Alpha Configuration

warning

This page contains documentation for alpha features. We reserve the right to make breaking changes to the features detailed within this page with no notice.

Options described in this page may be changed, removed, renamed or moved without prior warning. Please beware of this before you use alpha configuration options.

This page details a set of alpha configuration options in a new format. Going forward we are intending to add structured configuration in YAML format to replace the existing TOML based configuration file and flags.

Below is a reference for the structure of the configuration, with AlphaOptions as the root of the configuration.

When using alpha configuration, your config file will look something like below:

upstreams:
  - id: ...
    ...
injectRequestHeaders:
  - name: ...
    ...
injectResponseHeaders:
  - name: ...
    ...

Please browse the reference below for the structure of the new configuration format.

Using Alpha Configuration

To use the new alpha configuration, generate a YAML file based on the format described in the reference below.

Provide the path to this file using the --alpha-config flag.

note

When using the --alpha-config flag, some options are no longer available. See removed options below for more information.

Converting configuration to the new structure

Before adding the new --alpha-config option, start OAuth2 Proxy using the convert-config-to-alpha flag to convert existing configuration to the new format.

oauth2-proxy --convert-config-to-alpha --config ./path/to/existing/config.cfg

This will convert any options supported by the new format to YAML and print the new configuration to STDOUT.

Copy this to a new file, remove any options from your existing configuration noted in removed options and then start OAuth2 Proxy using the new config.

oauth2-proxy --alpha-config ./path/to/new/config.yaml --config ./path/to/existing/config.cfg

Removed options

The following flags/options and their respective environment variables are no longer available when using alpha configuration:

• flush-interval/flush_interval
• pass-host-header/pass_host_header
• proxy-websockets/proxy_websockets
• ssl-upstream-insecure-skip-verify/ssl_upstream_insecure_skip_verify
• upstream/upstreams

• pass-basic-auth/pass_basic_auth
• pass-access-token/pass_access_token
• pass-user-headers/pass_user_headers
• pass-authorization-header/pass_authorization_header
• set-basic-auth/set_basic_auth
• set-xauthrequest/set_xauthrequest
• set-authorization-header/set_authorization_header
• prefer-email-to-user/prefer_email_to_user
• basic-auth-password/basic_auth_password
• skip-auth-strip-headers/skip_auth_strip_headers

Attempting to use these options via flags or via config when --alpha-config set will result in an error.

important

You must remove these options before starting OAuth2 Proxy with --alpha-config

Configuration Reference

AlphaOptions

AlphaOptions contains alpha structured configuration options. Usage of these options allows users to access alpha features that are not available as part of the primary configuration structure for OAuth2 Proxy.

warning

The options within this structure are considered alpha. They may change between releases without notice.

Field	Type	Description
upstreams	Upstreams	Upstreams is used to configure upstream servers. Once a user is authenticated, requests to the server will be proxied to these upstream servers based on the path mappings defined in this list.
injectRequestHeaders	[]Header	InjectRequestHeaders is used to configure headers that should be added to requests to upstream servers. Headers may source values from either the authenticated user's session or from a static secret value.
injectResponseHeaders	[]Header	InjectResponseHeaders is used to configure headers that should be added to responses from the proxy. This is typically used when using the proxy as an external authentication provider in conjunction with another proxy such as NGINX and its auth_request module. Headers may source values from either the authenticated user's session or from a static secret value.
server	Server	Server is used to configure the HTTP(S) server for the proxy application. You may choose to run both HTTP and HTTPS servers simultaneously. This can be done by setting the BindAddress and the SecureBindAddress simultaneously. To use the secure server you must configure a TLS certificate and key.
metricsServer	Server	MetricsServer is used to configure the HTTP(S) server for metrics. You may choose to run both HTTP and HTTPS servers simultaneously. This can be done by setting the BindAddress and the SecureBindAddress simultaneously. To use the secure server you must configure a TLS certificate and key.

ClaimSource

(Appears on: HeaderValue)

ClaimSource allows loading a header value from a claim within the session

Field	Type	Description
claim	string	Claim is the name of the claim in the session that the value should be loaded from.
prefix	string	Prefix is an optional prefix that will be prepended to the value of the claim if it is non-empty.
basicAuthPassword	SecretSource	BasicAuthPassword converts this claim into a basic auth header. Note the value of claim will become the basic auth username and the basicAuthPassword will be used as the password value.

Duration

(string alias)

(Appears on: Upstream)

Duration is as string representation of a period of time. A duration string is a is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Header

(Appears on: AlphaOptions)

Header represents an individual header that will be added to a request or response header.

Field	Type	Description
name	string	Name is the header name to be used for this set of values. Names should be unique within a list of Headers.
preserveRequestValue	bool	PreserveRequestValue determines whether any values for this header should be preserved for the request to the upstream server. This option only applies to injected request headers. Defaults to false (headers that match this header will be stripped).
values	[]HeaderValue	Values contains the desired values for this header

HeaderValue

(Appears on: Header)

HeaderValue represents a single header value and the sources that can make up the header value

Field	Type	Description
value	[]byte	Value expects a base64 encoded string value.
fromEnv	string	FromEnv expects the name of an environment variable.
fromFile	string	FromFile expects a path to a file containing the secret value.
claim	string	Claim is the name of the claim in the session that the value should be loaded from.
prefix	string	Prefix is an optional prefix that will be prepended to the value of the claim if it is non-empty.
basicAuthPassword	SecretSource	BasicAuthPassword converts this claim into a basic auth header. Note the value of claim will become the basic auth username and the basicAuthPassword will be used as the password value.

SecretSource

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

Field	Type	Description
value	[]byte	Value expects a base64 encoded string value.
fromEnv	string	FromEnv expects the name of an environment variable.
fromFile	string	FromFile expects a path to a file containing the secret value.

Server

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

Field	Type	Description
BindAddress	string	BindAddress is the address on which to serve traffic. Leave blank or set to "-" to disable.
SecureBindAddress	string	SecureBindAddress is the address on which to serve secure traffic. Leave blank or set to "-" to disable.
TLS	TLS	TLS contains the information for loading the certificate and key for the secure traffic.

TLS

(Appears on: Server)

TLS contains the information for loading a TLS certifcate and key.

Field	Type	Description
Key	SecretSource	Key is the TLS key data to use. Typically this will come from a file.
Cert	SecretSource	Cert is the TLS certificate data to use. Typically this will come from a file.

Upstream

(Appears on: Upstreams)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

Field	Type	Description
id	string	ID should be a unique identifier for the upstream. This value is required for all upstreams.
path	string	Path is used to map requests to the upstream server. The closest match will take precedence and all Paths must be unique.
uri	string	The URI of the upstream server. This may be an HTTP(S) server of a File based URL. It may include a path, in which case all requests will be served under that path. Eg: - http://localhost:8080 - https://service.localhost - https://service.localhost/path - file://host/path If the URI's path is "/base" and the incoming request was for "/dir", the upstream request will be for "/base/dir".
insecureSkipTLSVerify	bool	InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts. This option is insecure and will allow potential Man-In-The-Middle attacks betweem OAuth2 Proxy and the usptream server. Defaults to false.
static	bool	Static will make all requests to this upstream have a static response. The response will have a body of "Authenticated" and a response code matching StaticCode. If StaticCode is not set, the response will return a 200 response.
staticCode	int	StaticCode determines the response code for the Static response. This option can only be used with Static enabled.
flushInterval	Duration	FlushInterval is the period between flushing the response buffer when streaming response from the upstream. Defaults to 1 second.
passHostHeader	bool	PassHostHeader determines whether the request host header should be proxied to the upstream server. Defaults to true.
proxyWebSockets	bool	ProxyWebSockets enables proxying of websockets to upstream servers Defaults to true.

Upstreams

([]Upstream alias)

(Appears on: AlphaOptions)

Upstreams is a collection of definitions for upstream servers.