Fork https://github.com/pusher/oauth2_proxy.git Adding gitea provider
Go to file
2015-09-09 02:10:32 -07:00
api SessionState refactoring; improve token renewal and cookie refresh 2015-07-02 23:09:11 -04:00
contrib cookie refresh: validation fixes, interval changes 2015-06-23 07:51:00 -04:00
cookie SessionState refactoring; improve token renewal and cookie refresh 2015-07-02 23:09:11 -04:00
providers google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
.gitignore Project Rename -> oauth2_proxy 2015-05-21 02:55:04 -04:00
.travis.yml v2.0 & cleanup changes 2015-06-12 13:07:26 -04:00
dist.sh v2.0 & cleanup changes 2015-06-12 13:07:26 -04:00
env_options_test.go test/fix environment var parsing 2014-11-14 23:15:27 -05:00
env_options.go test/fix environment var parsing 2014-11-14 23:15:27 -05:00
Godeps google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
htpasswd_test.go testing 2012-12-17 13:38:33 -05:00
htpasswd.go Reload authenticated-emails-file upon update 2015-05-12 10:39:18 -04:00
http.go support TLS directly 2015-06-07 23:14:48 -04:00
LICENSE add MIT license for google_auth_proxy 2014-06-09 16:25:26 -04:00
logging_handler.go improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
main.go google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
oauthproxy_test.go Add support for setting the basic auth password. 2015-07-24 09:17:43 +00:00
oauthproxy.go google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
options_test.go google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
options.go google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
README.md google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
string_array.go Add config file support 2014-11-09 20:33:12 -05:00
templates_test.go Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 14:38:57 -06:00
templates.go Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
test.sh release scripts 2014-11-09 21:48:09 -05:00
validator_test.go Ensure watcher tests don't block during shutdown 2015-05-13 18:48:39 -04:00
validator_watcher_copy_test.go Fix unsupported WatchForUpdates and build tags 2015-05-30 13:44:18 -04:00
validator_watcher_test.go Fix unsupported WatchForUpdates and build tags 2015-05-30 13:44:18 -04:00
validator.go More robust handling for missing email 2015-07-24 16:26:40 -04:00
version.go tag v2.0.1 2015-07-02 23:29:25 -04:00
watcher_unsupported.go Fix validator_test hang on Solaris, Plan 9 2015-05-30 22:11:02 -04:00
watcher.go Fix validator_test hang on Solaris, Plan 9 2015-05-30 22:11:02 -04:00

oauth2_proxy

(This project was renamed from Google Auth Proxy - May 2015)

A reverse proxy that provides authentication using Providers (Google, Github, and others) to validate accounts by email, domain or group.

Build Status

Sign In Page

Architecture

OAuth2 Proxy Architecture

Installation

  1. Download Prebuilt Binary (current release is v2.0.1) or build with $ go get github.com/bitly/oauth2_proxy which will put the binary in $GOROOT/bin
  2. Select a Provider and Register an OAuth Application with a Provider
  3. Configure OAuth2 Proxy using config file, command line options, or environment variables
  4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)

OAuth Provider Configuration

You will need to register an OAuth application with a Provider (Google, Github or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2_proxy on.

Valid providers are :

The provider can be selected using the provider configuration value.

Google Auth Provider

For Google, the registration steps are:

  1. Create a new project: https://console.developers.google.com/project
  2. Under "APIs & Auth", choose "Credentials"
  3. Now, choose "Create new Client ID"
    • The Application Type should be Web application and click Configure Consent Screen
    • Fill out the appropriate details on the Consent Screen page and hit Save
    • On the next screen, leaving Web Application checked, enter your domain in the Authorized Javascript Origins https://internal.yourcompany.com
    • Enter the correct Authorized Redirect URL https://internal.yourcompany.com/oauth2/callback
      • NOTE: oauth2_proxy will only callback on the path /oauth2/callback
  4. Take note of the Client ID and Client Secret

It's recommended to refresh sessions on a short interval (1h) with cookie-refresh setting which validates that the account is still authorized.

Restrict auth to specific Google groups on your domain. (optional)

  1. Create a service account: https://developers.google.com/identity/protocols/OAuth2ServiceAccount and make sure to download the json file.
  2. Make note of the Client ID for a future step.
  3. Under "APIs & Auth", choose APIs.
  4. Click on Admin SDK and then Enable API.
  5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account and give the client id from step 2 the following oauth scopes:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
  1. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access.
  2. Create or choose an existing administrative email address on the Gmail domain to assign to the google-admin-email flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from step 5 for the reason why.
  3. Create or choose an existing email group and set that email to the google-group flag. You can pass multiple instances of this flag with different groups and the user will be checked against all the provided groups.
  4. Lock down the permissions on the json file downloaded from step 1 so only oauth2_proxy is able to read the file and set the path to the file in the google-service-account-json flag.
  5. Restart oauth2_proxy.

Note: The user is checked against the group members list on initial authentication and every time the token is refreshed ( about once an hour ).

GitHub Auth Provider

  1. Create a new project: https://github.com/settings/developers
  2. Under Authorization callback URL enter the correct url ie https://internal.yourcompany.com/oauth2/callback

The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with --email-domain=*

-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of this team

LinkedIn Auth Provider

For LinkedIn, the registration steps are:

  1. Create a new project: https://www.linkedin.com/secure/developer
  2. In the OAuth User Agreement section:
    • In default scope, select r_basicprofile and r_emailaddress.
    • In "OAuth 2.0 Redirect URLs", enter https://internal.yourcompany.com/oauth2/callback
  3. Fill in the remaining required fields and Save.
  4. Take note of the Consumer Key / API Key and Consumer Secret / Secret Key

MyUSA Auth Provider

The MyUSA authentication service (GitHub)

Email Authentication

To authorize by email domain use --email-domain=yourcompany.com. To authorize individual email addresses use --authenticated-emails-file=/path/to/file with one email per line. To authorize all email addresse use --email-domain=*.

Configuration

oauth2_proxy can be configured via config file, command line options or environment variables.

Config File

An example oauth2_proxy.cfg config file is in the contrib directory. It can be used by specifying -config=/etc/oauth2_proxy.cfg

Command Line Options

Usage of oauth2_proxy:
  -approval_prompt="force": Oauth approval_prompt
  -authenticated-emails-file="": authenticate against emails via file (one per line)
  -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
  -client-secret="": the OAuth Client Secret
  -config="": path to config file
  -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
  -cookie-expire=168h0m0s: expire timeframe for cookie
  -cookie-httponly=true: set HttpOnly cookie flag
  -cookie-key="_oauth2_proxy": the name of the cookie that the oauth_proxy creates
  -cookie-refresh=0: refresh the cookie after this duration; 0 to disable
  -cookie-secret="": the seed string for secure cookies
  -cookie-secure=true: set secure (HTTPS) cookie flag
  -custom-templates-dir="": path to custom html templates
  -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
  -email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
  -github-org="": restrict logins to members of this organisation
  -github-team="": restrict logins to members of this team
  -google-group="": restrict logins to members of this google group
  -google-admin-email="": the google admin to impersonate for api calls
  -google-service-account-json="": the path to the service account json credentials

  -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
  -http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
  -https-address=":443": <addr>:<port> to listen on for HTTPS clients
  -login-url="": Authentication endpoint
  -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
  -basic-auth-password="": the password to set when passing the HTTP Basic Auth header
  -pass-host-header=true: pass the request Host Header to upstream
  -profile-url="": Profile access endpoint
  -provider="google": OAuth provider
  -proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)
  -redeem-url="": Token redemption endpoint
  -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
  -request-logging=true: Log requests to stdout
  -scope="": Oauth scope specification
  -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
  -tls-cert="": path to certificate file
  -tls-key="": path to private key file
  -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
  -validate-url="": Access token validation endpoint
  -version=false: print version string

See below for provider specific options

Environment variables

The environment variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_COOKIE_DOMAIN and OAUTH2_PROXY_COOKIE_EXPIRE can be used in place of the corresponding command-line arguments.

SSL Configuration

There are two recommended configurations.

  1. Configure SSL Terminiation with OAuth2 Proxy by providing a --tls-cert=/path/to/cert.pem and --tls-key=/path/to/cert.key.

The command line to run oauth2_proxy in this configuration would look like this:

./oauth2_proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --tls-cert=/path/to/cert.pem \
   --tls-key=/path/to/cert.key \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --client-id=... \
   --client-secret=...
  1. Configure SSL Termination with Nginx (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....

Because oauth2_proxy listens on 127.0.0.1:4180 by default, to listen on all interfaces (needed when using an external load balancer like Amazon ELB or Google Platform Load Balancing) use --http-address="0.0.0.0:4180" or --http-address="http://:4180".

Nginx will listen on port 443 and handle SSL connections while proxying to oauth2_proxy on port 4180. oauth2_proxy will then authenticate requests for an upstream application. The external endpoint for this example would be https://internal.yourcompany.com/.

An example Nginx config follows. Note the use of Strict-Transport-Security header to pin requests to SSL via HSTS:

server {
    listen 443 default ssl;
    server_name internal.yourcompany.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The command line to run oauth2_proxy in this configuration would look like this:

./oauth2_proxy \
   --email-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
   --cookie-secure=true \
   --provider=... \
   --client-id=... \
   --client-secret=...

Endpoint Documentation

OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The /oauth2 prefix can be changed with the --proxy-prefix config variable.

  • /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
  • /ping - returns an 200 OK response
  • /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
  • /oauth2/start - a URL that will redirect to start the OAuth cycle
  • /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.

Logging Format

OAuth2 Proxy logs requests to stdout in a format similar to Apache Combined Log.

<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>

Adding a new Provider

Follow the examples in the providers package to define a new Provider instance. Add a new case to providers.New() to allow oauth2_proxy to use the new Provider.