This project demonstrates a protected API using OAuth2 Proxy with support for both OAuth2 providers and basic authentication.
Basic authentication (htpasswd file):
- Using apache2-utils from the httpd image. The `oauth2-proxy` directory is mounted into the container so the file is written on the host rather than inside the throwaway container; `-B` selects bcrypt, the hash format oauth2-proxy accepts for htpasswd entries:

```bash
docker run --rm -v "$(pwd)/oauth2-proxy:/data" httpd:2.4-alpine \
  htpasswd -cbB /data/htpasswd username password
```

- Add more users (without the `-c` flag, which would recreate the file and drop the existing entries):

```bash
docker run --rm -v "$(pwd)/oauth2-proxy:/data" httpd:2.4-alpine \
  htpasswd -bB /data/htpasswd newuser password
```

Note that `-b` puts the password on the command line, where it lands in shell history; `htpasswd -i` reads it from stdin instead.
GitHub:
- Register a new OAuth application at GitHub
- Add to docker-compose.yaml under the oauth2-proxy service's `environment`:

```yaml
- OAUTH2_PROXY_PROVIDER=github
- OAUTH2_PROXY_CLIENT_ID=your-github-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-github-client-secret
- OAUTH2_PROXY_GITHUB_ORG=your-org-name   # Optional: restrict to a specific org
- OAUTH2_PROXY_GITHUB_TEAM=your-team-name # Optional: restrict to a specific team
```

Azure AD:
- Register an application in Azure AD
- Add to docker-compose.yaml:

```yaml
- OAUTH2_PROXY_PROVIDER=azure
- OAUTH2_PROXY_CLIENT_ID=your-azure-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-azure-client-secret
- OAUTH2_PROXY_AZURE_TENANT=your-tenant-id
```

Facebook:
- Create a Facebook application
- Add to docker-compose.yaml:

```yaml
- OAUTH2_PROXY_PROVIDER=facebook
- OAUTH2_PROXY_CLIENT_ID=your-facebook-app-id
- OAUTH2_PROXY_CLIENT_SECRET=your-facebook-app-secret
```

OpenID Connect:
For any OpenID Connect provider (like Okta, Auth0, etc.):

```yaml
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_CLIENT_ID=your-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
- OAUTH2_PROXY_OIDC_ISSUER_URL=https://your-provider # Issuer URL only; the proxy appends /.well-known/openid-configuration itself
```

The issuer URL must match the `issuer` value published in the provider's discovery document exactly (including any trailing slash); if it does not, oauth2-proxy refuses to start. Do not paste the discovery document URL itself into this variable.
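The issuer-matching rule above is easy to get wrong, so here is an added example (not part of this project) that checks a candidate `OAUTH2_PROXY_OIDC_ISSUER_URL` value the way the proxy's OIDC discovery will: it strips a mistakenly appended discovery path, derives the discovery URL, and compares the configured issuer against the `issuer` field of a discovery document. The discovery document in the block is a constructed sample, not one served by any real provider.

```python
"""Sanity-check an OAUTH2_PROXY_OIDC_ISSUER_URL value before handing it to oauth2-proxy.

Added example, not part of the project. SAMPLE_DISCOVERY is a constructed
stand-in for the JSON a real provider serves at /.well-known/openid-configuration.
"""
from typing import Dict, List

WELL_KNOWN = "/.well-known/openid-configuration"


def issuer_from_config(value: str) -> str:
    """Strip a mistakenly appended discovery path; keep everything else exactly.

    A trailing slash is deliberately preserved: some providers publish
    'https://tenant.example/' as their issuer and the comparison must be exact.
    """
    value = value.strip()
    if value.endswith(WELL_KNOWN):
        value = value[: -len(WELL_KNOWN)]
    return value


def discovery_url(issuer: str) -> str:
    """Where the proxy fetches the discovery document: issuer + well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(configured: str, document: Dict[str, str]) -> List[str]:
    """Return the problems that would make the proxy fail or be unsafe; empty means OK."""
    issuer = issuer_from_config(configured)
    problems: List[str] = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https; discovery and tokens would travel in cleartext")
    published = document.get("issuer")
    if published != issuer:
        hint = ""
        if published is not None and published.rstrip("/") == issuer.rstrip("/"):
            hint = " (differs only by a trailing slash; copy the published value verbatim)"
        problems.append(f"configured issuer {issuer!r} != published issuer {published!r}{hint}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not document.get(key):
            problems.append(f"discovery document lacks {key}")
    return problems


# Constructed sample discovery document (not from any real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
}

if __name__ == "__main__":
    for candidate in (
        "https://idp.example.test/",
        "https://idp.example.test/.well-known/openid-configuration",
        "https://idp.example.test",
        "http://idp.example.test/",
    ):
        print(candidate, "->", check_discovery(candidate, SAMPLE_DISCOVERY) or "OK")
```

To use it against a real provider, fetch `discovery_url(issuer)` with any HTTP client, parse the JSON, and pass the result as `document`; an empty list means the value is safe to put into the compose file.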
Provider-side configuration (the redirect URI for every provider in this setup is `http://localhost/oauth2/callback`):

Google:
- Configure in Google Cloud Console -> APIs & Services -> Credentials
- Add authorized redirect URI: `http://localhost/oauth2/callback`
- Enable necessary APIs (Google+ API for older versions)

GitHub:
- Add callback URL: `http://localhost/oauth2/callback`
- Scope needs `user:email` at minimum

Azure AD:
- Add redirect URI: `http://localhost/oauth2/callback`
- Required permissions: `email`, `profile`

Facebook:
- Add OAuth redirect URI: `http://localhost/oauth2/callback`
- Required permissions: `email`
Additional environment variables for oauth2-proxy (the two `OAUTH2_PROXY_EMAIL_DOMAINS` lines are alternatives; keep only one):

```yaml
# Email domain restrictions
- OAUTH2_PROXY_EMAIL_DOMAINS=*                       # Allow all emails
- OAUTH2_PROXY_EMAIL_DOMAINS=example.com,another.com # Restrict to specific domains

# Authentication settings
- OAUTH2_PROXY_COOKIE_SECURE=true         # For HTTPS; the session cookie is then never sent over plain HTTP
- OAUTH2_PROXY_COOKIE_EXPIRE=168h         # Cookie expiry time
- OAUTH2_PROXY_SESSION_STORE_TYPE=cookie  # or 'redis' for a distributed setup

# Headers passed to upstream
- OAUTH2_PROXY_PASS_USER_HEADERS=true     # X-Forwarded-User / X-Forwarded-Email on upstream requests
- OAUTH2_PROXY_PASS_ACCESS_TOKEN=true     # X-Forwarded-Access-Token; the upstream then holds the provider token
- OAUTH2_PROXY_SET_XAUTHREQUEST=true      # X-Auth-Request-* headers on responses, for nginx auth_request setups
```

The upstream must trust these headers only when the request actually came through the proxy: if the upstream is reachable directly, a client can set `X-Forwarded-User` itself. Keep the upstream on a network that only the proxy can reach.
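The header settings above are only half of the picture; the upstream has to consume them correctly. The following is an added example (not part of this project) of how an upstream service should build the caller's identity from the headers oauth2-proxy sets: it accepts them only from the proxy's address, requires both user and email, re-checks the email domain as defence in depth, and treats the forwarded access token as a secret. The proxy address, the allowed-domain list and the sample request are assumptions constructed for the example.

```python
"""Consume oauth2-proxy identity headers safely in an upstream service.

Added example, not part of the project. The header names are the ones
oauth2-proxy sets with PASS_USER_HEADERS / PASS_ACCESS_TOKEN / SET_XAUTHREQUEST;
the proxy address, domain list and sample request below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


class Unauthenticated(Exception):
    """Raised when a request carries no trustworthy identity."""


@dataclass(frozen=True)
class Identity:
    user: str
    email: str
    access_token: Optional[str]


def identity_from_request(
    headers: Mapping[str, str],
    peer_ip: str,
    trusted_proxies: Iterable[str],
    allowed_domains: Iterable[str],
) -> Identity:
    """Build the caller's identity from proxy-set headers, refusing anything not from the proxy."""
    # 1. The headers are only meaningful if the request traversed the proxy. A client that
    #    can reach the upstream directly could set X-Forwarded-User itself, so the upstream
    #    accepts identity headers only from the proxy's address (network isolation does the rest).
    if peer_ip not in set(trusted_proxies):
        raise Unauthenticated(f"request from {peer_ip} did not come via oauth2-proxy")

    h = {k.lower(): v for k, v in headers.items()}
    # PASS_USER_HEADERS sets X-Forwarded-User/-Email on the upstream request.
    # SET_XAUTHREQUEST sets X-Auth-Request-* on the auth response; nginx auth_request
    # setups copy those onto the upstream request, so both spellings are honoured.
    user = h.get("x-forwarded-user") or h.get("x-auth-request-user")
    email = h.get("x-forwarded-email") or h.get("x-auth-request-email")
    if not user or not email:
        raise Unauthenticated("identity headers missing; request was not authenticated by the proxy")

    # 2. Defence in depth: re-check the email domain even though the proxy enforces
    #    OAUTH2_PROXY_EMAIL_DOMAINS, so a '*' left in the proxy config does not silently widen access.
    domains = {d.lower() for d in allowed_domains}
    domain = email.rpartition("@")[2].lower()
    if "*" not in domains and domain not in domains:
        raise Unauthenticated(f"email domain {domain!r} is not allowed")

    # PASS_ACCESS_TOKEN forwards the provider's token; it is a credential, never log it.
    token = h.get("x-forwarded-access-token") or h.get("x-auth-request-access-token")
    return Identity(user=user, email=email, access_token=token)


# Constructed sample: what a request relayed by the proxy looks like to the upstream.
PROXY_ADDRESSES = ["172.18.0.2"]           # assumption: the proxy container's address
ALLOWED_DOMAINS = ["example.com"]          # assumption: mirrors OAUTH2_PROXY_EMAIL_DOMAINS
SAMPLE_HEADERS = {
    "X-Forwarded-User": "alice",
    "X-Forwarded-Email": "alice@example.com",
    "X-Forwarded-Access-Token": "constructed-token-value",
}

if __name__ == "__main__":
    who = identity_from_request(SAMPLE_HEADERS, "172.18.0.2", PROXY_ADDRESSES, ALLOWED_DOMAINS)
    print("authenticated as", who.user, who.email)
    try:
        identity_from_request(SAMPLE_HEADERS, "10.0.0.9", PROXY_ADDRESSES, ALLOWED_DOMAINS)
    except Unauthenticated as exc:
        print("rejected:", exc)
```

In a real service the `peer_ip` comes from the socket (or from the proxy's own address as seen by the web framework), never from an `X-Forwarded-For` header, which is just as forgeable as the identity headers it is meant to protect.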
Security notes:
- In production:
  - Use HTTPS (set `OAUTH2_PROXY_COOKIE_SECURE=true`)
  - Set appropriate email domain restrictions
  - Consider rate limiting
  - Review and restrict scopes to the minimum required
- Keep credentials secure:
  - Use secrets management in production
  - Rotate client secrets periodically
  - Monitor for unauthorized access
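Several items on this checklist can be checked mechanically against the `environment` block of docker-compose.yaml. The following is an added example (not part of this project) that parses the `- OAUTH2_PROXY_*=value` lines used throughout this README and reports the settings the checklist warns about: a non-secure cookie, a wildcard or missing email-domain restriction, the provider access token being forwarded upstream, and a client secret written literally into the compose file instead of being injected from secrets management. The two sample blocks are constructed from the values shown on this page.

```python
"""Lint the oauth2-proxy environment block of a docker-compose.yaml.

Added example, not part of the project. The two sample blocks are constructed
from the variable names and values shown in this README.
"""
import re
from typing import Dict, List

# Matches compose list-style env lines such as "  - OAUTH2_PROXY_X=value # comment".
ENV_LINE = re.compile(r"^\s*-\s*(OAUTH2_PROXY_[A-Z0-9_]+)=([^#]*?)\s*(?:#.*)?$")


def parse_env_block(text: str) -> Dict[str, str]:
    """Collect OAUTH2_PROXY_* assignments; a later line overrides an earlier one."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        match = ENV_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip()
    return env


def lint(env: Dict[str, str]) -> List[str]:
    """Return checklist violations found in the parsed environment; empty means clean."""
    findings: List[str] = []
    if env.get("OAUTH2_PROXY_COOKIE_SECURE", "").lower() != "true":
        findings.append("COOKIE_SECURE is not true: the session cookie may be sent over plain HTTP")
    domains = env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "")
    if not domains:
        findings.append("EMAIL_DOMAINS is unset: no email domain restriction is applied")
    elif "*" in domains.split(","):
        findings.append("EMAIL_DOMAINS allows all emails (*): restrict to specific domains")
    if env.get("OAUTH2_PROXY_PASS_ACCESS_TOKEN", "").lower() == "true":
        findings.append("PASS_ACCESS_TOKEN is true: the provider token reaches the upstream; confirm it is needed")
    secret = env.get("OAUTH2_PROXY_CLIENT_SECRET", "")
    if secret and not secret.startswith("${"):
        # A "${VAR}" reference is filled in at deploy time; anything else is a literal in the file.
        findings.append("CLIENT_SECRET is written literally into the compose file: inject it from secrets management")
    return findings


# Constructed sample: the placeholders from this README left in place.
SAMPLE_INSECURE = """
    environment:
      - OAUTH2_PROXY_PROVIDER=github
      - OAUTH2_PROXY_CLIENT_ID=your-github-client-id
      - OAUTH2_PROXY_CLIENT_SECRET=your-github-client-secret
      - OAUTH2_PROXY_EMAIL_DOMAINS=* # Allow all emails
      - OAUTH2_PROXY_COOKIE_SECURE=false
      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
"""

# Constructed sample: the same block after applying the checklist.
SAMPLE_HARDENED = """
    environment:
      - OAUTH2_PROXY_PROVIDER=github
      - OAUTH2_PROXY_CLIENT_ID=${GITHUB_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
      - OAUTH2_PROXY_EMAIL_DOMAINS=example.com,another.com # Restrict to specific domains
      - OAUTH2_PROXY_COOKIE_SECURE=true # For HTTPS
      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=false
"""

if __name__ == "__main__":
    for name, block in (("insecure", SAMPLE_INSECURE), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}:")
        for finding in lint(parse_env_block(block)) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with `lint(parse_env_block(open("docker-compose.yaml").read()))`; it only looks at `OAUTH2_PROXY_*` list entries, so other services in the same file are ignored.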