commit
b90a23473f
@ -1,7 +1,7 @@
|
||||
language: go
|
||||
go:
|
||||
- 1.7.5
|
||||
- 1.8
|
||||
- 1.8.1
|
||||
script:
|
||||
- curl -s https://raw.githubusercontent.com/pote/gpm/v1.4.0/bin/gpm > gpm
|
||||
- chmod +x gpm
|
||||
|
100
README.md
100
README.md
@ -1,8 +1,6 @@
|
||||
oauth2_proxy
|
||||
=================
|
||||
|
||||
<small>(This project was renamed from Google Auth Proxy - May 2015)</small>
|
||||
|
||||
A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others)
|
||||
to validate accounts by email, domain or group.
|
||||
|
||||
@ -17,7 +15,7 @@ to validate accounts by email, domain or group.
|
||||
|
||||
## Installation
|
||||
|
||||
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v2.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
||||
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v2.2`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
||||
2. Select a Provider and Register an OAuth Application with a Provider
|
||||
3. Configure OAuth2 Proxy using config file, command line options, or environment variables
|
||||
4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
|
||||
@ -159,54 +157,56 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
|
||||
|
||||
```
|
||||
Usage of oauth2_proxy:
|
||||
-approval-prompt="force": Oauth approval_prompt
|
||||
-authenticated-emails-file="": authenticate against emails via file (one per line)
|
||||
-azure-tenant="common": go to a tenant-specific or common (tenant-independent) endpoint.
|
||||
-basic-auth-password="": the password to set when passing the HTTP Basic Auth header
|
||||
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
||||
-client-secret="": the OAuth Client Secret
|
||||
-config="": path to config file
|
||||
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
||||
-cookie-expire=168h0m0s: expire timeframe for cookie
|
||||
-cookie-httponly=true: set HttpOnly cookie flag
|
||||
-cookie-name="_oauth2_proxy": the name of the cookie that the oauth_proxy creates
|
||||
-cookie-refresh=0: refresh the cookie after this duration; 0 to disable
|
||||
-cookie-secret="": the seed string for secure cookies
|
||||
-cookie-secure=true: set secure (HTTPS) cookie flag
|
||||
-custom-templates-dir="": path to custom html templates
|
||||
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
|
||||
-email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||
-github-org="": restrict logins to members of this organisation
|
||||
-github-team="": restrict logins to members of this team
|
||||
-google-admin-email="": the google admin to impersonate for api calls
|
||||
-google-group=: restrict logins to members of this google group (may be given multiple times).
|
||||
-google-service-account-json="": the path to the service account json credentials
|
||||
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
||||
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
|
||||
-https-address=":443": <addr>:<port> to listen on for HTTPS clients
|
||||
-login-url="": Authentication endpoint
|
||||
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
|
||||
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
|
||||
-pass-user-headers=true: pass X-Forwarded-User and X-Forwarded-Email information to upstream
|
||||
-pass-host-header=true: pass the request Host Header to upstream
|
||||
-profile-url="": Profile access endpoint
|
||||
-provider="google": OAuth provider
|
||||
-proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)
|
||||
-redeem-url="": Token redemption endpoint
|
||||
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
|
||||
-resource="": the resource that is being protected. ie: "https://graph.windows.net". Currently only used in the Azure provider.
|
||||
-request-logging=true: Log requests to stdout
|
||||
-scope="": Oauth scope specification
|
||||
-signature-key="": GAP-Signature request signature key (algorithm:secretkey)
|
||||
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
|
||||
-skip-auth-preflight=false: bypass authentication for OPTIONAL requests so preflight requests could succeed when using CORS
|
||||
-skip-provider-button=false: will skip sign-in-page to directly reach the next step: oauth/start
|
||||
-approval-prompt string: OAuth approval_prompt (default "force")
|
||||
-authenticated-emails-file string: authenticate against emails via file (one per line)
|
||||
-azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common")
|
||||
-basic-auth-password string: the password to set when passing the HTTP Basic Auth header
|
||||
-client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
||||
-client-secret string: the OAuth Client Secret
|
||||
-config string: path to config file
|
||||
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
||||
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
|
||||
-cookie-httponly: set HttpOnly cookie flag (default true)
|
||||
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
|
||||
-cookie-refresh duration: refresh the cookie after this duration; 0 to disable
|
||||
-cookie-secret string: the seed string for secure cookies (optionally base64 encoded)
|
||||
-cookie-secure: set secure (HTTPS) cookie flag (default true)
|
||||
-custom-templates-dir string: path to custom html templates
|
||||
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
|
||||
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||
-footer string: custom footer string. Use "-" to disable default footer.
|
||||
-github-org string: restrict logins to members of this organisation
|
||||
-github-team string: restrict logins to members of this team
|
||||
-google-admin-email string: the google admin to impersonate for api calls
|
||||
-google-group value: restrict logins to members of this google group (may be given multiple times).
|
||||
-google-service-account-json string: the path to the service account json credentials
|
||||
-htpasswd-file string: additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
||||
-http-address string: [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
|
||||
-https-address string: <addr>:<port> to listen on for HTTPS clients (default ":443")
|
||||
-login-url string: Authentication endpoint
|
||||
-pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
|
||||
-pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
|
||||
-pass-host-header: pass the request Host Header to upstream (default true)
|
||||
-pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
|
||||
-profile-url string: Profile access endpoint
|
||||
-provider string: OAuth provider (default "google")
|
||||
-proxy-prefix string: the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth2")
|
||||
-redeem-url string: Token redemption endpoint
|
||||
-redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
|
||||
-request-logging: Log requests to stdout (default true)
|
||||
-resource string: The resource that is protected (Azure AD only)
|
||||
-scope string: OAuth scope specification
|
||||
-set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
|
||||
-signature-key string: GAP-Signature request signature key (algorithm:secretkey)
|
||||
-skip-auth-preflight: will skip authentication for OPTIONS requests
|
||||
-skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
|
||||
-skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
|
||||
-ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
|
||||
-tls-cert="": path to certificate file
|
||||
-tls-key="": path to private key file
|
||||
-upstream=: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
|
||||
-validate-url="": Access token validation endpoint
|
||||
-version=false: print version string
|
||||
-tls-cert string: path to certificate file
|
||||
-tls-key string: path to private key file
|
||||
-upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
|
||||
-validate-url string: Access token validation endpoint
|
||||
-version: print version string
|
||||
```
|
||||
|
||||
See below for provider specific options
|
||||
|
@ -1,3 +1,3 @@
|
||||
package main
|
||||
|
||||
const VERSION = "2.2.0-alpha"
|
||||
const VERSION = "2.2.0"
|
||||
|
Loading…
Reference in New Issue
Block a user