simel0/auth_proxy_nginx

OAuth2 Proxy with Multiple Authentication Methods

This project demonstrates a protected API using OAuth2 Proxy with support for both OAuth2 providers and basic authentication.

Adding Basic Auth Users

  1. Create the file with htpasswd (from apache2-utils; here it is run from the httpd Docker image). The host directory that will hold the file must be mounted into the container, otherwise the file is written inside the throwaway container and lost when it exits:

```bash
docker run --rm -v "$PWD/oauth2-proxy:/data" httpd:2.4-alpine \
  htpasswd -cbB /data/htpasswd username password
```

  2. Add more users (without the -c flag, which would recreate the file and drop existing users):

```bash
docker run --rm -v "$PWD/oauth2-proxy:/data" httpd:2.4-alpine \
  htpasswd -bB /data/htpasswd newuser password
```

-B stores bcrypt hashes; -b takes the password from the command line, omit it to be prompted instead.

Adding OAuth Providers

1. GitHub OAuth

  1. Register a new OAuth application at GitHub
  2. Add to docker-compose.yaml under the oauth2-proxy environment:

```yaml
- OAUTH2_PROXY_PROVIDER=github
- OAUTH2_PROXY_CLIENT_ID=your-github-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-github-client-secret
- OAUTH2_PROXY_GITHUB_ORG=your-org-name   # Optional: restrict to a specific org
- OAUTH2_PROXY_GITHUB_TEAM=your-team-name # Optional: restrict to a specific team
```

2. Azure AD OAuth

  1. Register an application in Azure AD
  2. Add to docker-compose.yaml:

```yaml
- OAUTH2_PROXY_PROVIDER=azure
- OAUTH2_PROXY_CLIENT_ID=your-azure-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-azure-client-secret
- OAUTH2_PROXY_AZURE_TENANT=your-tenant-id
```

3. Facebook OAuth

  1. Create a Facebook application
  2. Add to docker-compose.yaml:

```yaml
- OAUTH2_PROXY_PROVIDER=facebook
- OAUTH2_PROXY_CLIENT_ID=your-facebook-app-id
- OAUTH2_PROXY_CLIENT_SECRET=your-facebook-app-secret
```

4. Generic OIDC Provider

For any OpenID Connect provider (such as Okta or Auth0):

```yaml
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_CLIENT_ID=your-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
# The bare issuer URL: oauth2-proxy appends /.well-known/openid-configuration
# itself and also checks it against the iss claim in the ID token
- OAUTH2_PROXY_OIDC_ISSUER_URL=https://your-provider
```

Provider-Specific Notes

Google OAuth

  • Configure in Google Cloud Console -> APIs & Services -> Credentials
  • Add authorized redirect URI: http://localhost/oauth2/callback
  • Enable necessary APIs (Google+ API for older versions)

GitHub OAuth

  • Add callback URL: http://localhost/oauth2/callback
  • Required scope: user:email at minimum

Azure AD

  • Add redirect URI: http://localhost/oauth2/callback
  • Required permissions: email, profile

Facebook

  • Add OAuth redirect URI: http://localhost/oauth2/callback
  • Required permissions: email

Common Configuration Options

Additional environment variables for oauth2-proxy:

```yaml
# Email domain restrictions (use one of the two)
- OAUTH2_PROXY_EMAIL_DOMAINS=*                       # Allow any email address
- OAUTH2_PROXY_EMAIL_DOMAINS=example.com,another.com # Restrict to specific domains

# Authentication settings
- OAUTH2_PROXY_COOKIE_SECURE=true        # For HTTPS
- OAUTH2_PROXY_COOKIE_EXPIRE=168h        # Cookie expiry time
- OAUTH2_PROXY_SESSION_STORE_TYPE=cookie # or 'redis' for a distributed setup

# Headers passed to upstream
- OAUTH2_PROXY_PASS_USER_HEADERS=true
- OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
```

Security Notes

  1. In production:
     • Use HTTPS (set OAUTH2_PROXY_COOKIE_SECURE=true)
     • Set appropriate email domain restrictions
     • Consider rate limiting
     • Review and restrict scopes to the minimum required
  2. Keep credentials secure:
     • Use secrets management in production
     • Rotate client secrets periodically
     • Monitor for unauthorized access
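As an added example that is not part of this repository, a small Python audit that parses the `- KEY=VALUE # comment` environment lines used in the configuration sections above and flags the settings the security notes warn about (plus the OIDC issuer URL mistake). The sample block, the function names and the findings text are my own.

```python
import re

# Constructed sample: an oauth2-proxy environment block in the README's
# docker-compose style, deliberately containing several weak settings.
SAMPLE_ENV = """
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_CLIENT_ID=your-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
- OAUTH2_PROXY_OIDC_ISSUER_URL=https://your-provider/.well-known/openid-configuration
- OAUTH2_PROXY_EMAIL_DOMAINS=*  # Allow all emails
- OAUTH2_PROXY_COOKIE_SECURE=false
- OAUTH2_PROXY_COOKIE_EXPIRE=168h
- OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
"""

# "- KEY=VALUE" with an optional trailing "# comment"
LINE_RE = re.compile(r"^\s*-\s*(OAUTH2_PROXY_[A-Z0-9_]+)=([^#]*?)\s*(?:#.*)?$")


def parse_env(block: str) -> dict:
    """Parse the list-style environment lines into a {KEY: VALUE} dict."""
    env = {}
    for line in block.splitlines():
        m = LINE_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def audit(env: dict) -> list:
    """Return (setting, finding) pairs for settings that weaken the deployment."""
    findings = []
    if env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "") == "*":
        findings.append(("OAUTH2_PROXY_EMAIL_DOMAINS",
                         "no domain restriction: any account at the provider is accepted"))
    # oauth2-proxy defaults cookie-secure to true, so only an explicit false is a finding
    if env.get("OAUTH2_PROXY_COOKIE_SECURE", "true").lower() != "true":
        findings.append(("OAUTH2_PROXY_COOKIE_SECURE",
                         "session cookie may be sent over plain HTTP"))
    issuer = env.get("OAUTH2_PROXY_OIDC_ISSUER_URL", "")
    if issuer.rstrip("/").endswith("/.well-known/openid-configuration"):
        findings.append(("OAUTH2_PROXY_OIDC_ISSUER_URL",
                         "use the bare issuer URL; oauth2-proxy appends the discovery path itself"))
    if env.get("OAUTH2_PROXY_PASS_ACCESS_TOKEN", "false").lower() == "true":
        findings.append(("OAUTH2_PROXY_PASS_ACCESS_TOKEN",
                         "provider access token is forwarded upstream; confirm the upstream needs it"))
    return findings


if __name__ == "__main__":
    for key, msg in audit(parse_env(SAMPLE_ENV)):
        print(f"{key}: {msg}")
```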
