Merge pull request #85 from jehiah/oauth2_proxy_85

Naming Is Hard - project name change
Jehiah Czebotar 2015-05-21 02:57:51 -04:00
commit 4d3b1c4e29
11 changed files with 50 additions and 47 deletions

.gitignore vendored

@ -1,4 +1,5 @@
google_auth_proxy google_auth_proxy
oauth2_proxy
# Go.gitignore # Go.gitignore
# Compiled Object files, Static and Dynamic libs (Shared Objects) # Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o *.o
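Review bot: the old `google_auth_proxy` entry stays on the first line next to the new `oauth2_proxy` entry; keeping it is harmless while developers still have old binaries in their working trees, but it should be dropped once the rename has settled so the ignore list does not carry a stale name indefinitely.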


@ -1,11 +1,12 @@
google_auth_proxy oaut2_proxy
================= =================
(This project was formerly known as Google Auth Proxy)
A reverse proxy that provides authentication using Google and other OAuth2 A reverse proxy that provides authentication using Providers (Google, Github, and others)
providers to validate individual accounts, or a whole google apps domain. to validate individual accounts, or a whole email domain.
[![Build Status](https://secure.travis-ci.org/bitly/google_auth_proxy.png?branch=master)](http://travis-ci.org/bitly/google_auth_proxy) [![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy)
![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png) ![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)
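Review bot: the new title on the first line of this hunk reads `oaut2_proxy`, missing the `h`. It should be `oauth2_proxy`; this heading is also the target the footer template's `#oauth2_proxy` anchor resolves against, so the typo is more than cosmetic.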
@ -13,19 +14,19 @@ providers to validate individual accounts, or a whole google apps domain.
## Architecture ## Architecture
``` ```
_______ ___________________ __________ _______ ______________ __________
|Nginx| ----> |google_auth_proxy| ----> |upstream| |Nginx| ----> |oauth2_proxy| ----> |upstream|
------- ------------------- ---------- ------- -------------- ----------
|| ||
\/ \/
[google oauth2 api] [provider OAuth2 API]
``` ```
## Installation ## Installation
1. Download [Prebuilt Binary](https://github.com/bitly/google_auth_proxy/releases) or build from `master` with `$ go get github.com/bitly/google_auth_proxy` which should put the binary in `$GOROOT/bin` 1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) or build from `master` with `$ go get github.com/bitly/oauth2_proxy` which should put the binary in `$GOROOT/bin`
2. Register an OAuth Application with Google 2. Register an OAuth Application with a Provider
3. Configure Google Auth Proxy using config file, command line options, or environment variables 3. Configure Google Auth Proxy using config file, command line options, or environment variables
4. Deploy behind a SSL endpoint (example provided for Nginx) 4. Deploy behind a SSL endpoint (example provided for Nginx)
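Review bot: step 3 of the Installation list still says "Configure Google Auth Proxy" on the new side of the diff; it should read "Configure OAuth2 Proxy" to match the rename already applied to steps 1 and 2.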
@ -33,7 +34,7 @@ providers to validate individual accounts, or a whole google apps domain.
You will need to register an OAuth application with Google (or [another You will need to register an OAuth application with Google (or [another
provider](#providers)), and configure it with Redirect URI(s) for the domain provider](#providers)), and configure it with Redirect URI(s) for the domain
you intend to run `google_auth_proxy` on. you intend to run `OAUTH2_PROXY` on.
For Google, the registration steps are: For Google, the registration steps are:
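Review bot: the replacement on the third line of this hunk is `OAUTH2_PROXY` in upper case, while the binary and every other reference in the README use `oauth2_proxy`; suggest the lower-case name so readers do not take it for an environment variable.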
@ -43,7 +44,7 @@ For Google, the registration steps are:
* The Application Type should be **Web application** * The Application Type should be **Web application**
* Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com` * Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com`
* Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback` * Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback`
* NOTE: `google_auth_proxy` will _only_ callback on the path `/oauth2/callback` * NOTE: `oauth2_proxy` will _only_ callback on the path `/oauth2/callback`
4. Under "APIs & Auth" choose "Consent Screen" 4. Under "APIs & Auth" choose "Consent Screen"
* Fill in the necessary fields and Save (this is _required_) * Fill in the necessary fields and Save (this is _required_)
5. Take note of the **Client ID** and **Client Secret** 5. Take note of the **Client ID** and **Client Secret**
@ -59,19 +60,19 @@ For LinkedIn, the registration steps are:
## Configuration ## Configuration
`google_auth_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables). `oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables).
### Config File ### Config File
An example [google_auth_proxy.cfg](contrib/google_auth_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/google_auth_proxy.cfg` An example [OAUTH2_PROXY.cfg](contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg`
### Command Line Options ### Command Line Options
``` ```
Usage of google_auth_proxy: Usage of oauth2_proxy:
-authenticated-emails-file="": authenticate against emails via file (one per line) -authenticated-emails-file="": authenticate against emails via file (one per line)
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com" -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret -client-secret="": the Client Secret
-config="": path to config file -config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)* -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie -cookie-expire=168h0m0s: expire timeframe for cookie
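Review bot: the config-file link text `[OAUTH2_PROXY.cfg]` is upper case while its target is `contrib/oauth2_proxy.cfg.example`; use `oauth2_proxy.cfg` for the link text. In the same hunk the usage block now describes `-client-secret` as "the Client Secret", but the flag definition in main.go still says "the OAuth Client Secret"; since this block is meant to mirror `--help` output, regenerate it from the binary or keep the two strings identical.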
@ -105,12 +106,12 @@ See below for provider specific options
### Environment variables ### Environment variables
The environment variables `GOOGLE_AUTH_PROXY_CLIENT_ID`, `GOOGLE_AUTH_PROXY_CLIENT_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_DOMAIN` and `GOOGLE_AUTH_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments. The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments.
### Example Nginx Configuration ### Example Nginx Configuration
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `google_auth_proxy` on port `4180`. This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `oauth2_proxy` on port `4180`.
`google_auth_proxy` then authenticates requests for an upstream application running on port `8080`. The external `oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external
endpoint for this example would be `https://internal.yourcompany.com/`. endpoint for this example would be `https://internal.yourcompany.com/`.
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
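Review bot: the environment-variable list omits `OAUTH2_PROXY_COOKIE_REFRESH`, which options.go defines on `CookieRefresh` with the same `env:` tag convention as the five variables named here; add it so the documented set matches the struct. This paragraph (or the release notes) should also state that the former `GOOGLE_AUTH_PROXY_*` names are no longer read, so deployments configured through environment variables must rename them when upgrading.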
@ -136,10 +137,10 @@ server {
} }
``` ```
The command line to run `google_auth_proxy` would look like this: The command line to run `oauth2_proxy` would look like this:
```bash ```bash
./google_auth_proxy \ ./oauth2_proxy \
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
@ -151,7 +152,7 @@ The command line to run `google_auth_proxy` would look like this:
## Endpoint Documentation ## Endpoint Documentation
Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info * /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
* /ping - returns an 200 OK response * /ping - returns an 200 OK response
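Review bot: unchanged context, but "returns an 200 OK response" on the last line should be "returns a 200 OK response"; worth fixing while this section is being edited.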
@ -161,17 +162,18 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi
## Logging Format ## Logging Format
Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log. OAuth2 Proxy Proxy logs requests to stdout in a format similar to Apache Combined Log.
``` ```
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION> <REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
``` ```
## <a name="providers"></a>Providers other than Google ## <a name="providers"></a>Providers
Other providers besides Google can be specified by the `providers` flag/config Authentication providers can be specified by the `providers` flag/config
directive. Right now this includes: directive. Right now this includes:
* `google` - (default) [Google](https://console.developers.google.com/project)
* `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service * `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service
([GitHub](https://github.com/18F/myusa)) ([GitHub](https://github.com/18F/myusa))
* `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service. * `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service.
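Review bot: the first line of the Logging Format section now reads "OAuth2 Proxy Proxy logs", a doubled word; it should be "OAuth2 Proxy logs". The Providers list gains the `google` default but still has no `github` entry, even though the description at the top of the README now names Github and main.go defines `github-org` and `github-team` flags; either add a `github` bullet or drop Github from the description.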


@ -20,9 +20,9 @@ echo "... running tests"
for os in linux darwin; do for os in linux darwin; do
echo "... building v$version for $os/$arch" echo "... building v$version for $os/$arch"
BUILD=$(mktemp -d -t google_auth_proxy) BUILD=$(mktemp -d -t oauth2_proxy)
TARGET="google_auth_proxy-$version.$os-$arch.$goversion" TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/google_auth_proxy || exit 1 GOOS=$os GOARCH=$arch CGO_ENABLED=0 go build -o $BUILD/$TARGET/oauth2_proxy || exit 1
pushd $BUILD pushd $BUILD
tar czvf $TARGET.tar.gz $TARGET tar czvf $TARGET.tar.gz $TARGET
mv $TARGET.tar.gz $DIR/dist mv $TARGET.tar.gz $DIR/dist


@ -18,7 +18,7 @@ import (
func main() { func main() {
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile) log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
flagSet := flag.NewFlagSet("google_auth_proxy", flag.ExitOnError) flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
googleAppsDomains := StringArray{} googleAppsDomains := StringArray{}
upstreams := StringArray{} upstreams := StringArray{}
@ -38,7 +38,7 @@ func main() {
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)") flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
flagSet.String("github-org", "", "restrict logins to members of this organisation") flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team") flagSet.String("github-team", "", "restrict logins to members of this team")
flagSet.String("client-id", "", "the Google OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"") flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
flagSet.String("client-secret", "", "the OAuth Client Secret") flagSet.String("client-secret", "", "the OAuth Client Secret")
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)") flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption") flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
@ -65,7 +65,7 @@ func main() {
flagSet.Parse(os.Args[1:]) flagSet.Parse(os.Args[1:])
if *showVersion { if *showVersion {
fmt.Printf("google_auth_proxy v%s (built with %s)\n", VERSION, runtime.Version()) fmt.Printf("oauth2_proxy v%s (built with %s)\n", VERSION, runtime.Version())
return return
} }


@ -16,7 +16,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/bitly/google_auth_proxy/providers" "github.com/bitly/oauth2_proxy/providers"
) )
const robotsPath = "/robots.txt" const robotsPath = "/robots.txt"
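Review bot: changing the import path to `github.com/bitly/oauth2_proxy/providers` means the package no longer builds from a checkout sitting at the old `google_auth_proxy` GOPATH location, and the README's `go get github.com/bitly/oauth2_proxy` only works once the repository itself has been renamed. The PR description should say the rename has to land in the same step and that existing clones must be moved to the new directory.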


@ -1,7 +1,7 @@
package main package main
import ( import (
"github.com/bitly/google_auth_proxy/providers" "github.com/bitly/oauth2_proxy/providers"
"github.com/bmizerany/assert" "github.com/bmizerany/assert"
"io/ioutil" "io/ioutil"
"log" "log"


@ -7,15 +7,15 @@ import (
"strings" "strings"
"time" "time"
"github.com/bitly/google_auth_proxy/providers" "github.com/bitly/oauth2_proxy/providers"
) )
// Configuration Options that can be set by Command Line Flag, or Config File // Configuration Options that can be set by Command Line Flag, or Config File
type Options struct { type Options struct {
HttpAddress string `flag:"http-address" cfg:"http_address"` HttpAddress string `flag:"http-address" cfg:"http_address"`
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"` RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
ClientID string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"` ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"` ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"` AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"` GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
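Review bot: the `env:` tags switch from `GOOGLE_AUTH_PROXY_CLIENT_ID` and `GOOGLE_AUTH_PROXY_CLIENT_SECRET` to the `OAUTH2_PROXY_*` names with no fallback to the old ones, and the next hunk does the same for the cookie secret. An upgraded deployment that supplies these secrets through the old variables will silently stop receiving them. Either read the old names as a deprecated fallback for one release, logging a warning when they are used, or mark this as a breaking change in the release notes.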
@ -25,10 +25,10 @@ type Options struct {
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"` DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"` CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"` CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"` CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"` CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`


@ -1,7 +1,7 @@
package providers package providers
import ( import (
"github.com/bitly/google_auth_proxy/api" "github.com/bitly/oauth2_proxy/api"
"log" "log"
"net/http" "net/http"
) )


@ -8,7 +8,7 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"github.com/bitly/google_auth_proxy/api" "github.com/bitly/oauth2_proxy/api"
) )
type LinkedInProvider struct { type LinkedInProvider struct {


@ -5,7 +5,7 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"github.com/bitly/google_auth_proxy/api" "github.com/bitly/oauth2_proxy/api"
) )
type MyUsaProvider struct { type MyUsaProvider struct {


@ -130,7 +130,7 @@ func getTemplates() *template.Template {
</div> </div>
{{ end }} {{ end }}
<footer> <footer>
Secured with <a href="https://github.com/bitly/google_auth_proxy#google_auth_proxy">Google Auth Proxy</a> version {{.Version}} Secured with <a href="https://github.com/bitly/oauth2_proxy#oauth2_proxy">OAuth2 Proxy</a> version {{.Version}}
</footer> </footer>
</body> </body>
</html> </html>
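Review bot: the footer link now targets `https://github.com/bitly/oauth2_proxy#oauth2_proxy`, a fragment GitHub derives from the README's top heading; with that heading spelled `oaut2_proxy` in this PR, the anchor will not resolve and the link lands on the repository page without scrolling. Fix the heading spelling in the README hunk, or drop the fragment and link to the repository root.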