OAuth2-Proxy
See also
Keycloak
Article is DRAFT/TODO.
- Links
The redirect URL that the proxy exposes for OAuth is https://myhost/oauth2/callback (the /oauth2 prefix is the default proxy_prefix); it has to be registered verbatim as a Valid Redirect URI on the Keycloak client. The OAuth client, i.e. oauth2-proxy itself, listens on port 4180/tcp behind a reverse proxy, or directly on 443/tcp. Behind a reverse proxy set reverse_proxy=true so that the forwarded headers are honoured, and expose 4180 only to that proxy.
Installation
VER=7.0.0
cd /tmp
wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v$VER/oauth2-proxy-v$VER.linux-amd64.tar.gz
tar xvzf oauth2-proxy-v$VER.linux-amd64.tar.gz
mv oauth2-proxy-v$VER.linux-amd64 /opt
cd /opt
ln -s oauth2-proxy-v$VER.linux-amd64 oauth2-proxy
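The same installation as a script, as an added example (not from this page or from oauth2-proxy): the tarball is checked against the sha256sum.txt that the project attaches to each GitHub release before anything is unpacked into /opt. The checksum asset name is assumed here; confirm it on the release page. verify_release works on local files only, install_oauth2_proxy needs network access and write access to /opt.

```shell
#!/bin/sh
# Added example, not from this page or from oauth2-proxy: the install steps
# above, but the tarball is checked against the sha256sum.txt that the project
# attaches to each GitHub release before anything lands in /opt. The checksum
# asset name is assumed; confirm it on the release page.
set -eu

# verify_release DIR NAME: succeed only if DIR/sha256sum.txt carries a matching
# SHA-256 line for DIR/NAME. Only the line for NAME is fed to sha256sum, so a
# list with extra or missing entries cannot mask a mismatch.
verify_release() {
    (
        cd "$1" || exit 1
        awk -v n="$2" '$2 == n || $2 == "*" n' sha256sum.txt |
            sha256sum -c --status -
    )
}

# install_oauth2_proxy VERSION: download, verify, unpack to /opt and point the
# /opt/oauth2-proxy symlink at the new directory.
install_oauth2_proxy() {
    ver=$1
    name="oauth2-proxy-v${ver}.linux-amd64"
    base="https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v${ver}"
    tmp=$(mktemp -d)
    (cd "$tmp" && wget -q "${base}/${name}.tar.gz" "${base}/sha256sum.txt")
    if ! verify_release "$tmp" "${name}.tar.gz"; then
        echo "checksum mismatch for ${name}.tar.gz, not installing" >&2
        rm -rf "$tmp"
        return 1
    fi
    # the archive carries a top-level ${name}/ directory, as the manual mv above shows
    tar -xzf "${tmp}/${name}.tar.gz" -C /opt
    ln -sfn "/opt/${name}" /opt/oauth2-proxy
    rm -rf "$tmp"
}

# usage: install_oauth2_proxy 7.0.0
```

A mismatch aborts before tar runs, which is the point: a tarball swapped on the download path (or a stale mirror) never reaches /opt.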
Create /etc/oauth2-proxy.cfg to match the IdP in use (see the Keycloak example below). The file holds client_secret and cookie_secret, so it should be readable only by the account that runs the proxy. Start with /opt/oauth2-proxy/oauth2-proxy --config=/etc/oauth2-proxy.cfg.
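A systemd unit for that start command, as an added example (not from this page or from the oauth2-proxy project). It assumes a dedicated system user oauth2-proxy and that TLS is terminated by the reverse proxy, so the binary binds 4180 and never needs root; the commented capability lines are only needed if it binds 443 itself.

```ini
# /etc/systemd/system/oauth2-proxy.service  (added example; paths from this page)
[Unit]
Description=oauth2-proxy (OIDC authentication proxy)
After=network-online.target
Wants=network-online.target

[Service]
# assumed unprivileged account:
#   useradd --system --no-create-home --shell /usr/sbin/nologin oauth2-proxy
User=oauth2-proxy
Group=oauth2-proxy
ExecStart=/opt/oauth2-proxy/oauth2-proxy --config=/etc/oauth2-proxy.cfg
Restart=on-failure
RestartSec=5s

# the config holds client_secret and cookie_secret:
#   chown root:oauth2-proxy /etc/oauth2-proxy.cfg && chmod 0640 /etc/oauth2-proxy.cfg
# hardening: read-only view of the system, no privilege escalation, no capabilities
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
# only if the proxy binds 443 itself instead of 4180 behind a reverse proxy:
#AmbientCapabilities=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

Activate with systemctl daemon-reload && systemctl enable --now oauth2-proxy; the request and auth logs then go to the journal.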
To use the command-line arguments in the configuration file, replace every - in the flag name with _ (--http-address becomes http_address). Arguments that can be given multiple times on the command line are written as arrays under the plural name with an s appended (--email-domain becomes email_domains=["..."], --keycloak-group becomes keycloak_groups=[...]). The rule has exceptions, so check the configuration reference whenever a key does not seem to be picked up.
Keycloak
- oauth2-proxy side
The configuration against Keycloak works as follows:
provider="keycloak"
client_id="<client you have created>"
client_secret="<your client's secret>"
login_url="http(s)://keycloak/auth/realms/<your realm>/protocol/openid-connect/auth"
redeem_url="http(s)://keycloak/auth/realms/<your realm>/protocol/openid-connect/token"
profile_url="http(s)://keycloak/auth/realms/<your realm>/protocol/openid-connect/userinfo"
validate_url="http(s)://keycloak/auth/realms/<your realm>/protocol/openid-connect/userinfo"
# one array entry per group, using the full Keycloak group path
keycloak_groups=["/admin", "/consultants"]
# 16, 24 or 32 random bytes, optionally base64 encoded: this is the AES key for the session cookie;
# generate your own, never reuse the value shown on this page
cookie_secret="inXIjzAmzgkuBUmyN9Vflw=="
# * accepts every account of the realm; keycloak_groups above is then the only restriction
email_domains=["*"]
# my listen address: http behind a proxy, or 443 directly
http_address="172.16.63.76:4180"
Use https:// for all four endpoints: the authorization code, the tokens and client_secret travel over redeem_url. The /auth prefix in the paths applies to Keycloak up to version 16; the Quarkus-based releases (17 and later) serve realms at /realms/<your realm>/... unless started with --http-relative-path=/auth.
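A check to run over such a file before deploying it, as an added example (not code from the page or from oauth2-proxy). It re-implements only the rule oauth2-proxy applies to cookie_secret (URL-safe base64 first, the raw string if that does not yield an AES key length) plus the consistency checks a reviewer would make: placeholders left in the endpoint URLs, plain http, endpoints pointing at different realms, email_domains=["*"] without any group restriction. The parser handles only the key="..." and key=[...] lines used on this page; SAMPLE_CFG is constructed (example.com host, realm "internal") and reuses the page's cookie_secret value, which is fine in length but must not be reused in practice.

```python
"""Added example, not code from the page or from oauth2-proxy: sanity-check a
config like the one above before deploying it. Only the cookie_secret decoding
rule oauth2-proxy applies is mirrored (URL-safe base64 first, raw bytes
otherwise); SAMPLE_CFG and its hosts are constructed."""
import base64
import binascii
import re
import secrets

AES_KEY_SIZES = (16, 24, 32)
KEYCLOAK_ENDPOINTS = ("login_url", "redeem_url", "profile_url", "validate_url")

SAMPLE_CFG = """
provider="keycloak"
client_id="oauth2-proxy"
client_secret="s3cr3t-from-keycloak"
login_url="https://keycloak.example.com/auth/realms/internal/protocol/openid-connect/auth"
redeem_url="https://keycloak.example.com/auth/realms/internal/protocol/openid-connect/token"
profile_url="https://keycloak.example.com/auth/realms/internal/protocol/openid-connect/userinfo"
validate_url="https://keycloak.example.com/auth/realms/internal/protocol/openid-connect/userinfo"
keycloak_groups=["/admin", "/consultants"]
cookie_secret="inXIjzAmzgkuBUmyN9Vflw=="
email_domains=["*"]
http_address="172.16.63.76:4180"
"""


def parse_config(text):
    """Parse the TOML subset this page uses: key="str" and key=["a", "b"].
    Trailing # comments are dropped; a # inside a quoted value is not supported."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = re.findall(r'"([^"]*)"', value) if value.startswith("[") else value.strip('"')
    return cfg


def cookie_secret_bytes(secret):
    """Key material oauth2-proxy derives from cookie_secret: URL-safe base64 (padding
    added) if that decodes to an AES key length, otherwise the raw string."""
    padded = secret + "=" * (-len(secret) % 4)
    try:
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
        if len(decoded) in AES_KEY_SIZES:
            return decoded
    except (binascii.Error, ValueError):
        pass
    return secret.encode()


def new_cookie_secret():
    """32 random bytes, URL-safe base64: the form the oauth2-proxy docs recommend."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def lint(cfg):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    n = len(cookie_secret_bytes(cfg.get("cookie_secret", "")))
    if n not in AES_KEY_SIZES:
        findings.append(("error", f"cookie_secret gives {n} bytes of key; need 16, 24 or 32"))

    if cfg.get("provider") == "keycloak":
        realm_bases = set()
        for key in KEYCLOAK_ENDPOINTS:
            url = cfg.get(key, "")
            if not url or "<" in url or url.startswith("http(s)://"):
                findings.append(("error", f"{key} is missing or still a placeholder"))
                continue
            if url.startswith("http://"):
                findings.append(("warn", f"{key} is plain http: tokens and client_secret cross the wire in clear"))
            realm_bases.add(url.split("/protocol/openid-connect/")[0])
        if len(realm_bases) > 1:
            findings.append(("error", f"endpoints point at different realms: {sorted(realm_bases)}"))
        if any("/auth/realms/" in b for b in realm_bases):
            findings.append(("info", "URLs use the /auth prefix (Keycloak <= 16); Keycloak 17+ serves "
                                     "/realms/... unless started with --http-relative-path=/auth"))

    if cfg.get("email_domains") == ["*"] and not (cfg.get("keycloak_groups") or cfg.get("allowed_groups")):
        findings.append(("warn", 'email_domains=["*"] without a group restriction: any realm account may sign in'))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse_config(SAMPLE_CFG)):
        print(f"{severity:5} {message}")
    print("fresh cookie_secret:", new_cookie_secret())
```

One consequence of the decoding rule worth knowing: a raw 32-character secret that happens to be valid base64 is used as the 24 decoded bytes, not as the 32 characters typed; both are valid AES key sizes, but it is the reason to generate the secret as base64 of random bytes rather than typing a passphrase.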
- Keycloak side
New client "oauth2-proxy" with protocol "openid-connect".
Clients > „oauth2-proxy“ > Settings
Client ID: oauth2-proxy
Client Protocol: openid-connect
Access Type: confidential
Valid Redirect URIs: https://internal.yourcompany.com/oauth2/callback
Clients > „oauth2-proxy“ > Mappers > Create
Name: OAuth Group Membership
Mapper Type: Group Membership
Token Claim Name: groups
Full group path: ON (the values then read /admin and so on, matching keycloak_groups)
Add to userinfo: ON (the keycloak provider reads the groups from the userinfo endpoint, so a claim that is only in the ID token is not enough)
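The same client and mapper created through the Keycloak Admin REST API, as an added example (not from this page or from Keycloak) for setups where the console steps above are to be reproduced on every environment. KEYCLOAK, REALM, the admin account and the redirect URI are assumed values, and the paths keep the /auth prefix used on this page (Keycloak up to 16).

```python
"""Added example, not code from the page or from Keycloak: create the client and
the group mapper described above through the Keycloak Admin REST API instead of
the console. KEYCLOAK, REALM, the admin account and REDIRECT_URI are assumed."""
import getpass
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK = "https://keycloak.example.com/auth"   # assumed; drop /auth for Keycloak 17+
REALM = "internal"                               # assumed realm
REDIRECT_URI = "https://internal.yourcompany.com/oauth2/callback"


def client_representation(redirect_uri):
    """Settings tab: confidential openid-connect client with exactly one redirect URI."""
    return {
        "clientId": "oauth2-proxy",
        "protocol": "openid-connect",
        "publicClient": False,            # Access Type: confidential
        "standardFlowEnabled": True,      # authorization code flow, which oauth2-proxy uses
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": [redirect_uri],   # verbatim, no trailing wildcard
    }


def group_mapper_representation():
    """Mappers tab: Group Membership mapper writing the full group path into "groups".
    userinfo.token.claim must be on because the keycloak provider reads groups
    from the userinfo endpoint, not from the ID token."""
    return {
        "name": "OAuth Group Membership",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {
            "claim.name": "groups",
            "full.path": "true",          # "/admin", as listed in keycloak_groups
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def admin_token(base, user, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def post(base, token, path, body):
    """POST a representation; Keycloak answers 201 with the new object's URL in Location."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{REALM}/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"]


def provision(base, token, redirect_uri):
    """Create the client, then attach the mapper to it; returns Keycloak's internal client id."""
    client_url = post(base, token, "clients", client_representation(redirect_uri))
    internal_id = client_url.rstrip("/").rsplit("/", 1)[-1]   # UUID, not the clientId
    post(base, token, f"clients/{internal_id}/protocol-mappers/models", group_mapper_representation())
    return internal_id


if __name__ == "__main__":
    tok = admin_token(KEYCLOAK, os.environ.get("KC_ADMIN_USER", "admin"), getpass.getpass("admin password: "))
    print("created client", provision(KEYCLOAK, tok, REDIRECT_URI))
```

Keycloak generates the client secret itself; read it afterwards from GET .../admin/realms/<realm>/clients/<id>/client-secret and put it into client_secret of the proxy config.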
Command-line arguments
Output of oauth2-proxy --help. Two usage blocks are printed: a short one with the flags that select the configuration file and the version, then the full flag set. The closing pflag: help requested line is part of that output, not an error.
Usage of oauth2-proxy:
--alpha-config string path to alpha config file (use at your own risk - the structure in this config file may change between minor releases)
--config string path to config file
--convert-config-to-alpha if true, the proxy will load configuration as normal and convert existing configuration to the alpha config structure, and print it to stdout
--version print version string
Usage of oauth2-proxy:
--acr-values string acr values string: optional
--allowed-group strings restrict logins to members of this group (may be given multiple times)
--alpha-config string path to alpha config file (use at your own risk - the structure in this config file may change between minor releases)
--approval-prompt string OAuth approval_prompt (default "force")
--auth-logging Log authentication attempts (default true)
--auth-logging-format string Template for authentication log lines (default "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}")
--authenticated-emails-file string authenticate against emails via file (one per line)
--azure-tenant string go to a tenant-specific or common (tenant-independent) endpoint. (default "common")
--banner string custom banner string. Use "-" to disable default banner.
--basic-auth-password string the password to set when passing the HTTP Basic Auth header
--bitbucket-repository string restrict logins to user with access to this repository
--bitbucket-team string restrict logins to members of this team
--client-id string the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
--client-secret string the OAuth Client Secret
--client-secret-file string the file with OAuth Client Secret
--config string path to config file
--convert-config-to-alpha if true, the proxy will load configuration as normal and convert existing configuration to the alpha config structure, and print it to stdout
--cookie-domain .yourcompany.com Optional cookie domains to force cookies to (ie: .yourcompany.com). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).
--cookie-expire duration expire timeframe for cookie (default 168h0m0s)
--cookie-httponly set HttpOnly cookie flag (default true)
--cookie-name string the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
--cookie-path string an optional cookie path to force cookies to (ie: /poc/)* (default "/")
--cookie-refresh duration refresh the cookie after this duration; 0 to disable
--cookie-samesite string set SameSite cookie attribute (ie: "lax", "strict", "none", or "").
--cookie-secret string the seed string for secure cookies (optionally base64 encoded)
--cookie-secure set secure (HTTPS) cookie flag (default true)
--custom-templates-dir string path to custom html templates
--display-htpasswd-form display username / password login form if an htpasswd file is provided (default true)
--email-domain strings authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
--errors-to-info-log Log errors to the standard logging channel instead of stderr
--exclude-logging-path strings Exclude logging requests to paths (eg: '/path1,/path2,/path3')
--extra-jwt-issuers strings if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
--flush-interval duration period between response flushing when streaming responses (default 1s)
--footer string custom footer string. Use "-" to disable default footer.
--force-https force HTTPS redirect for HTTP requests
--gcp-healthchecks Enable GCP/GKE healthcheck endpoints
--github-org string restrict logins to members of this organisation
--github-repo string restrict logins to collaborators of this repository
--github-team string restrict logins to members of this team
--github-token string the token to use when verifying repository collaborators (must have push access to the repository)
--github-user strings allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)
--gitlab-group strings restrict logins to members of this group (may be given multiple times)
--gitlab-project group/project=accesslevel restrict logins to members of this project (may be given multiple times) (eg group/project=accesslevel). Access level should be a value matching Gitlab access levels (see https://docs.gitlab.com/ee/api/members.html#valid-access-levels), defaulted to 20 if absent
--google-admin-email string the google admin to impersonate for api calls
--google-group strings restrict logins to members of this google group (may be given multiple times).
--google-service-account-json string the path to the service account json credentials
--htpasswd-file string additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption
--http-address string [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
--https-address string <addr>:<port> to listen on for HTTPS clients (default ":443")
--insecure-oidc-allow-unverified-email Don't fail if an email address in an id_token is not verified
--insecure-oidc-skip-issuer-verification Do not verify if issuer matches OIDC discovery URL
--jwt-key string private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
--jwt-key-file string path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
--keycloak-group strings restrict logins to members of these groups (may be given multiple times)
--logging-compress Should rotated log files be compressed using gzip
--logging-filename string File to log requests to, empty for stdout
--logging-local-time If the time in log files and backup filenames are local or UTC time (default true)
--logging-max-age int Maximum number of days to retain old log files (default 7)
--logging-max-backups int Maximum number of old log files to retain; 0 to disable
--logging-max-size int Maximum size in megabytes of the log file before rotation (default 100)
--login-url string Authentication endpoint
--oidc-email-claim string which OIDC claim contains the user's email (default "email")
--oidc-groups-claim string which OIDC claim contains the user groups (default "groups")
--oidc-issuer-url string OpenID Connect issuer URL (ie: https://accounts.google.com)
--oidc-jwks-url string OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)
--pass-access-token pass OAuth access_token to upstream via X-Forwarded-Access-Token header
--pass-authorization-header pass the Authorization Header to upstream
--pass-basic-auth pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
--pass-host-header pass the request Host Header to upstream (default true)
--pass-user-headers pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
--ping-path string the ping endpoint that can be used for basic health checks (default "/ping")
--ping-user-agent string special User-Agent that will be used for basic health checks
--prefer-email-to-user Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, eg. htaccess authentication. Used in conjunction with -pass-basic-auth and -pass-user-headers
--profile-url string Profile access endpoint
--prompt string OIDC prompt
--provider string OAuth provider (default "google")
--provider-ca-file strings One or more paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.
--provider-display-name string Provider display name
--proxy-prefix string the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth2")
--proxy-websockets enables WebSocket proxying (default true)
--pubjwk-url string JWK pubkey access endpoint: required by login.gov
--real-client-ip-header string Header used to determine the real IP of the client (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) (default "X-Real-IP")
--redeem-url string Token redemption endpoint
--redirect-url string the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
--redis-ca-path string Redis custom CA path
--redis-cluster-connection-urls strings List of Redis cluster connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster
--redis-connection-url string URL of redis server for redis session storage (eg: redis://HOST[:PORT])
--redis-insecure-skip-tls-verify Use insecure TLS connection to redis
--redis-password --redis-connection-url Redis password. Applicable for all Redis configurations. Will override any password set in --redis-connection-url
--redis-sentinel-connection-urls strings List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel
--redis-sentinel-master-name string Redis sentinel master name. Used in conjunction with --redis-use-sentinel
--redis-sentinel-password --redis-password Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use --redis-password
--redis-use-cluster Connect to redis cluster. Must set --redis-cluster-connection-urls to use this feature
--redis-use-sentinel Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature
--request-logging Log HTTP requests (default true)
--request-logging-format string Template for HTTP request log lines (default "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}")
--resource string The resource that is protected (Azure AD only)
--reverse-proxy are we running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted
--scope string OAuth scope specification
--session-cookie-minimal strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)
--session-store-type string the session storage provider to use (default "cookie")
--set-authorization-header set Authorization response headers (useful in Nginx auth_request mode)
--set-basic-auth set HTTP Basic Auth information in response (useful in Nginx auth_request mode)
--set-xauthrequest set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
--signature-key string GAP-Signature request signature key (algorithm:secretkey)
--silence-ping-logging Disable logging of requests to ping endpoint
--skip-auth-preflight will skip authentication for OPTIONS requests
--skip-auth-regex strings (DEPRECATED for --skip-auth-route) bypass authentication for requests path's that match (may be given multiple times)
--skip-auth-route strings bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods
--skip-auth-strip-headers strips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxy (default true)
--skip-jwt-bearer-tokens will skip requests that have verified JWT bearer tokens (default false)
--skip-oidc-discovery Skip OIDC discovery and use manually supplied Endpoints
--skip-provider-button will skip sign-in-page to directly reach the next step: oauth/start
--ssl-insecure-skip-verify skip validation of certificates presented when using HTTPS providers
--ssl-upstream-insecure-skip-verify skip validation of certificates presented when using HTTPS upstreams
--standard-logging Log standard runtime information (default true)
--standard-logging-format string Template for standard log lines (default "[{{.Timestamp}}] [{{.File}}] {{.Message}}")
--tls-cert-file string path to certificate file
--tls-key-file string path to private key file
--trusted-ip strings list of IPs or CIDR ranges to allow to bypass authentication. WARNING: trusting by IP has inherent security flaws, read the configuration documentation for more information.
--upstream strings the http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path
--user-id-claim oidc-email-claim (DEPRECATED for oidc-email-claim) which claim contains the user ID (default "email")
--validate-url string Access token validation endpoint
--version print version string
--whitelist-domain strings allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)
pflag: help requested
Built on 2024-11-18