This repository has been archived by the owner on Jan 24, 2019. It is now read-only.
Merge pull request #85 from jehiah/oauth2_proxy_85
Naming Is Hard - project name change
Showing 11 changed files with 50 additions and 47 deletions.
@@ -1,39 +1,40 @@ | ||
google_auth_proxy | ||
oaut2_proxy | ||
================= | ||
|
||
(This project was formerly known as Google Auth Proxy) | ||
|
||
A reverse proxy that provides authentication using Google and other OAuth2 | ||
providers to validate individual accounts, or a whole google apps domain. | ||
A reverse proxy that provides authentication using Providers (Google, Github, and others) | ||
to validate individual accounts, or a whole email domain. | ||
|
||
[![Build Status](https://secure.travis-ci.org/bitly/google_auth_proxy.png?branch=master)](http://travis-ci.org/bitly/google_auth_proxy) | ||
[![Build Status](https://secure.travis-ci.org/bitly/oauth2_proxy.png?branch=master)](http://travis-ci.org/bitly/oauth2_proxy) | ||
|
||
|
||
![sign_in_page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png) | ||
|
||
## Architecture | ||
|
||
``` | ||
_______ ___________________ __________ | ||
|Nginx| ----> |google_auth_proxy| ----> |upstream| | ||
------- ------------------- ---------- | ||
|| | ||
\/ | ||
[google oauth2 api] | ||
_______ ______________ __________ | ||
|Nginx| ----> |oauth2_proxy| ----> |upstream| | ||
------- -------------- ---------- | ||
|| | ||
\/ | ||
[provider OAuth2 API] | ||
``` | ||
|
||
|
||
## Installation | ||
|
||
1. Download [Prebuilt Binary](https://github.com/bitly/google_auth_proxy/releases) or build from `master` with `$ go get github.com/bitly/google_auth_proxy` which should put the binary in `$GOROOT/bin` | ||
2. Register an OAuth Application with Google | ||
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) or build from `master` with `$ go get github.com/bitly/oauth2_proxy` which should put the binary in `$GOROOT/bin` | ||
2. Register an OAuth Application with a Provider | ||
3. Configure Google Auth Proxy using config file, command line options, or environment variables | ||
4. Deploy behind a SSL endpoint (example provided for Nginx) | ||
|
||
## OAuth Configuration | ||
|
||
You will need to register an OAuth application with Google (or [another | ||
provider](#providers)), and configure it with Redirect URI(s) for the domain | ||
you intend to run `google_auth_proxy` on. | ||
you intend to run `OAUTH2_PROXY` on. | ||
|
||
For Google, the registration steps are: | ||
|
||
|
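Review bot: the new README title line reads `oaut2_proxy` (the `h` is missing), while every other renamed reference in this hunk spells it `oauth2_proxy`; fix the title and extend the `=================` underline to match the new length. Two lines also escaped the rename sweep: "you intend to run `OAUTH2_PROXY` on" should use the lowercase binary name like the rest of the document, and step 3 of Installation still says "Configure Google Auth Proxy". Pre-existing but worth correcting in the same pass: `go get` installs binaries into `$GOPATH/bin`, not `$GOROOT/bin`.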
@@ -43,7 +44,7 @@ For Google, the registration steps are: | |
* The Application Type should be **Web application** | ||
* Enter your domain in the Authorized Javascript Origins `https://internal.yourcompany.com` | ||
* Enter the correct Authorized Redirect URL `https://internal.yourcompany.com/oauth2/callback` | ||
* NOTE: `google_auth_proxy` will _only_ callback on the path `/oauth2/callback` | ||
* NOTE: `oauth2_proxy` will _only_ callback on the path `/oauth2/callback` | ||
4. Under "APIs & Auth" choose "Consent Screen" | ||
* Fill in the necessary fields and Save (this is _required_) | ||
5. Take note of the **Client ID** and **Client Secret** | ||
|
@@ -59,19 +60,19 @@ For LinkedIn, the registration steps are: | |
|
||
## Configuration | ||
|
||
`google_auth_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables). | ||
`oauth2_proxy` can be configured via [config file](#config-file), [command line options](#command-line-options) or [environment variables](#environment-variables). | ||
|
||
### Config File | ||
|
||
An example [google_auth_proxy.cfg](contrib/google_auth_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/google_auth_proxy.cfg` | ||
An example [OAUTH2_PROXY.cfg](contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg` | ||
|
||
### Command Line Options | ||
|
||
``` | ||
Usage of google_auth_proxy: | ||
Usage of oauth2_proxy: | ||
-authenticated-emails-file="": authenticate against emails via file (one per line) | ||
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com" | ||
-client-secret="": the OAuth Client Secret | ||
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com" | ||
-client-secret="": the Client Secret | ||
-config="": path to config file | ||
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)* | ||
-cookie-expire=168h0m0s: expire timeframe for cookie | ||
|
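Review bot: the link text `[OAUTH2_PROXY.cfg]` is uppercase while both the path it points to (`contrib/oauth2_proxy.cfg.example`) and the `-config=/etc/oauth2_proxy.cfg` example are lowercase; use `oauth2_proxy.cfg` so the text matches the actual file name. The generalized `-client-id` help string still gives only the Google form as its example (`"123456.apps.googleusercontent.com"`); either label it as the Google format or drop the `ie:` now that several providers are supported, otherwise GitHub and LinkedIn users will wonder whether their IDs are acceptable.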
@@ -105,12 +106,12 @@ See below for provider specific options | |
|
||
### Environment variables | ||
|
||
The environment variables `GOOGLE_AUTH_PROXY_CLIENT_ID`, `GOOGLE_AUTH_PROXY_CLIENT_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_SECRET`, `GOOGLE_AUTH_PROXY_COOKIE_DOMAIN` and `GOOGLE_AUTH_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments. | ||
The environment variables `OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`, `OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_COOKIE_DOMAIN` and `OAUTH2_PROXY_COOKIE_EXPIRE` can be used in place of the corresponding command-line arguments. | ||
|
||
### Example Nginx Configuration | ||
|
||
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `google_auth_proxy` on port `4180`. | ||
`google_auth_proxy` then authenticates requests for an upstream application running on port `8080`. The external | ||
This example has a [Nginx](http://nginx.org/) SSL endpoint proxying to `oauth2_proxy` on port `4180`. | ||
`oauth2_proxy` then authenticates requests for an upstream application running on port `8080`. The external | ||
endpoint for this example would be `https://internal.yourcompany.com/`. | ||
|
||
An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL | ||
|
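Review bot: renaming the environment variables from `GOOGLE_AUTH_PROXY_*` to `OAUTH2_PROXY_*` is a breaking configuration change for anyone who passes the client secret or cookie secret through the environment, and this hunk does not say whether the old names are still read. Add a sentence stating that (or a short migration note and changelog entry if they are not), so an operator upgrading does not start the proxy believing the secrets they exported under the old names are in effect.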
@@ -136,10 +137,10 @@ server { | |
} | ||
``` | ||
|
||
The command line to run `google_auth_proxy` would look like this: | ||
The command line to run `oauth2_proxy` would look like this: | ||
|
||
```bash | ||
./google_auth_proxy \ | ||
./oauth2_proxy \ | ||
--google-apps-domain="yourcompany.com" \ | ||
--upstream=http://127.0.0.1:8080/ \ | ||
--cookie-secret=... \ | ||
|
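Review bot: the command line example still passes `--google-apps-domain="yourcompany.com"` while the README intro changed in this same PR now describes validating "a whole email domain" across providers. If the flag was deliberately left unrenamed, say so in the surrounding prose (or note which flag applies for the other providers), so readers coming from the GitHub or LinkedIn sections are not left expecting a provider-neutral option that the example never shows.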
@@ -151,7 +152,7 @@ The command line to run `google_auth_proxy` would look like this: | |
|
||
## Endpoint Documentation | ||
|
||
Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. | ||
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. | ||
|
||
* /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info | ||
* /ping - returns an 200 OK response | ||
|
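Review bot: "/ping - returns an 200 OK response" should read "a 200 OK response"; pre-existing, but this rename pass already touches the surrounding lines, so fix it here.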
@@ -161,17 +162,18 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi | |
|
||
## Logging Format | ||
|
||
Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log. | ||
OAuth2 Proxy Proxy logs requests to stdout in a format similar to Apache Combined Log. | ||
|
||
``` | ||
<REMOTE_ADDRESS> - <[email protected]> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION> | ||
``` | ||
|
||
## <a name="providers"></a>Providers other than Google | ||
## <a name="providers"></a>Providers | ||
|
||
Other providers besides Google can be specified by the `providers` flag/config | ||
Authentication providers can be specified by the `providers` flag/config | ||
directive. Right now this includes: | ||
|
||
* `google` - (default) [Google](https://console.developers.google.com/project) | ||
* `myusa` - The [MyUSA](https://alpha.my.usa.gov) authentication service | ||
([GitHub](https://github.com/18F/myusa)) | ||
* `linkedin` - The [LinkedIn](https://developer.linkedin.com/docs/signin-with-linkedin) Sign In service. | ||
|
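Review bot: "OAuth2 Proxy Proxy logs requests to stdout" doubles the word Proxy; the intended text is "OAuth2 Proxy logs requests to stdout". The rest of the hunk (heading anchor preserved as `<a name="providers">`, "Providers other than Google" generalized to "Providers") reads correctly.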