A reverse proxy that provides authentication with Google, Github or other provider
A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
NOTICE: This project was officially archived by Bitly at the end of September 2018. Bitly will no longer be accepting PRs or helping on issues. There has been a discussion to find a new home for the project which has led to the following notable forks:
Please submit all future PRs and issues to pusher/oauth2_proxy.
v2.2) or build with
$ go get github.com/bitly/oauth2_proxywhich will put the binary in
$GOROOT/binPrebuilt binaries can be validated by extracting the file and verifying it against the
sha256sum.txtchecksum file provided for each release starting with version
v2.3.
sha256sum -c sha256sum.txt 2>&1 | grep OK oauth2_proxy-2.3.linux-amd64: OK
You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it with Redirect URI(s) for the domain you intend to run
oauth2_proxyon.
Valid providers are :
The provider can be selected using the
providerconfiguration value.
For Google, the registration steps are:
https://internal.yourcompany.com
https://internal.yourcompany.com/oauth2/callback
It's recommended to refresh sessions on a short interval (1h) with
cookie-refreshsetting which validates that the account is still authorized.
https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user.readonly
google-admin-emailflag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from step 5 for the reason why.
google-groupflag. You can pass multiple instances of this flag with different groups and the user will be checked against all the provided groups.
google-service-account-jsonflag.
Note: The user is checked against the group members list on initial authentication and every time the token is refreshed ( about once an hour ).
https://internal.yourcompany.com/oauth2/callback
TenantIDand provide it via the
--azure-tenant=commandline option. Default the
commontenant is used.
The Azure AD auth provider uses
openidas it default scope. It uses
https://graph.windows.netas a default protected resource. It call to
https://graph.windows.net/meto get the email address of the user that logs in.
https://internal.yourcompany.com/oauth2/callback
Authorization callback URLenter the correct url ie
https://internal.yourcompany.com/oauth2/callback
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with
--email-domain=*
-github-org="": restrict logins to members of this organisation -github-team="": restrict logins to members of any of these teams (slug), separated by a comma
If you are using GitHub enterprise, make sure you set the following to the appropriate url:
-login-url="http(s):///login/oauth/authorize" -redeem-url="http(s):///login/oauth/access_token" -validate-url="http(s):///api/v3"
Whether you are using GitLab.com or self-hosting GitLab, follow these steps to add an application
If you are using self-hosted GitLab, make sure you set the following to the appropriate URL:
-login-url="/oauth/authorize" -redeem-url="/oauth/token" -validate-url="/api/v4/user"
For LinkedIn, the registration steps are:
https://internal.yourcompany.com/oauth2/callback
For adding an application to the Microsoft Azure AD follow these steps to add an application.
Take note of your
TenantIdif applicable for your situation. The
TenantIdcan be used to override the default
commonauthorization server with a tenant specific server.
OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects. This provider was originally built against CoreOS Dex and we will use it as an example.
Login with the fixture use in the dex guide and run the oauth2_proxy with the following args:
-provider oidc -client-id oauth2_proxy -client-secret proxy -redirect-url http://127.0.0.1:4180/oauth2/callback -oidc-issuer-url http://127.0.0.1:5556 -cookie-secure=false -email-domain example.com
To authorize by email domain use
--email-domain=yourcompany.com. To authorize individual email addresses use
--authenticated-emails-file=/path/to/filewith one email per line. To authorize all email addresses use
--email-domain=*.
oauth2_proxycan be configured via config file, command line options or environment variables.
To generate a strong cookie secret use
python -c 'import os,base64; print base64.urlsafe_b64encode(os.urandom(16))'
An example oauth2_proxy.cfg config file is in the contrib directory. It can be used by specifying
-config=/etc/oauth2_proxy.cfg
Usage of oauth2_proxy: -approval-prompt string: OAuth approval_prompt (default "force") -authenticated-emails-file string: authenticate against emails via file (one per line) -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common") -basic-auth-password string: the password to set when passing the HTTP Basic Auth header -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com" -client-secret string: the OAuth Client Secret -config string: path to config file -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com) -cookie-expire duration: expire timeframe for cookie (default 168h0m0s) -cookie-httponly: set HttpOnly cookie flag (default true) -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy") -cookie-refresh duration: refresh the cookie after this duration; 0 to disable -cookie-secret string: the seed string for secure cookies (optionally base64 encoded) -cookie-secure: set secure (HTTPS) cookie flag (default true) -custom-templates-dir string: path to custom html templates -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true) -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email -footer string: custom footer string. Use "-" to disable default footer. -github-org string: restrict logins to members of this organisation -github-team string: restrict logins to members of any of these teams (slug), separated by a comma -google-admin-email string: the google admin to impersonate for api calls -google-group value: restrict logins to members of this google group (may be given multiple times). -google-service-account-json string: the path to the service account json credentials -htpasswd-file string: additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -http-address string: [http://]: or unix:// to listen on for HTTP clients (default "127.0.0.1:4180") -https-address string: : to listen on for HTTPS clients (default ":443") -login-url string: Authentication endpoint -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true) -pass-host-header: pass the request Host Header to upstream (default true) -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true) -profile-url string: Profile access endpoint -provider string: OAuth provider (default "google") -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2") -redeem-url string: Token redemption endpoint -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" -request-logging: Log requests to stdout (default true) -request-logging-format: Template for request log lines (see "Logging Format" paragraph below) -resource string: The resource that is protected (Azure AD only) -scope string: OAuth scope specification -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) -signature-key string: GAP-Signature request signature key (algorithm:secretkey) -skip-auth-preflight: will skip authentication for OPTIONS requests -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times) -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS -tls-cert string: path to certificate file -tls-key string: path to private key file -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path -validate-url string: Access token validation endpoint -version: print version string
See below for provider specific options
oauth2_proxysupports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as
http://127.0.0.1:8080/for the upstream parameter, that will forward all authenticated requests to be forwarded to the upstream server. If you instead provide
http://127.0.0.1:8080/some/path/then it will only be requests that start with
/some/path/which are forwarded to the upstream.
Static file paths are configured as a file:// URL.
file:///var/www/static/will serve the files from that directory at
http://[oauth2_proxy url]/var/www/static/, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at.
file:///var/www/static/#/static/will ie. make
/var/www/static/available at
http://[oauth2_proxy url]/static/.
Multiple upstreams can either be configured by supplying a comma separated list to the
-upstreamparameter, supplying the parameter multiple times or provinding a list in the config file. When multiple upstreams are used routing to them will be based on the path they are set up with.
The following environment variables can be used in place of the corresponding command-line arguments:
OAUTH2_PROXY_CLIENT_ID
OAUTH2_PROXY_CLIENT_SECRET
OAUTH2_PROXY_COOKIE_NAME
OAUTH2_PROXY_COOKIE_SECRET
OAUTH2_PROXY_COOKIE_DOMAIN
OAUTH2_PROXY_COOKIE_EXPIRE
OAUTH2_PROXY_COOKIE_REFRESH
OAUTH2_PROXY_SIGNATURE_KEY
There are two recommended configurations.
1) Configure SSL Termination with OAuth2 Proxy by providing a
--tls-cert=/path/to/cert.pemand
--tls-key=/path/to/cert.key.
The command line to run
oauth2_proxyin this configuration would look like this:
./oauth2_proxy \ --email-domain="yourcompany.com" \ --upstream=http://127.0.0.1:8080/ \ --tls-cert=/path/to/cert.pem \ --tls-key=/path/to/cert.key \ --cookie-secret=... \ --cookie-secure=true \ --provider=... \ --client-id=... \ --client-secret=...
2) Configure SSL Termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
Because
oauth2_proxylistens on
127.0.0.1:4180by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use
--http-address="0.0.0.0:4180"or
--http-address="http://:4180".
Nginx will listen on port
443and handle SSL connections while proxying to
oauth2_proxyon port
4180.
oauth2_proxywill then authenticate requests for an upstream application. The external endpoint for this example would be
https://internal.yourcompany.com/.
An example Nginx config follows. Note the use of
Strict-Transport-Securityheader to pin requests to SSL via HSTS:
server { listen 443 default ssl; server_name internal.yourcompany.com; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/cert.key; add_header Strict-Transport-Security max-age=2592000;location / { proxy_pass http://127.0.0.1:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_connect_timeout 1; proxy_send_timeout 30; proxy_read_timeout 30; }
}
The command line to run
oauth2_proxyin this configuration would look like this:
./oauth2_proxy \ --email-domain="yourcompany.com" \ --upstream=http://127.0.0.1:8080/ \ --cookie-secret=... \ --cookie-secure=true \ --provider=... \ --client-id=... \ --client-secret=...
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The
/oauth2prefix can be changed with the
--proxy-prefixconfig variable.
auth_requestdirective
If
signature_keyis defined, proxied requests will be signed with the
GAP-Signatureheader, which is a Hash-based Message Authentication Code (HMAC) of selected request information and the request body see
SIGNATURE_HEADERSin
oauthproxy.go.
signature_keymust be of the form
algorithm:secretkey, (ie:
signature_key = "sha1:secret0")
For more information about HMAC request signature validation, read the following:
By default, OAuth2 Proxy logs requests to stdout in a format similar to Apache Combined Log.
- [19/Mar/2015:17:20:19 -0400] GET "/path/" HTTP/1.1 ""
If you require a different format than that, you can configure it with the
-request-logging-formatflag. The default format is configured as follows:
{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}
logMessageDatain
logging_handler.gofor all available variables.
providerspackage to define a new
Providerinstance. Add a new
caseto
providers.New()to allow
oauth2_proxyto use the new
Provider.
auth_requestdirective
The Nginx
auth_requestdirective allows Nginx to authenticate requests via the oauth2_proxy's
/authendpoint, which only returns a 202 Accepted response or a 401 Unauthorized response without proxying the request through. For example:
server { listen 443 ssl; server_name ...; include ssl/ssl.conf;location /oauth2/ { proxy_pass http://127.0.0.1:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_set_header X-Auth-Request-Redirect $request_uri; } location = /oauth2/auth { proxy_pass http://127.0.0.1:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; # nginx auth_request includes headers but not body proxy_set_header Content-Length ""; proxy_pass_request_body off; }
location / { auth_request /oauth2/auth; error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend, # requires running with --set-xauthrequest flag auth_request_set $user $upstream_http_x_auth_request_user; auth_request_set $email $upstream_http_x_auth_request_email; proxy_set_header X-User $user; proxy_set_header X-Email $email; # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; proxy_pass http://backend/; # or "root /path/to/site;" or "fastcgi_pass ..." etc
} }