OAuth Provider Configuration
You will need to register an OAuth application with a Provider (Google, GitHub or another provider), and configure it
with Redirect URI(s) for the domain you intend to run oauth2-proxy on.
Valid providers are:
- ADFS
- Bitbucket
- DigitalOcean
- Gitea
- GitHub
- GitLab
- Google (default)
- Keycloak (Deprecated)
- Keycloak OIDC
- login.gov
- Microsoft Azure (Deprecated)
- Microsoft Entra ID
- Nextcloud
- OpenID Connect
- SourceHut
The provider can be selected using the provider configuration value, or set in the providers array using AlphaConfig. However, support for multiple providers is not complete.
Please note that not all providers support all claims. The preferred_username claim is currently only supported by the
OpenID Connect provider.
Email Authentication
To authorize a specific email-domain use --email-domain=yourcompany.com. To authorize individual email addresses use
--authenticated-emails-file=/path/to/file with one email per line. To authorize all email addresses use --email-domain=*.
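The allow-list decision these flags describe, as an added sketch that is not oauth2-proxy's own code. The Allowlist type and its functions are hypothetical, and the matching rules (case-insensitive, exact match on the domain after the last "@") are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Allowlist is a hypothetical type for this example, not an oauth2-proxy type.
type Allowlist struct {
	domains, emails map[string]bool
	all             bool // set when a domain value is "*"
}

// NewAllowlist takes --email-domain style values and the contents of an
// --authenticated-emails-file style file (one email per line).
func NewAllowlist(domains []string, emailsFile string) *Allowlist {
	a := &Allowlist{domains: map[string]bool{}, emails: map[string]bool{}}
	for _, d := range domains {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "*" {
			a.all = true
		} else if d != "" {
			a.domains[d] = true
		}
	}
	sc := bufio.NewScanner(strings.NewReader(emailsFile))
	for sc.Scan() {
		if e := strings.ToLower(strings.TrimSpace(sc.Text())); e != "" {
			a.emails[e] = true // blank lines are skipped
		}
	}
	return a
}

// Allowed compares the whole domain, so a suffix or prefix look-alike such as
// notyourcompany.com or yourcompany.com.example.net does not pass.
func (a *Allowlist) Allowed(email string) bool {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false // no local part or no domain: reject even under "*"
	}
	return a.all || a.emails[email] || a.domains[email[at+1:]]
}

func main() {
	// Constructed sample values.
	a := NewAllowlist([]string{"yourcompany.com"}, "contractor@example.org\n")
	fmt.Println(a.Allowed("alice@yourcompany.com"), a.Allowed("bob@notyourcompany.com"))
}
```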
Adding a new Provider
Follow the examples in the providers package to define a new
Provider instance. Add a new case to
providers.New() to allow oauth2-proxy to use the
new Provider.