Merge pull request #85 from jehiah/oauth2_proxy_85
Naming Is Hard - project name change
This commit is contained in:
commit
4d3b1c4e29
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,4 +1,5 @@
|
|||||||
google_auth_proxy
|
google_auth_proxy
|
||||||
|
oauth2_proxy
|
||||||
# Go.gitignore
|
# Go.gitignore
|
||||||
# Compiled Object files, Static and Dynamic libs (Shared Objects)
|
# Compiled Object files, Static and Dynamic libs (Shared Objects)
|
||||||
*.o
|
*.o
|
||||||
|
58
README.md
58
README.md
@ -1,11 +1,12 @@
|
|||||||
google_auth_proxy
|
oaut2_proxy
|
||||||
=================
|
=================
|
||||||
|
|
||||||
|
(This project was formerly known as Google Auth Proxy)
|
||||||
|
|
||||||
A reverse proxy that provides authentication using Google and other OAuth2
|
A reverse proxy that provides authentication using Providers (Google, Github, and others)
|
||||||
providers to validate individual accounts, or a whole google apps domain.
|
to validate individual accounts, or a whole email domain.
|
||||||
|
|
||||||
[![Build Status](https://secure.travis-ci.org/bitly/google_auth_proxy.png?branch=master)](http://travis-ci.org/bitly/google_auth_proxy)
|
[![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy)
|
||||||
|
|
||||||
|
|
||||||
![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)
|
![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)
|
||||||
@ -13,19 +14,19 @@ providers to validate individual accounts, or a whole google apps domain.
|
|||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
```
|
```
|
||||||
_______ ___________________ __________
|
_______ ______________ __________
|
||||||
|Nginx| ----> |google_auth_proxy| ----> |upstream|
|
|Nginx| ----> |oauth2_proxy| ----> |upstream|
|
||||||
------- ------------------- ----------
|
------- -------------- ----------
|
||||||
||
|
||
|
||||||
\/
|
\/
|
||||||
[google oauth2 api]
|
[provider OAuth2 API]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
1. Download [Prebuilt Binary](https://github.com/bitly/google_auth_proxy/releases) or build from `master` with `$ go get github.com/bitly/google_auth_proxy` which should put the binary in `$GOROOT/bin`
|
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) or build from `master` with `$ go get github.com/bitly/oauth2_proxy` which should put the binary in `$GOROOT/bin`
|
||||||
2. Register an OAuth Application with Google
|
2. Register an OAuth Application with a Provider
|
||||||
3. Configure Google Auth Proxy using config file, command line options, or environment variables
|
3. Configure Google Auth Proxy using config file, command line options, or environment variables
|
||||||
4. Deploy behind a SSL endpoint (example provided for Nginx)
|
4. Deploy behind a SSL endpoint (example provided for Nginx)
|
||||||
|
|
||||||
@ -33,7 +34,7 @@ providers to validate individual accounts, or a whole google apps domain.
|
|||||||
|
|
||||||
You will need to register an OAuth application with Google (or [another
|
You will need to register an OAuth application with Google (or [another
|
||||||
provider](#providers)), and configure it with Redirect URI(s) for the domain
|
provider](#providers)), and configure it with Redirect URI(s) for the domain
|
||||||
you intend to run `google_auth_proxy` on.
|
you intend to run `OAUTH2_PROXY` on.
|
||||||
|
|
||||||
For Google, the registration steps are:
|
For Google, the registration steps are:
|
||||||
|
|
||||||
@ -43,7 +44,7 @@ For Google, the registration steps are:
|
|||||||
* The Application Type should be **Web application**
|
* The Application Type should be **Web application**
|
||||||
* Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com`
|
* Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com`
|
||||||
* Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback`
|
* Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback`
|
||||||
* NOTE: `google_auth_proxy` will _only_ callback on the path `/oauth2/callback`
|
* NOTE: `oauth2_proxy` will _only_ callback on the path `/oauth2/callback`
|
||||||
4. Under "APIs & Auth" choose "Consent Screen"
|
4. Under "APIs & Auth" choose "Consent Screen"
|
||||||
* Fill in the necessary fields and Save (this is _required_)
|
* Fill in the necessary fields and Save (this is _required_)
|
||||||
5. Take note of the **Client ID** and **Client Secret**
|
5. Take note of the **Client ID** and **Client Secret**
|
||||||
@ -59,19 +60,19 @@ For LinkedIn, the registration steps are:
|
|||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
`google_auth_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
|
`oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
|
||||||
|
|
||||||
### Config File
|
### Config File
|
||||||
|
|
||||||
An example [google_auth_proxy.cfg](contrib/google_auth_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/google_auth_proxy.cfg`
|
An example [OAUTH2_PROXY.cfg](contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg`
|
||||||
|
|
||||||
### Command Line Options
|
### Command Line Options
|
||||||
|
|
||||||
```
|
```
|
||||||
Usage of google_auth_proxy:
|
Usage of oauth2_proxy:
|
||||||
-authenticated-emails-file="": authenticate against emails via file (one per line)
|
-authenticated-emails-file="": authenticate against emails via file (one per line)
|
||||||
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
||||||
-client-secret="": the OAuth Client Secret
|
-client-secret="": the Client Secret
|
||||||
-config="": path to config file
|
-config="": path to config file
|
||||||
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
||||||
-cookie-expire=168h0m0s: expire timeframe for cookie
|
-cookie-expire=168h0m0s: expire timeframe for cookie
|
||||||
@ -105,12 +106,12 @@ See below for provider specific options
|
|||||||
|
|
||||||
### Environment variables
|
### Environment variables
|
||||||
|
|
||||||
The environment variables `GOOGLE_AUTH_PROXY_CLIENT_ID`, `GOOGLE_AUTH_PROXY_CLIENT_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_DOMAIN` and `GOOGLE_AUTH_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
|
The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
|
||||||
|
|
||||||
### Example Nginx Configuration
|
### Example Nginx Configuration
|
||||||
|
|
||||||
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `google_auth_proxy` on port `4180`.
|
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `oauth2_proxy` on port `4180`.
|
||||||
`google_auth_proxy` then authenticates requests for an upstream application running on port `8080`. The external
|
`oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external
|
||||||
endpoint for this example would be `https://internal.yourcompany.com/`.
|
endpoint for this example would be `https://internal.yourcompany.com/`.
|
||||||
|
|
||||||
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
|
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
|
||||||
@ -136,10 +137,10 @@ server {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
The command line to run `google_auth_proxy` would look like this:
|
The command line to run `oauth2_proxy` would look like this:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./google_auth_proxy \
|
./oauth2_proxy \
|
||||||
--google-apps-domain="yourcompany.com" \
|
--google-apps-domain="yourcompany.com" \
|
||||||
--upstream=http://127.0.0.1:8080/ \
|
--upstream=http://127.0.0.1:8080/ \
|
||||||
--cookie-secret=... \
|
--cookie-secret=... \
|
||||||
@ -151,7 +152,7 @@ The command line to run `google_auth_proxy` would look like this:
|
|||||||
|
|
||||||
## Endpoint Documentation
|
## Endpoint Documentation
|
||||||
|
|
||||||
Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
|
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
|
||||||
|
|
||||||
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
|
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
|
||||||
* /ping - returns an 200 OK response
|
* /ping - returns an 200 OK response
|
||||||
@ -161,17 +162,18 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi
|
|||||||
|
|
||||||
## Logging Format
|
## Logging Format
|
||||||
|
|
||||||
Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log.
|
OAuth2 Proxy Proxy logs requests to stdout in a format similar to Apache Combined Log.
|
||||||
|
|
||||||
```
|
```
|
||||||
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
|
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
|
||||||
```
|
```
|
||||||
|
|
||||||
## <a name="providers"></a>Providers other than Google
|
## <a name="providers"></a>Providers
|
||||||
|
|
||||||
Other providers besides Google can be specified by the `providers` flag/config
|
Authentication providers can be specified by the `providers` flag/config
|
||||||
directive. Right now this includes:
|
directive. Right now this includes:
|
||||||
|
|
||||||
|
* `google` - (default) [Google](https://console.developers.google.com/project)
|
||||||
* `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service
|
* `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service
|
||||||
([GitHub](https://github.com/18F/myusa))
|
([GitHub](https://github.com/18F/myusa))
|
||||||
* `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service.
|
* `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service.
|
||||||
|
6
dist.sh
6
dist.sh
@ -20,9 +20,9 @@ echo "... running tests"
|
|||||||
|
|
||||||
for os in linux darwin; do
|
for os in linux darwin; do
|
||||||
echo "... building v$version for $os/$arch"
|
echo "... building v$version for $os/$arch"
|
||||||
BUILD=$(mktemp -d -t google_auth_proxy)
|
BUILD=$(mktemp -d -t oauth2_proxy)
|
||||||
TARGET="google_auth_proxy-$version.$os-$arch.$goversion"
|
TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
|
||||||
GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/google_auth_proxy || exit 1
|
GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/oauth2_proxy || exit 1
|
||||||
pushd $BUILD
|
pushd $BUILD
|
||||||
tar czvf $TARGET.tar.gz $TARGET
|
tar czvf $TARGET.tar.gz $TARGET
|
||||||
mv $TARGET.tar.gz $DIR/dist
|
mv $TARGET.tar.gz $DIR/dist
|
||||||
|
6
main.go
6
main.go
@ -18,7 +18,7 @@ import (
|
|||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
|
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
|
||||||
flagSet := flag.NewFlagSet("google_auth_proxy", flag.ExitOnError)
|
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
|
||||||
|
|
||||||
googleAppsDomains := StringArray{}
|
googleAppsDomains := StringArray{}
|
||||||
upstreams := StringArray{}
|
upstreams := StringArray{}
|
||||||
@ -38,7 +38,7 @@ func main() {
|
|||||||
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
|
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
|
||||||
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
||||||
flagSet.String("github-team", "", "restrict logins to members of this team")
|
flagSet.String("github-team", "", "restrict logins to members of this team")
|
||||||
flagSet.String("client-id", "", "the Google OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
|
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
|
||||||
flagSet.String("client-secret", "", "the OAuth Client Secret")
|
flagSet.String("client-secret", "", "the OAuth Client Secret")
|
||||||
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
|
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
|
||||||
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
|
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
|
||||||
@ -65,7 +65,7 @@ func main() {
|
|||||||
flagSet.Parse(os.Args[1:])
|
flagSet.Parse(os.Args[1:])
|
||||||
|
|
||||||
if *showVersion {
|
if *showVersion {
|
||||||
fmt.Printf("google_auth_proxy v%s (built with %s)\n", VERSION, runtime.Version())
|
fmt.Printf("oauth2_proxy v%s (built with %s)\n", VERSION, runtime.Version())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/bitly/google_auth_proxy/providers"
|
"github.com/bitly/oauth2_proxy/providers"
|
||||||
)
|
)
|
||||||
|
|
||||||
const robotsPath = "/robots.txt"
|
const robotsPath = "/robots.txt"
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/bitly/google_auth_proxy/providers"
|
"github.com/bitly/oauth2_proxy/providers"
|
||||||
"github.com/bmizerany/assert"
|
"github.com/bmizerany/assert"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
|
14
options.go
14
options.go
@ -7,15 +7,15 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/bitly/google_auth_proxy/providers"
|
"github.com/bitly/oauth2_proxy/providers"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Configuration Options that can be set by Command Line Flag, or Config File
|
// Configuration Options that can be set by Command Line Flag, or Config File
|
||||||
type Options struct {
|
type Options struct {
|
||||||
HttpAddress string `flag:"http-address" cfg:"http_address"`
|
HttpAddress string `flag:"http-address" cfg:"http_address"`
|
||||||
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
|
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
|
||||||
ClientID string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"`
|
ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
|
||||||
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"`
|
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
|
||||||
|
|
||||||
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
||||||
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
|
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
|
||||||
@ -25,10 +25,10 @@ type Options struct {
|
|||||||
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
||||||
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
|
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
|
||||||
|
|
||||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
|
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
|
||||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
|
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
|
||||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
|
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
|
||||||
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
|
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
|
||||||
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
|
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
|
||||||
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
||||||
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
package providers
|
package providers
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/bitly/google_auth_proxy/api"
|
"github.com/bitly/oauth2_proxy/api"
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
)
|
)
|
||||||
|
@ -8,7 +8,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
"github.com/bitly/google_auth_proxy/api"
|
"github.com/bitly/oauth2_proxy/api"
|
||||||
)
|
)
|
||||||
|
|
||||||
type LinkedInProvider struct {
|
type LinkedInProvider struct {
|
||||||
|
@ -5,7 +5,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
"github.com/bitly/google_auth_proxy/api"
|
"github.com/bitly/oauth2_proxy/api"
|
||||||
)
|
)
|
||||||
|
|
||||||
type MyUsaProvider struct {
|
type MyUsaProvider struct {
|
||||||
|
@ -130,7 +130,7 @@ func getTemplates() *template.Template {
|
|||||||
</div>
|
</div>
|
||||||
{{ end }}
|
{{ end }}
|
||||||
<footer>
|
<footer>
|
||||||
Secured with <a href="https://github.com/bitly/google_auth_proxy#google_auth_proxy">Google Auth Proxy</a> version {{.Version}}
|
Secured with <a href="https://github.com/bitly/oauth2_proxy#oauth2_proxy">OAuth2 Proxy</a> version {{.Version}}
|
||||||
</footer>
|
</footer>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
Loading…
Reference in New Issue
Block a user