Alpha Configuration
This page contains documentation for alpha features. We reserve the right to make breaking changes to the features detailed within this page with no notice.
Options described in this page may be changed, removed, renamed or moved without prior warning. Please beware of this before you use alpha configuration options.
This page details a set of alpha configuration options in a new format. Going forward we are intending to add structured configuration in YAML format to replace the existing TOML based configuration file and flags.
Below is a reference for the structure of the configuration, with AlphaOptions as the root of the configuration.
When using alpha configuration, your config file will look something like below:
upstreams:
- id: ...
...
injectRequestHeaders:
- name: ...
...
injectResponseHeaders:
- name: ...
...
Please browse the reference below for the structure of the new configuration format.
Using Alpha Configuration
To use the new alpha configuration, generate a YAML file based on the format described in the reference below.
Provide the path to this file using the --alpha-config flag.
When using the --alpha-config flag, some options are no longer available.
See removed options below for more information.
Converting configuration to the new structure
Before adding the new --alpha-config option, start OAuth2 Proxy using the
convert-config-to-alpha flag to convert existing configuration to the new format.
oauth2-proxy --convert-config-to-alpha --config ./path/to/existing/config.cfg
This will convert any options supported by the new format to YAML and print the
new configuration to STDOUT.
Copy this to a new file, remove any options from your existing configuration noted in removed options and then start OAuth2 Proxy using the new config.
oauth2-proxy --alpha-config ./path/to/new/config.yaml --config ./path/to/existing/config.cfg
Removed options
The following flags/options and their respective environment variables are no longer available when using alpha configuration:
flush-interval/flush_intervalpass-host-header/pass_host_headerproxy-websockets/proxy_websocketsssl-upstream-insecure-skip-verify/ssl_upstream_insecure_skip_verifyupstream/upstreams
pass-basic-auth/pass_basic_authpass-access-token/pass_access_tokenpass-user-headers/pass_user_headerspass-authorization-header/pass_authorization_headerset-basic-auth/set_basic_authset-xauthrequest/set_xauthrequestset-authorization-header/set_authorization_headerprefer-email-to-user/prefer_email_to_userbasic-auth-password/basic_auth_passwordskip-auth-strip-headers/skip_auth_strip_headers
Attempting to use these options via flags or via config when --alpha-config
set will result in an error.
You must remove these options before starting OAuth2 Proxy with --alpha-config
Configuration Reference
ADFSOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
skipScope | bool | Skip adding the scope parameter in login request Default value is 'false' |
AlphaOptions
AlphaOptions contains alpha structured configuration options. Usage of these options allows users to access alpha features that are not available as part of the primary configuration structure for OAuth2 Proxy.
The options within this structure are considered alpha. They may change between releases without notice.
| Field | Type | Description |
|---|---|---|
upstreamConfig | UpstreamConfig | UpstreamConfig is used to configure upstream servers. Once a user is authenticated, requests to the server will be proxied to these upstream servers based on the path mappings defined in this list. |
injectRequestHeaders | []Header | InjectRequestHeaders is used to configure headers that should be added to requests to upstream servers. Headers may source values from either the authenticated user's session or from a static secret value. |
injectResponseHeaders | []Header | InjectResponseHeaders is used to configure headers that should be added to responses from the proxy. This is typically used when using the proxy as an external authentication provider in conjunction with another proxy such as NGINX and its auth_request module. Headers may source values from either the authenticated user's session or from a static secret value. |
server | Server | Server is used to configure the HTTP(S) server for the proxy application. You may choose to run both HTTP and HTTPS servers simultaneously. This can be done by setting the BindAddress and the SecureBindAddress simultaneously. To use the secure server you must configure a TLS certificate and key. |
metricsServer | Server | MetricsServer is used to configure the HTTP(S) server for metrics. You may choose to run both HTTP and HTTPS servers simultaneously. This can be done by setting the BindAddress and the SecureBindAddress simultaneously. To use the secure server you must configure a TLS certificate and key. |
providers | Providers | Providers is used to configure multiple providers. |
AzureOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
tenant | string | Tenant directs to a tenant-specific or common (tenant-independent) endpoint Default value is 'common' |
BitbucketOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
team | string | Team sets restrict logins to members of this team |
repository | string | Repository sets restrict logins to user with access to this repository |
ClaimSource
(Appears on: HeaderValue)
ClaimSource allows loading a header value from a claim within the session
| Field | Type | Description |
|---|---|---|
claim | string | Claim is the name of the claim in the session that the value should be loaded from. |
prefix | string | Prefix is an optional prefix that will be prepended to the value of the claim if it is non-empty. |
basicAuthPassword | SecretSource | BasicAuthPassword converts this claim into a basic auth header. Note the value of claim will become the basic auth username and the basicAuthPassword will be used as the password value. |
Duration
(string alias)
(Appears on: Upstream)
Duration is as string representation of a period of time. A duration string is a is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
GitHubOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
org | string | Org sets restrict logins to members of this organisation |
team | string | Team sets restrict logins to members of this team |
repo | string | Repo sets restrict logins to collaborators of this repository |
token | string | Token is the token to use when verifying repository collaborators it must have push access to the repository |
users | []string | Users allows users with these usernames to login even if they do not belong to the specified org and team or collaborators |
GitLabOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
group | []string | Group sets restrict logins to members of this group |
projects | []string | Projects restricts logins to members of any of these projects |
GoogleOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
group | []string | Groups sets restrict logins to members of this google group |
adminEmail | string | AdminEmail is the google admin to impersonate for api calls |
serviceAccountJson | string | ServiceAccountJSON is the path to the service account json credentials |
Header
(Appears on: AlphaOptions)
Header represents an individual header that will be added to a request or response header.
| Field | Type | Description |
|---|---|---|
name | string | Name is the header name to be used for this set of values. Names should be unique within a list of Headers. |
preserveRequestValue | bool | PreserveRequestValue determines whether any values for this header should be preserved for the request to the upstream server. This option only applies to injected request headers. Defaults to false (headers that match this header will be stripped). |
values | []HeaderValue | Values contains the desired values for this header |
HeaderValue
(Appears on: Header)
HeaderValue represents a single header value and the sources that can make up the header value
| Field | Type | Description |
|---|---|---|
value | []byte | Value expects a base64 encoded string value. |
fromEnv | string | FromEnv expects the name of an environment variable. |
fromFile | string | FromFile expects a path to a file containing the secret value. |
claim | string | Claim is the name of the claim in the session that the value should be loaded from. |
prefix | string | Prefix is an optional prefix that will be prepended to the value of the claim if it is non-empty. |
basicAuthPassword | SecretSource | BasicAuthPassword converts this claim into a basic auth header. Note the value of claim will become the basic auth username and the basicAuthPassword will be used as the password value. |
KeycloakOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
groups | []string | Group enables to restrict login to members of indicated group |
roles | []string | Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) |
LoginGovOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
jwtKey | string | JWTKey is a private key in PEM format used to sign JWT, |
jwtKeyFile | string | JWTKeyFile is a path to the private key file in PEM format used to sign the JWT |
pubjwkURL | string | PubJWKURL is the JWK pubkey access endpoint |
OIDCOptions
(Appears on: Provider)
| Field | Type | Description |
|---|---|---|
issuerURL | string | IssuerURL is the OpenID Connect issuer URL eg: https://accounts.google.com |
insecureAllowUnverifiedEmail | bool | InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified default set to 'false' |
insecureSkipIssuerVerification | bool | InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL default set to 'false' |
insecureSkipNonce | bool | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked after the initial OAuth redeem & subsequent token refreshes. default set to 'true' Warning: In a future release, this will change to 'false' by default for enhanced security. |
skipDiscovery | bool | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints default set to 'false' |
jwksURL | string | JwksURL is the OpenID Connect JWKS URL eg: https://www.googleapis.com/oauth2/v3/certs |
emailClaim | string | EmailClaim indicates which claim contains the user email, default set to 'email' |
groupsClaim | string | GroupsClaim indicates which claim contains the user groups default set to 'groups' |
userIDClaim | string | UserIDClaim indicates which claim contains the user ID default set to 'email' |
Provider
(Appears on: Providers)
Provider holds all configuration for a single provider
| Field | Type | Description |
|---|---|---|
clientID | string | ClientID is the OAuth Client ID that is defined in the provider This value is required for all providers. |
clientSecret | string | ClientSecret is the OAuth Client Secret that is defined in the provider This value is required for all providers. |
clientSecretFile | string | ClientSecretFile is the name of the file containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
keycloakConfig | KeycloakOptions | KeycloakConfig holds all configurations for Keycloak provider. |
azureConfig | AzureOptions | AzureConfig holds all configurations for Azure provider. |
ADFSConfig | ADFSOptions | ADFSConfig holds all configurations for ADFS provider. |
bitbucketConfig | BitbucketOptions | BitbucketConfig holds all configurations for Bitbucket provider. |
githubConfig | GitHubOptions | GitHubConfig holds all configurations for GitHubC provider. |
gitlabConfig | GitLabOptions | GitLabConfig holds all configurations for GitLab provider. |
googleConfig | GoogleOptions | GoogleConfig holds all configurations for Google provider. |
oidcConfig | OIDCOptions | OIDCConfig holds all configurations for OIDC provider or providers utilize OIDC configurations. |
loginGovConfig | LoginGovOptions | LoginGovConfig holds all configurations for LoginGov provider. |
id | string | ID should be a unique identifier for the provider. This value is required for all providers. |
provider | string | Type is the OAuth provider must be set from the supported providers group, otherwise 'Google' is set as default |
name | string | Name is the providers display name if set, it will be shown to the users in the login page. |
caFiles | []string | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead |
loginURL | string | LoginURL is the authentication endpoint |
redeemURL | string | RedeemURL is the token redemption endpoint |
profileURL | string | ProfileURL is the profile access endpoint |
resource | string | ProtectedResource is the resource that is protected (Azure AD and ADFS only) |
validateURL | string | ValidateURL is the access token validation endpoint |
scope | string | Scope is the OAuth scope specification |
prompt | string | Prompt is OIDC prompt |
approvalPrompt | string | ApprovalPrompt is the OAuth approval_prompt default is set to 'force' |
allowedGroups | []string | AllowedGroups is a list of restrict logins to members of this group |
acrValues | string | AcrValues is a string of acr values |
Providers
([]Provider alias)
(Appears on: AlphaOptions)
Providers is a collection of definitions for providers.
SecretSource
(Appears on: ClaimSource, HeaderValue, TLS)
SecretSource references an individual secret value. Only one source within the struct should be defined at any time.
| Field | Type | Description |
|---|---|---|
value | []byte | Value expects a base64 encoded string value. |
fromEnv | string | FromEnv expects the name of an environment variable. |
fromFile | string | FromFile expects a path to a file containing the secret value. |
Server
(Appears on: AlphaOptions)
Server represents the configuration for an HTTP(S) server
| Field | Type | Description |
|---|---|---|
BindAddress | string | BindAddress is the address on which to serve traffic. Leave blank or set to "-" to disable. |
SecureBindAddress | string | SecureBindAddress is the address on which to serve secure traffic. Leave blank or set to "-" to disable. |
TLS | TLS | TLS contains the information for loading the certificate and key for the secure traffic. |
TLS
(Appears on: Server)
TLS contains the information for loading a TLS certifcate and key.
| Field | Type | Description |
|---|---|---|
Key | SecretSource | Key is the TLS key data to use. Typically this will come from a file. |
Cert | SecretSource | Cert is the TLS certificate data to use. Typically this will come from a file. |
Upstream
(Appears on: UpstreamConfig)
Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.
| Field | Type | Description |
|---|---|---|
id | string | ID should be a unique identifier for the upstream. This value is required for all upstreams. |
path | string | Path is used to map requests to the upstream server. The closest match will take precedence and all Paths must be unique. Path can also take a pattern when used with RewriteTarget. Path segments can be captured and matched using regular experessions. Eg: - ^/foo$: Match only the explicit path /foo- ^/bar/$: Match any path prefixed with /bar/- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget |
rewriteTarget | string | RewriteTarget allows users to rewrite the request path before it is sent to the upstream server. Use the Path to capture segments for reuse within the rewrite target. Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewritethe request /baz/abc/123 to /foo/abc/123 before proxying to theupstream server. |
uri | string | The URI of the upstream server. This may be an HTTP(S) server of a File based URL. It may include a path, in which case all requests will be served under that path. Eg: - http://localhost:8080 - https://service.localhost - https://service.localhost/path - file://host/path If the URI's path is "/base" and the incoming request was for "/dir", the upstream request will be for "/base/dir". |
insecureSkipTLSVerify | bool | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts. This option is insecure and will allow potential Man-In-The-Middle attacks betweem OAuth2 Proxy and the usptream server. Defaults to false. |
static | bool | Static will make all requests to this upstream have a static response. The response will have a body of "Authenticated" and a response code matching StaticCode. If StaticCode is not set, the response will return a 200 response. |
staticCode | int | StaticCode determines the response code for the Static response. This option can only be used with Static enabled. |
flushInterval | Duration | FlushInterval is the period between flushing the response buffer when streaming response from the upstream. Defaults to 1 second. |
passHostHeader | bool | PassHostHeader determines whether the request host header should be proxied to the upstream server. Defaults to true. |
proxyWebSockets | bool | ProxyWebSockets enables proxying of websockets to upstream servers Defaults to true. |
UpstreamConfig
(Appears on: AlphaOptions)
UpstreamConfig is a collection of definitions for upstream servers.
| Field | Type | Description |
|---|---|---|
proxyRawPath | bool | ProxyRawPath will pass the raw url path to upstream allowing for url's like: "/%2F/" which would otherwise be redirected to "/" |
upstreams | []Upstream | Upstreams represents the configuration for the upstream servers. Requests will be proxied to this upstream if the path matches the request path. |