breadcrumbs__link" itemprop="item" href="/oauth2-proxy/docs/next/configuration/overview"><span itemprop="name">Configuration</span></a><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Alpha Configuration</span><meta itemprop="position" content="2"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: Next</span><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Alpha Configuration</h1></header><div class="theme-admonition theme-admonition-warning alert alert--danger admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 12 16"><path fill-rule="evenodd" d="M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 
5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"></path></svg></span>danger</div><div class="admonitionContent_S0QG"><p>This page contains documentation for alpha features.
We reserve the right to make breaking changes to the features detailed within this page with no notice.</p><p>Options described in this page may be changed, removed, renamed or moved without prior warning.
Please be aware of this before you use alpha configuration options.</p></div></div><p>This page details a set of <strong>alpha</strong> configuration options in a new format.
Going forward, we intend to add structured configuration in YAML format to
replace the existing TOML based configuration file and flags.</p><p>Below is a reference for the structure of the configuration, with
<a href="#alphaoptions">AlphaOptions</a> as the root of the configuration.</p><p>When using alpha configuration, your config file will look something like below:</p><div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token key atrule">upstreams</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">id</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">...</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">injectRequestHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(199, 
146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">...</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token key atrule">injectResponseHeaders</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">name</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">...</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" 
class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Please browse the <a href="#configuration-reference">reference</a> below for the structure
of the new configuration format.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="using-alpha-configuration">Using Alpha Configuration<a href="#using-alpha-configuration" class="hash-link" aria-label="Direct link to Using Alpha Configuration" title="Direct link to Using Alpha Configuration"></a></h2><p>To use the new <strong>alpha</strong> configuration, generate a YAML file based on the format
described in the <a href="#configuration-reference">reference</a> below.</p><p>Provide the path to this file using the <code>--alpha-config</code> flag.</p><div class="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_S0QG"><p>When using the <code>--alpha-config</code> flag, some options are no longer available.
See <a href="#removed-options">removed options</a> below for more information.</p></div></div><h3 class="anchor anchorWithStickyNavbar_LWe7" id="converting-configuration-to-the-new-structure">Converting configuration to the new structure<a href="#converting-configuration-to-the-new-structure" class="hash-link" aria-label="Direct link to Converting configuration to the new structure" title="Direct link to Converting configuration to the new structure"></a></h3><p>Before adding the new <code>--alpha-config</code> option, start OAuth2 Proxy using the
<code>--convert-config-to-alpha</code> flag to convert existing configuration to the new format.</p><div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy --convert-config-to-alpha --config ./path/to/existing/config.cfg</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>This will convert any options supported by the new format to YAML and print the
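new configuration to <code>STDOUT</code>. The printed output may include secret values carried over from the existing configuration, such as the client secret, so keep it out of shared logs and restrict access to the file you save it in.</p><p>Copy this to a new file, remove any options from your existing configuration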
noted in <a href="#removed-options">removed options</a> and then start OAuth2 Proxy using
the new config.</p><div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">oauth2-proxy --alpha-config ./path/to/new/config.yaml --config ./path/to/existing/config.cfg</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="using-env-variables-in-the-alpha-configuration">Using ENV variables in the alpha configuration<a href="#using-env-variables-in-the-alpha-configuration" class="hash-link" aria-label="Direct link to Using ENV variables in the alpha configuration" title="Direct link to Using ENV variables in the alpha configuration"></a></h2><p>The alpha package supports the use of environment variables in place of yaml keys, allowing sensitive values to be pulled from somewhere other than the yaml file.
When using environment variables, your yaml will look like this:</p><div class="language-yaml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-yaml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">providers</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">-</span><span class="token plain"> </span><span class="token key atrule">provider</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> azure</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token key atrule">clientSecret</span><span class="token punctuation" style="color:rgb(199, 146, 234)">:</span><span class="token plain"> $</span><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain">CLIENT_SECRET</span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">...</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 
2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Where CLIENT_SECRET is an environment variable.
More information and the available substitution patterns can be found in the <a href="https://github.com/a8m/envsubst#docs" target="_blank" rel="noopener noreferrer">envsubst documentation</a>.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="removed-options">Removed options<a href="#removed-options" class="hash-link" aria-label="Direct link to Removed options" title="Direct link to Removed options"></a></h2><p>The following flags/options and their respective environment variables are no
longer available when using alpha configuration:</p><ul><li><code>flush-interval</code>/<code>flush_interval</code></li><li><code>pass-host-header</code>/<code>pass_host_header</code></li><li><code>proxy-websockets</code>/<code>proxy_websockets</code></li><li><code>ssl-upstream-insecure-skip-verify</code>/<code>ssl_upstream_insecure_skip_verify</code></li><li><code>upstream</code>/<code>upstreams</code></li></ul><ul><li><code>pass-basic-auth</code>/<code>pass_basic_auth</code></li><li><code>pass-access-token</code>/<code>pass_access_token</code></li><li><code>pass-user-headers</code>/<code>pass_user_headers</code></li><li><code>pass-authorization-header</code>/<code>pass_authorization_header</code></li><li><code>set-basic-auth</code>/<code>set_basic_auth</code></li><li><code>set-xauthrequest</code>/<code>set_xauthrequest</code></li><li><code>set-authorization-header</code>/<code>set_authorization_header</code></li><li><code>prefer-email-to-user</code>/<code>prefer_email_to_user</code></li><li><code>basic-auth-password</code>/<code>basic_auth_password</code></li><li><code>skip-auth-strip-headers</code>/<code>skip_auth_strip_headers</code></li></ul><ul><li><code>client-id</code>/<code>client_id</code></li><li><code>client-secret</code>/<code>client_secret</code>, and 
<code>client-secret-file</code>/<code>client_secret_file</code></li><li><code>provider</code></li><li><code>provider-display-name</code>/<code>provider_display_name</code></li><li><code>provider-ca-file</code>/<code>provider_ca_files</code></li><li><code>login-url</code>/<code>login_url</code></li><li><code>redeem-url</code>/<code>redeem_url</code></li><li><code>profile-url</code>/<code>profile_url</code></li><li><code>resource</code></li><li><code>validate-url</code>/<code>validate_url</code></li><li><code>scope</code></li><li><code>prompt</code></li><li><code>approval-prompt</code>/<code>approval_prompt</code></li><li><code>acr-values</code>/<code>acr_values</code></li><li><code>user-id-claim</code>/<code>user_id_claim</code></li><li><code>allowed-group</code>/<code>allowed_groups</code></li><li><code>allowed-role</code>/<code>allowed_roles</code></li><li><code>jwt-key</code>/<code>jwt_key</code></li><li><code>jwt-key-file</code>/<code>jwt_key_file</code></li><li><code>pubjwk-url</code>/<code>pubjwk_url</code></li></ul><p>and all provider-specific options, i.e. any option whose name includes <code>oidc</code>,
<code>azure</code>, <code>bitbucket</code>, <code>github</code>, <code>gitlab</code>, <code>google</code> or <code>keycloak</code>. Attempting to
use any of these options via flags or via config when <code>--alpha-config</code> is
set will result in an error.</p><div class="theme-admonition theme-admonition-important alert alert--info admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_S0QG"><p>You must remove these options before starting OAuth2 Proxy with <code>--alpha-config</code></p></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuration-reference">Configuration Reference<a href="#configuration-reference" class="hash-link" aria-label="Direct link to Configuration Reference" title="Direct link to Configuration Reference"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="adfsoptions">ADFSOptions<a href="#adfsoptions" class="hash-link" aria-label="Direct link to ADFSOptions" title="Direct link to ADFSOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>skipScope</code></td><td><em>bool</em></td><td>Skip adding the scope parameter in login request<br>Default value is 'false'</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="alphaoptions">AlphaOptions<a href="#alphaoptions" class="hash-link" aria-label="Direct link to AlphaOptions" title="Direct link to AlphaOptions"></a></h3><p>AlphaOptions contains alpha structured configuration options.
Usage of these options allows users to access alpha features that are not
available as part of the primary configuration structure for OAuth2 Proxy.</p><div class="theme-admonition theme-admonition-warning alert alert--danger admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 12 16"><path fill-rule="evenodd" d="M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"></path></svg></span>danger</div><div class="admonitionContent_S0QG"><p>The options within this structure are considered alpha.
They may change between releases without notice.</p></div></div><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>upstreamConfig</code></td><td><em><a href="#upstreamconfig">UpstreamConfig</a></em></td><td>UpstreamConfig is used to configure upstream servers.<br>Once a user is authenticated, requests to the server will be proxied to<br>these upstream servers based on the path mappings defined in this list.</td></tr><tr><td><code>injectRequestHeaders</code></td><td><em><a href="#header">[]Header</a></em></td><td>InjectRequestHeaders is used to configure headers that should be added<br>to requests to upstream servers.<br>Headers may source values from either the authenticated user's session<br>or from a static secret value.</td></tr><tr><td><code>injectResponseHeaders</code></td><td><em><a href="#header">[]Header</a></em></td><td>InjectResponseHeaders is used to configure headers that should be added<br>to responses from the proxy.<br>This is typically used when using the proxy as an external authentication<br>provider in conjunction with another proxy such as NGINX and its<br>auth_request module.<br>Headers may source values from either the authenticated user's session<br>or from a static secret value.</td></tr><tr><td><code>server</code></td><td><em><a href="#server">Server</a></em></td><td>Server is used to configure the HTTP(S) server for the proxy application.<br>You may choose to run both HTTP and HTTPS servers simultaneously.<br>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br>To use the secure server you must configure a TLS certificate and key.</td></tr><tr><td><code>metricsServer</code></td><td><em><a href="#server">Server</a></em></td><td>MetricsServer is used to configure the HTTP(S) server for metrics.<br>You may choose to run both HTTP and HTTPS servers simultaneously.<br>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br>To use 
the secure server you must configure a TLS certificate and key.</td></tr><tr><td><code>providers</code></td><td><em><a href="#providers">Providers</a></em></td><td>Providers is used to configure multiple providers.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="azureoptions">AzureOptions<a href="#azureoptions" class="hash-link" aria-label="Direct link to AzureOptions" title="Direct link to AzureOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>tenant</code></td><td><em>string</em></td><td>Tenant directs to a tenant-specific or common (tenant-independent) endpoint<br>Default value is 'common'</td></tr><tr><td><code>graphGroupField</code></td><td><em>string</em></td><td>GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph<br>Default value is 'id'</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="bitbucketoptions">BitbucketOptions<a href="#bitbucketoptions" class="hash-link" aria-label="Direct link to BitbucketOptions" title="Direct link to BitbucketOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>team</code></td><td><em>string</em></td><td>Team sets restrict logins to members of this team</td></tr><tr><td><code>repository</code></td><td><em>string</em></td><td>Repository sets restrict logins to user with access to this repository</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="claimsource">ClaimSource<a href="#claimsource" class="hash-link" aria-label="Direct link to ClaimSource" title="Direct link to ClaimSource"></a></h3><p>(<strong>Appears on:</strong> <a href="#headervalue">HeaderValue</a>)</p><p>ClaimSource allows loading a header value from a claim within the 
session</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>claim</code></td><td><em>string</em></td><td>Claim is the name of the claim in the session that the value should be<br>loaded from.</td></tr><tr><td><code>prefix</code></td><td><em>string</em></td><td>Prefix is an optional prefix that will be prepended to the value of the<br>claim if it is non-empty.</td></tr><tr><td><code>basicAuthPassword</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>BasicAuthPassword converts this claim into a basic auth header.<br>Note the value of claim will become the basic auth username and the<br>basicAuthPassword will be used as the password value.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="duration">Duration<a href="#duration" class="hash-link" aria-label="Direct link to Duration" title="Direct link to Duration"></a></h3><h4 class="anchor anchorWithStickyNavbar_LWe7" id="string-alias">(<code>string</code> alias)<a href="#string-alias" class="hash-link" aria-label="Direct link to string-alias" title="Direct link to string-alias"></a></h4><p>(<strong>Appears on:</strong> <a href="#upstream">Upstream</a>)</p><p>Duration is as string representation of a period of time.
A duration string is a possibly signed sequence of decimal numbers,
each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="githuboptions">GitHubOptions<a href="#githuboptions" class="hash-link" aria-label="Direct link to GitHubOptions" title="Direct link to GitHubOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>org</code></td><td><em>string</em></td><td>Org sets restrict logins to members of this organisation</td></tr><tr><td><code>team</code></td><td><em>string</em></td><td>Team sets restrict logins to members of this team</td></tr><tr><td><code>repo</code></td><td><em>string</em></td><td>Repo sets restrict logins to collaborators of this repository</td></tr><tr><td><code>token</code></td><td><em>string</em></td><td>Token is the token to use when verifying repository collaborators<br>it must have push access to the repository</td></tr><tr><td><code>users</code></td><td><em>[]string</em></td><td>Users allows users with these usernames to login<br>even if they do not belong to the specified org and team or collaborators</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="gitlaboptions">GitLabOptions<a href="#gitlaboptions" class="hash-link" aria-label="Direct link to GitLabOptions" title="Direct link to GitLabOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>group</code></td><td><em>[]string</em></td><td>Group sets restrict logins to members of this group</td></tr><tr><td><code>projects</code></td><td><em>[]string</em></td><td>Projects restricts logins to members of these projects</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="googleoptions">GoogleOptions<a href="#googleoptions" class="hash-link" aria-label="Direct link to GoogleOptions" 
title="Direct link to GoogleOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>group</code></td><td><em>[]string</em></td><td>Groups sets restrict logins to members of this Google group</td></tr><tr><td><code>adminEmail</code></td><td><em>string</em></td><td>AdminEmail is the Google admin to impersonate for api calls</td></tr><tr><td><code>serviceAccountJson</code></td><td><em>string</em></td><td>ServiceAccountJSON is the path to the service account json credentials</td></tr><tr><td><code>useApplicationDefaultCredentials</code></td><td><em>bool</em></td><td>UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON</td></tr><tr><td><code>targetPrincipal</code></td><td><em>string</em></td><td>TargetPrincipal is the Google Service Account used for Application Default Credentials</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="header">Header<a href="#header" class="hash-link" aria-label="Direct link to Header" title="Direct link to Header"></a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Header represents an individual header that will be added to a request or
response header.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code></td><td><em>string</em></td><td>Name is the header name to be used for this set of values.<br>Names should be unique within a list of Headers.</td></tr><tr><td><code>preserveRequestValue</code></td><td><em>bool</em></td><td>PreserveRequestValue determines whether any values for this header<br>should be preserved for the request to the upstream server.<br>This option only applies to injected request headers.<br>Defaults to false (headers that match this header will be stripped).<br>When set to true, values for this header that arrive on the incoming request are kept and reach the upstream server;<br>leave it false for any header the upstream trusts as proof of identity.</td></tr><tr><td><code>values</code></td><td><em><a href="#headervalue">[]HeaderValue</a></em></td><td>Values contains the desired values for this header</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="headervalue">HeaderValue<a href="#headervalue" class="hash-link" aria-label="Direct link to HeaderValue" title="Direct link to HeaderValue"></a></h3><p>(<strong>Appears on:</strong> <a href="#header">Header</a>)</p><p>HeaderValue represents a single header value and the sources that can
make up the header value</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr><tr><td><code>claim</code></td><td><em>string</em></td><td>Claim is the name of the claim in the session that the value should be<br>loaded from.</td></tr><tr><td><code>prefix</code></td><td><em>string</em></td><td>Prefix is an optional prefix that will be prepended to the value of the<br>claim if it is non-empty.</td></tr><tr><td><code>basicAuthPassword</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>BasicAuthPassword converts this claim into a basic auth header.<br>Note the value of claim will become the basic auth username and the<br>basicAuthPassword will be used as the password value.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="keycloakoptions">KeycloakOptions<a href="#keycloakoptions" class="hash-link" aria-label="Direct link to KeycloakOptions" title="Direct link to KeycloakOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>groups</code></td><td><em>[]string</em></td><td>Group enables to restrict login to members of indicated group</td></tr><tr><td><code>roles</code></td><td><em>[]string</em></td><td>Role enables to restrict login to users with role (only available when using the keycloak-oidc provider)</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="logingovoptions">LoginGovOptions<a href="#logingovoptions" class="hash-link" aria-label="Direct link to 
LoginGovOptions" title="Direct link to LoginGovOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>jwtKey</code></td><td><em>string</em></td><td>JWTKey is a private key in PEM format used to sign JWT,</td></tr><tr><td><code>jwtKeyFile</code></td><td><em>string</em></td><td>JWTKeyFile is a path to the private key file in PEM format used to sign the JWT</td></tr><tr><td><code>pubjwkURL</code></td><td><em>string</em></td><td>PubJWKURL is the JWK pubkey access endpoint</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="loginurlparameter">LoginURLParameter<a href="#loginurlparameter" class="hash-link" aria-label="Direct link to LoginURLParameter" title="Direct link to LoginURLParameter"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><p>LoginURLParameter is the configuration for a single query parameter that
can be passed through from the <code>/oauth2/start</code> endpoint to the IdP login
URL. The "default" option specifies the default value or values (if any)
that will be passed to the IdP for this parameter, and "allow" is a list
of options for ways in which this parameter can be set or overridden via
the query string to <code>/oauth2/start</code>.
If <em>only</em> a default is specified and no "allow" then the parameter is
effectively fixed - the default value will always be used and anything
passed to the start URL will be ignored. If <em>only</em> "allow" is specified
but no default then the parameter will only be passed on to the IdP if
the caller provides it, and no value will be sent otherwise.</p><p>Examples:</p><p>A parameter whose value is fixed</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">name: organization</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">default:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- myorg</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>A parameter that is not passed by default, but may be set to one of a
fixed set of values</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">name: prompt</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">allow:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- value: login</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- value: consent</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- value: select_account</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>A parameter that is passed by default but may be overridden by one of
a fixed set of values</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">name: prompt</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">default: ["login"]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">allow:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- value: consent</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- value: select_account</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>A parameter that may be overridden, but only by values that match a
regular expression. For example, to restrict <code>login_hint</code> to email
addresses in your organization's domain:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">name: login_hint</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">allow:</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">- pattern: '^[^@]*@example\.com$'</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># this allows at most one "@" sign, and requires "example.com" domain.</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Note that the YAML rules around exactly which characters are allowed
and/or require escaping in different types of string literals are
convoluted. For regular expressions the single quoted form is simplest
as backslash is not considered to be an escape character. Alternatively
use the "chomped block" format <code>|-</code>:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"> - pattern: |-</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> ^[^@]*@example\.com$</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>The hyphen is important, a <code>|</code> block would have a trailing newline
character.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code></td><td><em>string</em></td><td>Name specifies the name of the query parameter.</td></tr><tr><td><code>default</code></td><td><em>[]string</em></td><td><em>(Optional)</em> Default specifies a default value or values that will be<br>passed to the IdP if not overridden.</td></tr><tr><td><code>allow</code></td><td><em><a href="#urlparameterrule">[]URLParameterRule</a></em></td><td><em>(Optional)</em> Allow specifies rules about how the default (if any) may be<br>overridden via the query string to <code>/oauth2/start</code>. Only<br>values that match one or more of the allow rules will be<br>forwarded to the IdP.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="oidcoptions">OIDCOptions<a href="#oidcoptions" class="hash-link" aria-label="Direct link to OIDCOptions" title="Direct link to OIDCOptions"></a></h3><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>issuerURL</code></td><td><em>string</em></td><td>IssuerURL is the OpenID Connect issuer URL<br>eg: <a href="https://accounts.google.com" target="_blank" rel="noopener noreferrer">https://accounts.google.com</a></td></tr><tr><td><code>insecureAllowUnverifiedEmail</code></td><td><em>bool</em></td><td>InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified<br>default set to 'false'</td></tr><tr><td><code>insecureSkipIssuerVerification</code></td><td><em>bool</em></td><td>InsecureSkipIssuerVerification skips verification of ID token issuers. 
When false, ID Token Issuers must match the OIDC discovery URL<br>default set to 'false'</td></tr><tr><td><code>insecureSkipNonce</code></td><td><em>bool</em></td><td>InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br>after the initial OAuth redeem &amp; subsequent token refreshes.<br>default set to 'true', i.e. the nonce is not verified unless this option is explicitly set to 'false'.<br>Warning: In a future release, this will change to 'false' by default for enhanced security.</td></tr><tr><td><code>skipDiscovery</code></td><td><em>bool</em></td><td>SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br>default set to 'false'</td></tr><tr><td><code>jwksURL</code></td><td><em>string</em></td><td>JwksURL is the OpenID Connect JWKS URL<br>eg: <a href="https://www.googleapis.com/oauth2/v3/certs" target="_blank" rel="noopener noreferrer">https://www.googleapis.com/oauth2/v3/certs</a></td></tr><tr><td><code>emailClaim</code></td><td><em>string</em></td><td>EmailClaim indicates which claim contains the user email,<br>default set to 'email'</td></tr><tr><td><code>groupsClaim</code></td><td><em>string</em></td><td>GroupsClaim indicates which claim contains the user groups<br>default set to 'groups'</td></tr><tr><td><code>userIDClaim</code></td><td><em>string</em></td><td>UserIDClaim indicates which claim contains the user ID<br>default set to 'email'</td></tr><tr><td><code>audienceClaims</code></td><td><em>[]string</em></td><td>AudienceClaim allows to define any claim that is verified against the client id<br>By default <code>aud</code> claim is used for verification.</td></tr><tr><td><code>extraAudiences</code></td><td><em>[]string</em></td><td>ExtraAudiences is a list of additional audiences that are allowed<br>to pass verification in addition to the client id.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="provider">Provider<a href="#provider" class="hash-link" aria-label="Direct link 
to Provider" title="Direct link to Provider"></a></h3><p>(<strong>Appears on:</strong> <a href="#providers">Providers</a>)</p><p>Provider holds all configuration for a single provider</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>clientID</code></td><td><em>string</em></td><td>ClientID is the OAuth Client ID that is defined in the provider<br>This value is required for all providers.</td></tr><tr><td><code>clientSecret</code></td><td><em>string</em></td><td>ClientSecret is the OAuth Client Secret that is defined in the provider<br>This value is required for all providers.</td></tr><tr><td><code>clientSecretFile</code></td><td><em>string</em></td><td>ClientSecretFile is the name of the file<br>containing the OAuth Client Secret, it will be used if ClientSecret is not set.</td></tr><tr><td><code>keycloakConfig</code></td><td><em><a href="#keycloakoptions">KeycloakOptions</a></em></td><td>KeycloakConfig holds all configurations for Keycloak provider.</td></tr><tr><td><code>azureConfig</code></td><td><em><a href="#azureoptions">AzureOptions</a></em></td><td>AzureConfig holds all configurations for Azure provider.</td></tr><tr><td><code>ADFSConfig</code></td><td><em><a href="#adfsoptions">ADFSOptions</a></em></td><td>ADFSConfig holds all configurations for ADFS provider.</td></tr><tr><td><code>bitbucketConfig</code></td><td><em><a href="#bitbucketoptions">BitbucketOptions</a></em></td><td>BitbucketConfig holds all configurations for Bitbucket provider.</td></tr><tr><td><code>githubConfig</code></td><td><em><a href="#githuboptions">GitHubOptions</a></em></td><td>GitHubConfig holds all configurations for GitHub provider.</td></tr><tr><td><code>gitlabConfig</code></td><td><em><a href="#gitlaboptions">GitLabOptions</a></em></td><td>GitLabConfig holds all configurations for GitLab provider.</td></tr><tr><td><code>googleConfig</code></td><td><em><a href="#googleoptions">GoogleOptions</a></em></td><td>GoogleConfig holds 
all configurations for Google provider.</td></tr><tr><td><code>oidcConfig</code></td><td><em><a href="#oidcoptions">OIDCOptions</a></em></td><td>OIDCConfig holds all configurations for OIDC provider<br>or providers utilize OIDC configurations.</td></tr><tr><td><code>loginGovConfig</code></td><td><em><a href="#logingovoptions">LoginGovOptions</a></em></td><td>LoginGovConfig holds all configurations for LoginGov provider.</td></tr><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the provider.<br>This value is required for all providers.</td></tr><tr><td><code>provider</code></td><td><em><a href="#providertype">ProviderType</a></em></td><td>Type is the OAuth provider<br>must be set from the supported providers group,<br>otherwise 'Google' is set as default</td></tr><tr><td><code>name</code></td><td><em>string</em></td><td>Name is the providers display name<br>if set, it will be shown to the users in the login page.</td></tr><tr><td><code>caFiles</code></td><td><em>[]string</em></td><td>CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br>If not specified, the default Go trust sources are used instead</td></tr><tr><td><code>useSystemTrustStore</code></td><td><em>bool</em></td><td>UseSystemTrustStore determines if your custom CA files and the system trust store are used<br>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files.</td></tr><tr><td><code>loginURL</code></td><td><em>string</em></td><td>LoginURL is the authentication endpoint</td></tr><tr><td><code>loginURLParameters</code></td><td><em><a href="#loginurlparameter">[]LoginURLParameter</a></em></td><td>LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL</td></tr><tr><td><code>redeemURL</code></td><td><em>string</em></td><td>RedeemURL is the token redemption 
endpoint</td></tr><tr><td><code>profileURL</code></td><td><em>string</em></td><td>ProfileURL is the profile access endpoint</td></tr><tr><td><code>resource</code></td><td><em>string</em></td><td>ProtectedResource is the resource that is protected (Azure AD and ADFS only)</td></tr><tr><td><code>validateURL</code></td><td><em>string</em></td><td>ValidateURL is the access token validation endpoint</td></tr><tr><td><code>scope</code></td><td><em>string</em></td><td>Scope is the OAuth scope specification</td></tr><tr><td><code>allowedGroups</code></td><td><em>[]string</em></td><td>AllowedGroups is a list of groups; logins are restricted to members of these groups</td></tr><tr><td><code>code_challenge_method</code></td><td><em>string</em></td><td>The code challenge method</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="providertype">ProviderType<a href="#providertype" class="hash-link" aria-label="Direct link to ProviderType" title="Direct link to ProviderType"></a></h3><h4 class="anchor anchorWithStickyNavbar_LWe7" id="string-alias-1">(<code>string</code> alias)<a href="#string-alias-1" class="hash-link" aria-label="Direct link to string-alias-1" title="Direct link to string-alias-1"></a></h4><p>(<strong>Appears on:</strong> <a href="#provider">Provider</a>)</p><p>ProviderType is used to enumerate the different provider type options
Valid options are: adfs, azure, bitbucket, digitalocean, facebook, github,
gitlab, google, keycloak, keycloak-oidc, linkedin, login.gov, nextcloud
and oidc.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="providers">Providers<a href="#providers" class="hash-link" aria-label="Direct link to Providers" title="Direct link to Providers"></a></h3><h4 class="anchor anchorWithStickyNavbar_LWe7" id="provider-alias">(<a href="#provider">[]Provider</a> alias)<a href="#provider-alias" class="hash-link" aria-label="Direct link to provider-alias" title="Direct link to provider-alias"></a></h4><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Providers is a collection of definitions for providers.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="secretsource">SecretSource<a href="#secretsource" class="hash-link" aria-label="Direct link to SecretSource" title="Direct link to SecretSource"></a></h3><p>(<strong>Appears on:</strong> <a href="#claimsource">ClaimSource</a>, <a href="#headervalue">HeaderValue</a>, <a href="#tls">TLS</a>)</p><p>SecretSource references an individual secret value.
Only one source within the struct should be defined at any time.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>[]byte</em></td><td>Value expects a base64 encoded string value.</td></tr><tr><td><code>fromEnv</code></td><td><em>string</em></td><td>FromEnv expects the name of an environment variable.</td></tr><tr><td><code>fromFile</code></td><td><em>string</em></td><td>FromFile expects a path to a file containing the secret value.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="server">Server<a href="#server" class="hash-link" aria-label="Direct link to Server" title="Direct link to Server"></a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>Server represents the configuration for an HTTP(S) server</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>BindAddress</code></td><td><em>string</em></td><td>BindAddress is the address on which to serve traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>SecureBindAddress</code></td><td><em>string</em></td><td>SecureBindAddress is the address on which to serve secure traffic.<br>Leave blank or set to "-" to disable.</td></tr><tr><td><code>TLS</code></td><td><em><a href="#tls">TLS</a></em></td><td>TLS contains the information for loading the certificate and key for the<br>secure traffic and further configuration for the TLS server.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="tls">TLS<a href="#tls" class="hash-link" aria-label="Direct link to TLS" title="Direct link to TLS"></a></h3><p>(<strong>Appears on:</strong> <a href="#server">Server</a>)</p><p>TLS contains the information for loading a TLS certificate and key
as well as an optional minimal TLS version that is acceptable.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>Key</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Key is the TLS key data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>Cert</code></td><td><em><a href="#secretsource">SecretSource</a></em></td><td>Cert is the TLS certificate data to use.<br>Typically this will come from a file.</td></tr><tr><td><code>MinVersion</code></td><td><em>string</em></td><td>MinVersion is the minimal TLS version that is acceptable.<br>E.g. Set to "TLS1.3" to select TLS version 1.3</td></tr><tr><td><code>CipherSuites</code></td><td><em>[]string</em></td><td>CipherSuites is a list of TLS cipher suites that are allowed.<br>E.g.:<br>- TLS_RSA_WITH_RC4_128_SHA<br>- TLS_RSA_WITH_AES_256_GCM_SHA384<br>These two names only show the expected format; TLS_RSA_WITH_RC4_128_SHA is an RC4 suite that the crypto/tls documentation lists as insecure, so do not copy it into a real configuration.<br>If not specified, the default Go safe cipher list is used.<br>List of valid cipher suites can be found in the <a href="https://pkg.go.dev/crypto/tls#pkg-constants" target="_blank" rel="noopener noreferrer">crypto/tls documentation</a>.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="urlparameterrule">URLParameterRule<a href="#urlparameterrule" class="hash-link" aria-label="Direct link to URLParameterRule" title="Direct link to URLParameterRule"></a></h3><p>(<strong>Appears on:</strong> <a href="#loginurlparameter">LoginURLParameter</a>)</p><p>URLParameterRule represents a rule by which query parameters
passed to the <code>/oauth2/start</code> endpoint are checked to determine whether
they are valid overrides for the given parameter passed to the IdP's
login URL. Either Value or Pattern should be supplied, not both.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>value</code></td><td><em>string</em></td><td>A Value rule matches just this specific value</td></tr><tr><td><code>pattern</code></td><td><em>string</em></td><td>A Pattern rule gives a regular expression that must be matched by<br>some substring of the value. The expression is <em>not</em> automatically<br>anchored to the start and end of the value, if you <em>want</em> to restrict<br>the whole parameter value you must anchor it yourself with <code>^</code> and <code>$</code>.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="upstream">Upstream<a href="#upstream" class="hash-link" aria-label="Direct link to Upstream" title="Direct link to Upstream"></a></h3><p>(<strong>Appears on:</strong> <a href="#upstreamconfig">UpstreamConfig</a>)</p><p>Upstream represents the configuration for an upstream server.
Requests will be proxied to this upstream if the path matches the request path.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code></td><td><em>string</em></td><td>ID should be a unique identifier for the upstream.<br>This value is required for all upstreams.</td></tr><tr><td><code>path</code></td><td><em>string</em></td><td>Path is used to map requests to the upstream server.<br>The closest match will take precedence and all Paths must be unique.<br>Path can also take a pattern when used with RewriteTarget.<br>Path segments can be captured and matched using regular expressions.<br>Eg:<br>- <code>^/foo$</code>: Match only the explicit path <code>/foo</code><br>- <code>^/bar/$</code>: Match any path prefixed with <code>/bar/</code><br>- <code>^/baz/(.*)$</code>: Match any path prefixed with <code>/baz</code> and capture the remaining path for use with RewriteTarget</td></tr><tr><td><code>rewriteTarget</code></td><td><em>string</em></td><td>RewriteTarget allows users to rewrite the request path before it is sent to<br>the upstream server.<br>Use the Path to capture segments for reuse within the rewrite target.<br>Eg: With a Path of <code>^/baz/(.*)</code>, a RewriteTarget of <code>/foo/$1</code> would rewrite<br>the request <code>/baz/abc/123</code> to <code>/foo/abc/123</code> before proxying to the<br>upstream server.</td></tr><tr><td><code>uri</code></td><td><em>string</em></td><td>The URI of the upstream server. This may be an HTTP(S) server or a File<br>based URL. 
It may include a path, in which case all requests will be served<br>under that path.<br>Eg:<br>- http://localhost:8080<br>- <a href="https://service.localhost" target="_blank" rel="noopener noreferrer">https://service.localhost</a><br>- <a href="https://service.localhost/path" target="_blank" rel="noopener noreferrer">https://service.localhost/path</a><br>- file://host/path<br>If the URI's path is "/base" and the incoming request was for "/dir",<br>the upstream request will be for "/base/dir".</td></tr><tr><td><code>insecureSkipTLSVerify</code></td><td><em>bool</em></td><td>InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br>This option is insecure and will allow potential Man-In-The-Middle attacks<br>between OAuth2 Proxy and the upstream server.<br>Defaults to false.</td></tr><tr><td><code>static</code></td><td><em>bool</em></td><td>Static will make all requests to this upstream have a static response.<br>The response will have a body of "Authenticated" and a response code<br>matching StaticCode.<br>If StaticCode is not set, the response will return a 200 response.</td></tr><tr><td><code>staticCode</code></td><td><em>int</em></td><td>StaticCode determines the response code for the Static response.<br>This option can only be used with Static enabled.</td></tr><tr><td><code>flushInterval</code></td><td><em><a href="#duration">Duration</a></em></td><td>FlushInterval is the period between flushing the response buffer when<br>streaming response from the upstream.<br>Defaults to 1 second.</td></tr><tr><td><code>passHostHeader</code></td><td><em>bool</em></td><td>PassHostHeader determines whether the request host header should be proxied<br>to the upstream server.<br>Defaults to true.</td></tr><tr><td><code>proxyWebSockets</code></td><td><em>bool</em></td><td>ProxyWebSockets enables proxying of websockets to upstream servers<br>Defaults to true.</td></tr><tr><td><code>timeout</code></td><td><em><a 
href="#duration">Duration</a></em></td><td>Timeout is the maximum duration the server will wait for a response from the upstream server.<br>Defaults to 30 seconds.</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="upstreamconfig">UpstreamConfig<a href="#upstreamconfig" class="hash-link" aria-label="Direct link to UpstreamConfig" title="Direct link to UpstreamConfig"></a></h3><p>(<strong>Appears on:</strong> <a href="#alphaoptions">AlphaOptions</a>)</p><p>UpstreamConfig is a collection of definitions for upstream servers.</p><table><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>proxyRawPath</code></td><td><em>bool</em></td><td>ProxyRawPath will pass the raw url path to upstream allowing for urls<br>like: "/%2F/" which would otherwise be redirected to "/"</td></tr><tr><td><code>upstreams</code></td><td><em><a href="#upstream">[]Upstream</a></em></td><td>Upstreams represents the configuration for the upstream servers.<br>Requests will be proxied to this upstream if the path matches the request path.</td></tr></tbody></table></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/alpha_config.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/oauth2-proxy/docs/next/configuration/tls"><div 
class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">TLS Configuration</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/oauth2-proxy/docs/next/features/endpoints"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Endpoints</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#using-alpha-configuration" class="table-of-contents__link toc-highlight">Using Alpha Configuration</a><ul><li><a href="#converting-configuration-to-the-new-structure" class="table-of-contents__link toc-highlight">Converting configuration to the new structure</a></li></ul></li><li><a href="#using-env-variables-in-the-alpha-configuration" class="table-of-contents__link toc-highlight">Using ENV variables in the alpha configuration</a></li><li><a href="#removed-options" class="table-of-contents__link toc-highlight">Removed options</a></li><li><a href="#configuration-reference" class="table-of-contents__link toc-highlight">Configuration Reference</a><ul><li><a href="#adfsoptions" class="table-of-contents__link toc-highlight">ADFSOptions</a></li><li><a href="#alphaoptions" class="table-of-contents__link toc-highlight">AlphaOptions</a></li><li><a href="#azureoptions" class="table-of-contents__link toc-highlight">AzureOptions</a></li><li><a href="#bitbucketoptions" class="table-of-contents__link toc-highlight">BitbucketOptions</a></li><li><a href="#claimsource" class="table-of-contents__link toc-highlight">ClaimSource</a></li><li><a href="#duration" class="table-of-contents__link toc-highlight">Duration</a></li><li><a href="#githuboptions" class="table-of-contents__link toc-highlight">GitHubOptions</a></li><li><a href="#gitlaboptions" class="table-of-contents__link toc-highlight">GitLabOptions</a></li><li><a href="#googleoptions" class="table-of-contents__link 
toc-highlight">GoogleOptions</a></li><li><a href="#header" class="table-of-contents__link toc-highlight">Header</a></li><li><a href="#headervalue" class="table-of-contents__link toc-highlight">HeaderValue</a></li><li><a href="#keycloakoptions" class="table-of-contents__link toc-highlight">KeycloakOptions</a></li><li><a href="#logingovoptions" class="table-of-contents__link toc-highlight">LoginGovOptions</a></li><li><a href="#loginurlparameter" class="table-of-contents__link toc-highlight">LoginURLParameter</a></li><li><a href="#oidcoptions" class="table-of-contents__link toc-highlight">OIDCOptions</a></li><li><a href="#provider" class="table-of-contents__link toc-highlight">Provider</a></li><li><a href="#providertype" class="table-of-contents__link toc-highlight">ProviderType</a></li><li><a href="#providers" class="table-of-contents__link toc-highlight">Providers</a></li><li><a href="#secretsource" class="table-of-contents__link toc-highlight">SecretSource</a></li><li><a href="#server" class="table-of-contents__link toc-highlight">Server</a></li><li><a href="#tls" class="table-of-contents__link toc-highlight">TLS</a></li><li><a href="#urlparameterrule" class="table-of-contents__link toc-highlight">URLParameterRule</a></li><li><a href="#upstream" class="table-of-contents__link toc-highlight">Upstream</a></li><li><a href="#upstreamconfig" class="table-of-contents__link toc-highlight">UpstreamConfig</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2024 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/assets/js/runtime~main.797195fe.js"></script>
<script src="/oauth2-proxy/assets/js/main.1106c429.js"></script>
</body>
</html> |