api | ||
contrib | ||
providers | ||
.gitignore | ||
.travis.yml | ||
cookies_test.go | ||
cookies.go | ||
dist.sh | ||
env_options_test.go | ||
env_options.go | ||
Godeps | ||
htpasswd_test.go | ||
htpasswd.go | ||
LICENSE | ||
logging_handler.go | ||
main.go | ||
oauthproxy_test.go | ||
oauthproxy.go | ||
options_test.go | ||
options.go | ||
README.md | ||
string_array.go | ||
templates_test.go | ||
templates.go | ||
test.sh | ||
validator_test.go | ||
validator_watcher_copy_test.go | ||
validator_watcher_test.go | ||
validator.go | ||
version.go | ||
watcher_unsupported.go | ||
watcher.go |
oauth2_proxy
(This project was renamed from Google Auth Proxy - May 2015)
A reverse proxy that provides authentication using Providers (Google, Github, and others) to validate accounts by email, domain or group.
Architecture
Installation
- Download Prebuilt Binary (current release is
v1.1.1
) or build with$ go get github.com/bitly/oauth2_proxy
which will put the binary in$GOROOT/bin
- Register an OAuth Application with a Provider
- Configure Oauth2 Proxy using config file, command line options, or environment variables
- Deploy behind a SSL endpoint (example provided for Nginx)
OAuth Provider Configuration
You will need to register an OAuth application with a Provider (Google, Github or another provider), and configure it with Redirect URI(s) for the domain you intend to run oauth2_proxy
on.
Valid providers are :
The provider can be selected using the provider
configuration value.
Google Auth Provider
For Google, the registration steps are:
- Create a new project: https://console.developers.google.com/project
- Under "APIs & Auth", choose "Credentials"
- Now, choose "Create new Client ID"
- The Application Type should be Web application
- Enter your domain in the Authorized Javascript Origins
https://internal.yourcompany.com
- Enter the correct Authorized Redirect URL
https://internal.yourcompany.com/oauth2/callback
- NOTE:
oauth2_proxy
will only callback on the path/oauth2/callback
- NOTE:
- Under "APIs & Auth" choose "Consent Screen"
- Fill in the necessary fields and Save (this is required)
- Take note of the Client ID and Client Secret
GitHub Auth Provider
- Create a new project: https://github.com/settings/developers
- Under
Authorization callback URL
enter the correct url iehttps://internal.yourcompany.com/oauth2/callback
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access.
-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of this team
LinkedIn Auth Provider
For LinkedIn, the registration steps are:
- Create a new project: https://www.linkedin.com/secure/developer
- In the OAuth User Agreement section:
- In default scope, select r_basicprofile and r_emailaddress.
- In "OAuth 2.0 Redirect URLs", enter
https://internal.yourcompany.com/oauth2/callback
- Fill in the remaining required fields and Save.
- Take note of the Consumer Key / API Key and Consumer Secret / Secret Key
MyUSA Auth Provider
The MyUSA authentication service (GitHub)
Configuration
oauth2_proxy
can be configured via config file, command line options or environment variables.
Config File
An example oauth2_proxy.cfg config file is in the contrib directory. It can be used by specifying -config=/etc/oauth2_proxy.cfg
Command Line Options
Usage of oauth2_proxy:
-authenticated-emails-file="": authenticate against emails via file (one per line)
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the Client Secret
-config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie flag
-cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
-cookie-refresh=0: refresh the cookie when less than this much time remains before expiration; 0 to disable
-cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
-login-url="": Authentication endpoint
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
-pass-host-header=true: pass the request Host Header to upstream
-profile-url="": Profile access endpoint
-provider="": Oauth provider (defaults to Google)
-redeem-url="": Token redemption endpoint
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-request-logging=true: Log requests to stdout
-scope="": Oauth scope specification
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-validate-url="": Access token validation endpoint
-version=false: print version string
See below for provider specific options
Environment variables
The environment variables OAUTH2_PROXY_CLIENT_ID
, OAUTH2_PROXY_CLIENT_SECRET
, OAUTH2_PROXY_COOKIE_SECRET
, OAUTH2_PROXY_COOKIE_DOMAIN
and OAUTH2_PROXY_COOKIE_EXPIRE
can be used in place of the corresponding command-line arguments.
Example Nginx Configuration
This example has a Nginx SSL endpoint proxying to oauth2_proxy
on port 4180
.
oauth2_proxy
then authenticates requests for an upstream application running on port 8080
. The external
endpoint for this example would be https://internal.yourcompany.com/
.
An example Nginx config follows. Note the use of Strict-Transport-Security
header to pin requests to SSL
via HSTS:
server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=1209600;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}
The command line to run oauth2_proxy
would look like this:
./oauth2_proxy \
--google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--client-id=... \
--client-secret=...
Endpoint Documentation
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
- /ping - returns an 200 OK response
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
- /oauth2/start - a URL that will redirect to start the OAuth cycle
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this ass the callback url.
Logging Format
OAuth2 Proxy Proxy logs requests to stdout in a format similar to Apache Combined Log.
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
Adding a new Provider
Follow the examples in the providers
package to define a new
Provider
instance. Add a new case
to
providers.New()
to allow oauth2_proxy
to use the
new Provider
.