@@ -113,15 +113,16 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i
```
Usage of oauth2_proxy:
- -approval_prompt ="force": Oauth approval_prompt
+ -approval-prompt ="force": Oauth approval_prompt
-authenticated-emails-file="": authenticate against emails via file (one per line)
+ -basic-auth-password="": the password to set when passing the HTTP Basic Auth header
-client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret
-config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie flag
- -cookie-key ="_oauth2_proxy": the name of the cookie that the oauth_proxy creates
+ -cookie-name ="_oauth2_proxy": the name of the cookie that the oauth_proxy creates
-cookie-refresh=0: refresh the cookie after this duration; 0 to disable
-cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
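Review bot: the two corrected flag lines, `-approval-prompt ="force"` and `-cookie-name ="_oauth2_proxy"`, keep a space before `=`, unlike every other entry in this usage block (`-cookie-domain=""`, `-cookie-expire=168h0m0s`); since readers copy these lines as flag syntax, drop the space so they read `-cookie-name="_oauth2_proxy"`. The `-basic-auth-password` line moved here also describes the value only as "the password to set"; one clause saying it is a single fixed value sent on behalf of every authenticated user, not a per-user credential, and that the upstream must therefore trust the proxy rather than the password, would stop readers from treating it as upstream authentication of the user.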
@@ -130,17 +131,15 @@ Usage of oauth2_proxy:
-email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of this team
- -google-group="": restrict logins to members of this google group
-google-admin-email="": the google admin to impersonate for api calls
+ -google-group=: restrict logins to members of this google group (may be given multiple times).
-google-service-account-json="": the path to the service account json credentials
-
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
-https-address=":443": <addr>:<port> to listen on for HTTPS clients
-login-url="": Authentication endpoint
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
- -basic-auth-password="": the password to set when passing the HTTP Basic Auth header
-pass-host-header=true: pass the request Host Header to upstream
-profile-url="": Profile access endpoint
-provider="google": OAuth provider
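Review bot: the rewritten `-google-group=` line says "may be given multiple times" but not how several groups combine; state whether membership in any one listed group is sufficient or all are required, since that decides who gets through the proxy. Style: the line ends with a period while no other entry in this usage block does, so drop it, and the empty default (`=` rather than `=""`) now matches `-email-domain=` and `-skip-auth-regex=`, which is the right form for a repeatable flag.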
@@ -149,6 +148,7 @@ Usage of oauth2_proxy:
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-request-logging=true: Log requests to stdout
-scope="": Oauth scope specification
+ -signature-key="": GAP-Signature request signature key (algorithm:secretkey)
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-tls-cert="": path to certificate file
-tls-key="": path to private key file
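Review bot: the new `-signature-key` usage line gives the value shape `(algorithm:secretkey)` but neither lists which algorithm names are accepted nor says what happens when an unknown one is supplied; list the accepted names here (the Request signatures section later in this patch only ever shows `sha1`) and mention that the config-file spelling is `signature_key`, because that section refers to the option by that name only and a reader searching for `-signature-key` will not find it there.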
@@ -250,6 +250,24 @@ OAuth2 Proxy responds directly to the following endpoints. All other endpoints w
* /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
* /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the [ Nginx ` auth_request ` directive] ( #nginx-auth-request )
+ ## Request signatures
+
+ If ` signature_key ` is defined, proxied requests will be signed with the
+ ` GAP-Signature ` header, which is a [ Hash-based Message Authentication Code
+ (HMAC)] ( https://en.wikipedia.org/wiki/Hash-based_message_authentication_code )
+ of selected request information and the request body [ see ` SIGNATURE_HEADERS `
+ in ` oauthproxy.go ` ] ( ./oauthproxy.go ) .
+
+ ` signature_key ` must be of the form ` algorithm:secretkey ` , (ie: ` signature_key = "sha1:secret0" ` )
+
+ For more information about HMAC request signature validation, read the
+ following:
+
+ * [ Amazon Web Services: Signing and Authenticating REST
+ Requests] ( https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html )
+ * [ rc3.org: Using HMAC to authenticate Web service
+ requests] ( http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/ )
+
## Logging Format
OAuth2 Proxy logs requests to stdout in a format similar to Apache Combined Log.
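Review bot: the example `signature_key = "sha1:secret0"` will be copied verbatim; say that the secret must be a long random value shared only with the upstream, and show a SHA-2 algorithm in the example if the implementation accepts one. The section also never says what the upstream has to do: the `GAP-Signature` header protects nothing unless the upstream recomputes the HMAC with the same key and rejects mismatches, and anything not listed in `SIGNATURE_HEADERS` can be altered between proxy and upstream without detection, so tell readers to check that list rather than assume every header is covered. State as well whether a timestamp or nonce is among the signed fields; if it is not, a captured signed request can be replayed to the upstream and the signature will still verify. Minor: "ie:" should be "e.g.", and the stray comma before the parenthesis in `` `algorithm:secretkey` , (ie: `` should go.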
@@ -258,7 +276,6 @@ OAuth2 Proxy logs requests to stdout in a format similar to Apache Combined Log.
<REMOTE_ADDRESS> - <[email protected] > [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
```
-
## Adding a new Provider
Follow the examples in the [ ` providers ` package] ( providers/ ) to define a new