"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[8096],{3905:function(e,t,n){n.d(t,{Zo:function(){return s},kt:function(){return k}});var r=n(7294);function a(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function o(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}function i(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?o(Object(n),!0).forEach((function(t){a(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):o(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}function p(e,t){if(null==e)return{};var n,r,a=function(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(a[n]=e[n]);return a}(e,t);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(a[n]=e[n])}return a}var l=r.createContext({}),c=function(e){var t=r.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):i(i({},t),e)),n},s=function(e){var t=c(e.components);return r.createElement(l.Provider,{value:t},e.children)},u="mdxType",m={inlineCode:"code",wrapper:function(e){var t=e.children;return r.createElement(r.Fragment,{},t)}},d=r.forwardRef((function(e,t){var n=e.components,a=e.mdxType,o=e.originalType,l=e.parentName,s=p(e,["components","mdxType","originalType","parentName"]),u=c(n),d=a,k=u["".concat(l,".").concat(d)]||u[d]||m[d]||o;return n?r.createElement(k,i(i({ref:t},s),{},{components:n})):r.createElement(k,i({ref:t},s))}));function k(e,t){var n=arguments,a=t&&t.mdxType;if("string"==typeof e||a){var o=n.length,i=new Array(o);i[0]=d;var 
p={};for(var l in t)hasOwnProperty.call(t,l)&&(p[l]=t[l]);p.originalType=e,p[u]="string"==typeof e?e:a,i[1]=p;for(var c=2;c<o;c++)i[c]=n[c];return r.createElement.apply(null,i)}return r.createElement.apply(null,n)}d.displayName="MDXCreateElement"},8160:function(e,t,n){n.r(t),n.d(t,{assets:function(){return s},contentTitle:function(){return l},default:function(){return k},frontMatter:function(){return p},metadata:function(){return c},toc:function(){return u}});var r=n(7462),a=n(3366),o=(n(7294),n(3905)),i=["components"],p={id:"openid_connect",title:"OpenID Connect"},l=void 0,c={unversionedId:"configuration/providers/openid_connect",id:"configuration/providers/openid_connect",title:"OpenID Connect",description:"OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects.",source:"@site/docs/configuration/providers/openid_connect.md",sourceDirName:"configuration/providers",slug:"/configuration/providers/openid_connect",permalink:"/oauth2-proxy/docs/next/configuration/providers/openid_connect",draft:!1,editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/openid_connect.md",tags:[],version:"current",frontMatter:{id:"openid_connect",title:"OpenID Connect"},sidebar:"docs",previous:{title:"Microsoft Azure AD",permalink:"/oauth2-proxy/docs/next/configuration/providers/azure_ad"},next:{title:"Login.gov",permalink:"/oauth2-proxy/docs/next/configuration/providers/login_gov"}},s={},u=[{value:"Dex",id:"dex",level:4},{value:"Okta",id:"okta",level:4},{value:"Okta - localhost",id:"okta---localhost",level:4}],m={toc:u},d="wrapper";function k(e){var t=e.components,n=(0,a.Z)(e,i);return(0,o.kt)(d,(0,r.Z)({},m,n,{components:t,mdxType:"MDXLayout"}),(0,o.kt)("p",null,"OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects."),(0,o.kt)("p",null,"This provider was originally built against CoreOS Dex, and we 
will use it as an example.\nThe OpenID Connect Provider (OIDC) can also be used to connect to other Identity Providers such as Okta, an example can be found below."),(0,o.kt)("h4",{id:"dex"},"Dex"),(0,o.kt)("p",null,"To configure the OIDC provider for Dex, perform the following steps:"),(0,o.kt)("ol",null,(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Download Dex:"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},"go get github.com/dexidp/dex\n")),(0,o.kt)("p",{parentName:"li"},"See the ",(0,o.kt)("a",{parentName:"p",href:"https://dexidp.io/docs/getting-started/"},"getting started guide")," for more details.")),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Setup oauth2-proxy with the correct provider and using the default ports and callbacks. Add a configuration block to\nthe ",(0,o.kt)("inlineCode",{parentName:"p"},"staticClients")," section of ",(0,o.kt)("inlineCode",{parentName:"p"},"examples/config-dev.yaml"),":"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},"- id: oauth2-proxy\nredirectURIs:\n- 'http://127.0.0.1:4180/oauth2/callback'\nname: 'oauth2-proxy'\nsecret: proxy\n"))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Launch Dex: from ",(0,o.kt)("inlineCode",{parentName:"p"},"$GOPATH/github.com/dexidp/dex"),", run:"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},"bin/dex serve examples/config-dev.yaml\n"))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"In a second terminal, run the oauth2-proxy with the following args:"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},'-provider oidc\n-provider-display-name "My OIDC Provider"\n-client-id oauth2-proxy\n-client-secret proxy\n-redirect-url http://127.0.0.1:4180/oauth2/callback\n-oidc-issuer-url http://127.0.0.1:5556/dex\n-cookie-secure=false\n-cookie-secret=secret\n-email-domain kilgore.trout\n')),(0,o.kt)("p",{parentName:"li"},"To serve the current 
working directory as a website under the ",(0,o.kt)("inlineCode",{parentName:"p"},"/static")," endpoint, add:"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},"-upstream file://$PWD/#/static/\n"))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Test the setup by visiting ",(0,o.kt)("a",{parentName:"p",href:"http://127.0.0.1:4180"},"http://127.0.0.1:4180")," or ",(0,o.kt)("a",{parentName:"p",href:"http://127.0.0.1:4180/static"},"http://127.0.0.1:4180/static")," ."))),(0,o.kt)("p",null,"See also ",(0,o.kt)("a",{parentName:"p",href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment"},"our local testing environment")," for a self-contained example using Docker and etcd as storage for Dex."),(0,o.kt)("h4",{id:"okta"},"Okta"),(0,o.kt)("p",null,"To configure the OIDC provider for Okta, perform the following steps:"),(0,o.kt)("ol",null,(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Log in to Okta using an administrative account. It is suggested you try this in preview first, ",(0,o.kt)("inlineCode",{parentName:"p"},"example.oktapreview.com"))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"(OPTIONAL) If you want to configure authorization scopes and claims to be passed on to multiple applications,\nyou may wish to configure an authorization server for each application. 
Otherwise, the provided ",(0,o.kt)("inlineCode",{parentName:"p"},"default")," will work."),(0,o.kt)("ul",{parentName:"li"},(0,o.kt)("li",{parentName:"ul"},"Navigate to ",(0,o.kt)("strong",{parentName:"li"},"Security")," then select ",(0,o.kt)("strong",{parentName:"li"},"API")),(0,o.kt)("li",{parentName:"ul"},"Click ",(0,o.kt)("strong",{parentName:"li"},"Add Authorization Server"),", if this option is not available you may require an additional license for a custom\nauthorization server."),(0,o.kt)("li",{parentName:"ul"},"Fill out the ",(0,o.kt)("strong",{parentName:"li"},"Name")," with something to describe the application you are protecting. e.g. 'Example App'."),(0,o.kt)("li",{parentName:"ul"},"For ",(0,o.kt)("strong",{parentName:"li"},"Audience"),", pick the URL of the application you wish to protect: ",(0,o.kt)("a",{parentName:"li",href:"https://example.corp.com"},"https://example.corp.com")),(0,o.kt)("li",{parentName:"ul"},"Fill out a ",(0,o.kt)("strong",{parentName:"li"},"Description")),(0,o.kt)("li",{parentName:"ul"},"Add any ",(0,o.kt)("strong",{parentName:"li"},"Access Policies")," you wish to configure to limit application access."),(0,o.kt)("li",{parentName:"ul"},"The default settings will work for other options.\n",(0,o.kt)("a",{parentName:"li",href:"https://developer.okta.com/docs/guides/customize-authz-server/overview/"},"See Okta documentation for more information on Authorization Servers")))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Navigate to ",(0,o.kt)("strong",{parentName:"p"},"Applications")," then select ",(0,o.kt)("strong",{parentName:"p"},"Add Application"),"."),(0,o.kt)("ul",{parentName:"li"},(0,o.kt)("li",{parentName:"ul"},"Select ",(0,o.kt)("strong",{parentName:"li"},"Web")," for the ",(0,o.kt)("strong",{parentName:"li"},"Platform")," setting."),(0,o.kt)("li",{parentName:"ul"},"Select ",(0,o.kt)("strong",{parentName:"li"},"OpenID Connect")," and click 
",(0,o.kt)("strong",{parentName:"li"},"Create")),(0,o.kt)("li",{parentName:"ul"},"Pick an ",(0,o.kt)("strong",{parentName:"li"},"Application Name")," such as ",(0,o.kt)("inlineCode",{parentName:"li"},"Example App"),"."),(0,o.kt)("li",{parentName:"ul"},"Set the ",(0,o.kt)("strong",{parentName:"li"},"Login redirect URI")," to ",(0,o.kt)("inlineCode",{parentName:"li"},"https://example.corp.com"),"."),(0,o.kt)("li",{parentName:"ul"},"Under ",(0,o.kt)("strong",{parentName:"li"},"General")," set the ",(0,o.kt)("strong",{parentName:"li"},"Allowed grant types")," to ",(0,o.kt)("inlineCode",{parentName:"li"},"Authorization Code")," and ",(0,o.kt)("inlineCode",{parentName:"li"},"Refresh Token"),"."),(0,o.kt)("li",{parentName:"ul"},"Leave the rest as default, taking note of the ",(0,o.kt)("inlineCode",{parentName:"li"},"Client ID")," and ",(0,o.kt)("inlineCode",{parentName:"li"},"Client Secret"),"."),(0,o.kt)("li",{parentName:"ul"},"Under ",(0,o.kt)("strong",{parentName:"li"},"Assignments")," select the users or groups you wish to access your application."))),(0,o.kt)("li",{parentName:"ol"},(0,o.kt)("p",{parentName:"li"},"Create a configuration file like the following:"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},'provider = "oidc"\nredirect_url = "https://example.corp.com/oauth2/callback"\noidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234"\nupstreams = [\n "https://example.corp.com"\n]\nemail_domains = [\n "corp.com"\n]\nclient_id = "XXXXX"\nclient_secret = "YYYYY"\npass_access_token = true\ncookie_secret = "ZZZZZ"\nskip_provider_button = true\n')))),(0,o.kt)("p",null,"The ",(0,o.kt)("inlineCode",{parentName:"p"},"oidc_issuer_url")," is based on URL from your ",(0,o.kt)("strong",{parentName:"p"},"Authorization Server"),"'s ",(0,o.kt)("strong",{parentName:"p"},"Issuer")," field in step 2, or simply\n",(0,o.kt)("a",{parentName:"p",href:"https://corp.okta.com."},"https://corp.okta.com.")," The 
",(0,o.kt)("inlineCode",{parentName:"p"},"client_id")," and ",(0,o.kt)("inlineCode",{parentName:"p"},"client_secret")," are configured in the application settings.\nGenerate a unique ",(0,o.kt)("inlineCode",{parentName:"p"},"cookie_secret")," to encrypt the cookie."),(0,o.kt)("p",null,"Then you can start the oauth2-proxy with ",(0,o.kt)("inlineCode",{parentName:"p"},"./oauth2-proxy --config /etc/example.cfg")),(0,o.kt)("h4",{id:"okta---localhost"},"Okta - localhost"),(0,o.kt)("ol",null,(0,o.kt)("li",{parentName:"ol"},"Signup for developer account: ",(0,o.kt)("a",{parentName:"li",href:"https://developer.okta.com/signup/"},"https://developer.okta.com/signup/")),(0,o.kt)("li",{parentName:"ol"},"Create New ",(0,o.kt)("inlineCode",{parentName:"li"},"Web")," Application: https://${your-okta-domain}/dev/console/apps/new"),(0,o.kt)("li",{parentName:"ol"},"Example Application Settings for localhost:",(0,o.kt)("ul",{parentName:"li"},(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Name:")," My Web App"),(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Base URIs:")," http://localhost:4180/"),(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Login redirect URIs:")," http://localhost:4180/oauth2/callback"),(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Logout redirect URIs:")," http://localhost:4180/"),(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Group assignments:")," ",(0,o.kt)("inlineCode",{parentName:"li"},"Everyone")),(0,o.kt)("li",{parentName:"ul"},(0,o.kt)("strong",{parentName:"li"},"Grant type allowed:")," ",(0,o.kt)("inlineCode",{parentName:"li"},"Authorization Code")," and ",(0,o.kt)("inlineCode",{parentName:"li"},"Refresh Token")))),(0,o.kt)("li",{parentName:"ol"},"Make note of the ",(0,o.kt)("inlineCode",{parentName:"li"},"Client ID")," and ",(0,o.kt)("inlineCode",{parentName:"li"},"Client secret"),", they are needed in a future 
step"),(0,o.kt)("li",{parentName:"ol"},"Make note of the ",(0,o.kt)("strong",{parentName:"li"},"default")," Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as"),(0,o.kt)("li",{parentName:"ol"},"Example config file ",(0,o.kt)("inlineCode",{parentName:"li"},"/etc/localhost.cfg"),(0,o.kt)("pre",{parentName:"li"},(0,o.kt)("code",{parentName:"pre"},'provider = "oidc"\nredirect_url = "http://localhost:4180/oauth2/callback"\noidc_issuer_url = "https://${your-okta-domain}/oauth2/default"\nupstreams = [\n "http://0.0.0.0:8080"\n]\nemail_domains = [\n "*"\n]\nclient_id = "XXX"\nclient_secret = "YYY"\npass_access_token = true\ncookie_secret = "ZZZ"\ncookie_secure = false\nskip_provider_button = true\n# Note: use the following for testing within a container\n# http_address = "0.0.0.0:4180"\n'))),(0,o.kt)("li",{parentName:"ol"},"Then you can start the oauth2-proxy with ",(0,o.kt)("inlineCode",{parentName:"li"},"./oauth2-proxy --config /etc/localhost.cfg"))))}k.isMDXComponent=!0}}]); |