Skip to main content
Version: 7.5.x

Alpha Configuration

warning

This page contains documentation for alpha features. We reserve the right to make breaking changes to the features detailed within this page with no notice.

Options described in this page may be changed, removed, renamed or moved without prior warning. Please beware of this before you use alpha configuration options.

This page details a set of alpha configuration options in a new format. Going forward we are intending to add structured configuration in YAML format to replace the existing TOML based configuration file and flags.

Below is a reference for the structure of the configuration, with AlphaOptions as the root of the configuration.

When using alpha configuration, your config file will look something like below:

upstreams:
- id: ...
...
injectRequestHeaders:
- name: ...
...
injectResponseHeaders:
- name: ...
...

Please browse the reference below for the structure of the new configuration format.

Using Alpha Configuration

To use the new alpha configuration, generate a YAML file based on the format described in the reference below.

Provide the path to this file using the --alpha-config flag.

note

When using the --alpha-config flag, some options are no longer available. See removed options below for more information.

Converting configuration to the new structure

Before adding the new --alpha-config option, start OAuth2 Proxy using the convert-config-to-alpha flag to convert existing configuration to the new format.

oauth2-proxy --convert-config-to-alpha --config ./path/to/existing/config.cfg

This will convert any options supported by the new format to YAML and print the new configuration to STDOUT.

Copy this to a new file, remove any options from your existing configuration noted in removed options and then start OAuth2 Proxy using the new config.

oauth2-proxy --alpha-config ./path/to/new/config.yaml --config ./path/to/existing/config.cfg

Removed options

The following flags/options and their respective environment variables are no longer available when using alpha configuration:

  • flush-interval/flush_interval
  • pass-host-header/pass_host_header
  • proxy-websockets/proxy_websockets
  • ssl-upstream-insecure-skip-verify/ssl_upstream_insecure_skip_verify
  • upstream/upstreams
  • pass-basic-auth/pass_basic_auth
  • pass-access-token/pass_access_token
  • pass-user-headers/pass_user_headers
  • pass-authorization-header/pass_authorization_header
  • set-basic-auth/set_basic_auth
  • set-xauthrequest/set_xauthrequest
  • set-authorization-header/set_authorization_header
  • prefer-email-to-user/prefer_email_to_user
  • basic-auth-password/basic_auth_password
  • skip-auth-strip-headers/skip_auth_strip_headers
  • client-id/client_id
  • client-secret/client_secret, and client-secret-file/client_secret_file
  • provider
  • provider-display-name/provider_display_name
  • provider-ca-file/provider_ca_files
  • login-url/login_url
  • redeem-url/redeem_url
  • profile-url/profile_url
  • resource
  • validate-url/validate_url
  • scope
  • prompt
  • approval-prompt/approval_prompt
  • acr-values/acr_values
  • user-id-claim/user_id_claim
  • allowed-group/allowed_groups
  • allowed-role/allowed_roles
  • jwt-key/jwt_key
  • jwt-key-file/jwt_key_file
  • pubjwk-url/pubjwk_url

and all provider-specific options, i.e. any option whose name includes oidc, azure, bitbucket, github, gitlab, google or keycloak. Attempting to use any of these options via flags or via config when --alpha-config is set will result in an error.

important

You must remove these options before starting OAuth2 Proxy with --alpha-config

Configuration Reference

ADFSOptions

(Appears on: Provider)

FieldTypeDescription
skipScopeboolSkip adding the scope parameter in login request
Default value is 'false'

AlphaOptions

AlphaOptions contains alpha structured configuration options. Usage of these options allows users to access alpha features that are not available as part of the primary configuration structure for OAuth2 Proxy.

warning

The options within this structure are considered alpha. They may change between releases without notice.

FieldTypeDescription
upstreamConfigUpstreamConfigUpstreamConfig is used to configure upstream servers.
Once a user is authenticated, requests to the server will be proxied to
these upstream servers based on the path mappings defined in this list.
injectRequestHeaders[]HeaderInjectRequestHeaders is used to configure headers that should be added
to requests to upstream servers.
Headers may source values from either the authenticated user's session
or from a static secret value.
injectResponseHeaders[]HeaderInjectResponseHeaders is used to configure headers that should be added
to responses from the proxy.
This is typically used when using the proxy as an external authentication
provider in conjunction with another proxy such as NGINX and its
auth_request module.
Headers may source values from either the authenticated user's session
or from a static secret value.
serverServerServer is used to configure the HTTP(S) server for the proxy application.
You may choose to run both HTTP and HTTPS servers simultaneously.
This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
To use the secure server you must configure a TLS certificate and key.
metricsServerServerMetricsServer is used to configure the HTTP(S) server for metrics.
You may choose to run both HTTP and HTTPS servers simultaneously.
This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
To use the secure server you must configure a TLS certificate and key.
providersProvidersProviders is used to configure multiple providers.

AzureOptions

(Appears on: Provider)

FieldTypeDescription
tenantstringTenant directs to a tenant-specific or common (tenant-independent) endpoint
Default value is 'common'
graphGroupFieldstringGraphGroupField configures the group field to be used when building the groups list from Microsoft Graph
Default value is 'id'

BitbucketOptions

(Appears on: Provider)

FieldTypeDescription
teamstringTeam sets restrict logins to members of this team
repositorystringRepository sets restrict logins to user with access to this repository

ClaimSource

(Appears on: HeaderValue)

ClaimSource allows loading a header value from a claim within the session

FieldTypeDescription
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

Duration

(string alias)

(Appears on: Upstream)

Duration is as string representation of a period of time. A duration string is a is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

GitHubOptions

(Appears on: Provider)

FieldTypeDescription
orgstringOrg sets restrict logins to members of this organisation
teamstringTeam sets restrict logins to members of this team
repostringRepo sets restrict logins to collaborators of this repository
tokenstringToken is the token to use when verifying repository collaborators
it must have push access to the repository
users[]stringUsers allows users with these usernames to login
even if they do not belong to the specified org and team or collaborators

GitLabOptions

(Appears on: Provider)

FieldTypeDescription
group[]stringGroup sets restrict logins to members of this group
projects[]stringProjects restricts logins to members of any of these projects

GoogleOptions

(Appears on: Provider)

FieldTypeDescription
group[]stringGroups sets restrict logins to members of this google group
adminEmailstringAdminEmail is the google admin to impersonate for api calls
serviceAccountJsonstringServiceAccountJSON is the path to the service account json credentials
useApplicationDefaultCredentialsboolUseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON

(Appears on: AlphaOptions)

Header represents an individual header that will be added to a request or response header.

FieldTypeDescription
namestringName is the header name to be used for this set of values.
Names should be unique within a list of Headers.
preserveRequestValueboolPreserveRequestValue determines whether any values for this header
should be preserved for the request to the upstream server.
This option only applies to injected request headers.
Defaults to false (headers that match this header will be stripped).
values[]HeaderValueValues contains the desired values for this header

HeaderValue

(Appears on: Header)

HeaderValue represents a single header value and the sources that can make up the header value

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.
claimstringClaim is the name of the claim in the session that the value should be
loaded from.
prefixstringPrefix is an optional prefix that will be prepended to the value of the
claim if it is non-empty.
basicAuthPasswordSecretSourceBasicAuthPassword converts this claim into a basic auth header.
Note the value of claim will become the basic auth username and the
basicAuthPassword will be used as the password value.

KeycloakOptions

(Appears on: Provider)

FieldTypeDescription
groups[]stringGroup enables to restrict login to members of indicated group
roles[]stringRole enables to restrict login to users with role (only available when using the keycloak-oidc provider)

LoginGovOptions

(Appears on: Provider)

FieldTypeDescription
jwtKeystringJWTKey is a private key in PEM format used to sign JWT,
jwtKeyFilestringJWTKeyFile is a path to the private key file in PEM format used to sign the JWT
pubjwkURLstringPubJWKURL is the JWK pubkey access endpoint

LoginURLParameter

(Appears on: Provider)

LoginURLParameter is the configuration for a single query parameter that can be passed through from the /oauth2/start endpoint to the IdP login URL. The "default" option specifies the default value or values (if any) that will be passed to the IdP for this parameter, and "allow" is a list of options for ways in which this parameter can be set or overridden via the query string to /oauth2/start. If only a default is specified and no "allow" then the parameter is effectively fixed - the default value will always be used and anything passed to the start URL will be ignored. If only "allow" is specified but no default then the parameter will only be passed on to the IdP if the caller provides it, and no value will be sent otherwise.

Examples:

A parameter whose value is fixed

name: organization
default:
- myorg

A parameter that is not passed by default, but may be set to one of a fixed set of values

name: prompt
allow:
- value: login
- value: consent
- value: select_account

A parameter that is passed by default but may be overridden by one of a fixed set of values

name: prompt
default: ["login"]
allow:
- value: consent
- value: select_account

A parameter that may be overridden, but only by values that match a regular expression. For example to restrict login_hint to email addresses in your organization's domain:

name: login_hint
allow:
- pattern: '^[^@]*@example\.com$'
# this allows at most one "@" sign, and requires "example.com" domain.

Note that the YAML rules around exactly which characters are allowed and/or require escaping in different types of string literals are convoluted. For regular expressions the single quoted form is simplest as backslash is not considered to be an escape character. Alternatively use the "chomped block" format |-:

  - pattern: |-
^[^@]*@example\.com$

The hyphen is important, a | block would have a trailing newline character.

FieldTypeDescription
namestringName specifies the name of the query parameter.
default[]string(Optional) Default specifies a default value or values that will be
passed to the IdP if not overridden.
allow[]URLParameterRule(Optional) Allow specifies rules about how the default (if any) may be
overridden via the query string to /oauth2/start. Only
values that match one or more of the allow rules will be
forwarded to the IdP.

OIDCOptions

(Appears on: Provider)

FieldTypeDescription
issuerURLstringIssuerURL is the OpenID Connect issuer URL
eg: https://accounts.google.com
insecureAllowUnverifiedEmailboolInsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
default set to 'false'
insecureSkipIssuerVerificationboolInsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
default set to 'false'
insecureSkipNonceboolInsecureSkipNonce skips verifying the ID Token's nonce claim that must match
the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
after the initial OAuth redeem & subsequent token refreshes.
default set to 'true'
Warning: In a future release, this will change to 'false' by default for enhanced security.
skipDiscoveryboolSkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
default set to 'false'
jwksURLstringJwksURL is the OpenID Connect JWKS URL
eg: https://www.googleapis.com/oauth2/v3/certs
emailClaimstringEmailClaim indicates which claim contains the user email,
default set to 'email'
groupsClaimstringGroupsClaim indicates which claim contains the user groups
default set to 'groups'
userIDClaimstringUserIDClaim indicates which claim contains the user ID
default set to 'email'
audienceClaims[]stringAudienceClaim allows to define any claim that is verified against the client id
By default aud claim is used for verification.
extraAudiences[]stringExtraAudiences is a list of additional audiences that are allowed
to pass verification in addition to the client id.

Provider

(Appears on: Providers)

Provider holds all configuration for a single provider

FieldTypeDescription
clientIDstringClientID is the OAuth Client ID that is defined in the provider
This value is required for all providers.
clientSecretstringClientSecret is the OAuth Client Secret that is defined in the provider
This value is required for all providers.
clientSecretFilestringClientSecretFile is the name of the file
containing the OAuth Client Secret, it will be used if ClientSecret is not set.
keycloakConfigKeycloakOptionsKeycloakConfig holds all configurations for Keycloak provider.
azureConfigAzureOptionsAzureConfig holds all configurations for Azure provider.
ADFSConfigADFSOptionsADFSConfig holds all configurations for ADFS provider.
bitbucketConfigBitbucketOptionsBitbucketConfig holds all configurations for Bitbucket provider.
githubConfigGitHubOptionsGitHubConfig holds all configurations for GitHubC provider.
gitlabConfigGitLabOptionsGitLabConfig holds all configurations for GitLab provider.
googleConfigGoogleOptionsGoogleConfig holds all configurations for Google provider.
oidcConfigOIDCOptionsOIDCConfig holds all configurations for OIDC provider
or providers utilize OIDC configurations.
loginGovConfigLoginGovOptionsLoginGovConfig holds all configurations for LoginGov provider.
idstringID should be a unique identifier for the provider.
This value is required for all providers.
providerProviderTypeType is the OAuth provider
must be set from the supported providers group,
otherwise 'Google' is set as default
namestringName is the providers display name
if set, it will be shown to the users in the login page.
caFiles[]stringCAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
If not specified, the default Go trust sources are used instead
loginURLstringLoginURL is the authentication endpoint
loginURLParameters[]LoginURLParameterLoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL
redeemURLstringRedeemURL is the token redemption endpoint
profileURLstringProfileURL is the profile access endpoint
resourcestringProtectedResource is the resource that is protected (Azure AD and ADFS only)
validateURLstringValidateURL is the access token validation endpoint
scopestringScope is the OAuth scope specification
allowedGroups[]stringAllowedGroups is a list of restrict logins to members of this group
code_challenge_methodstringThe code challenge method

ProviderType

(string alias)

(Appears on: Provider)

ProviderType is used to enumerate the different provider type options Valid options are: adfs, azure, bitbucket, digitalocean facebook, github, gitlab, google, keycloak, keycloak-oidc, linkedin, login.gov, nextcloud and oidc.

Providers

([]Provider alias)

(Appears on: AlphaOptions)

Providers is a collection of definitions for providers.

SecretSource

(Appears on: ClaimSource, HeaderValue, TLS)

SecretSource references an individual secret value. Only one source within the struct should be defined at any time.

FieldTypeDescription
value[]byteValue expects a base64 encoded string value.
fromEnvstringFromEnv expects the name of an environment variable.
fromFilestringFromFile expects a path to a file containing the secret value.

Server

(Appears on: AlphaOptions)

Server represents the configuration for an HTTP(S) server

FieldTypeDescription
BindAddressstringBindAddress is the address on which to serve traffic.
Leave blank or set to "-" to disable.
SecureBindAddressstringSecureBindAddress is the address on which to serve secure traffic.
Leave blank or set to "-" to disable.
TLSTLSTLS contains the information for loading the certificate and key for the
secure traffic and further configuration for the TLS server.

TLS

(Appears on: Server)

TLS contains the information for loading a TLS certificate and key as well as an optional minimal TLS version that is acceptable.

FieldTypeDescription
KeySecretSourceKey is the TLS key data to use.
Typically this will come from a file.
CertSecretSourceCert is the TLS certificate data to use.
Typically this will come from a file.
MinVersionstringMinVersion is the minimal TLS version that is acceptable.
E.g. Set to "TLS1.3" to select TLS version 1.3
CipherSuites[]stringCipherSuites is a list of TLS cipher suites that are allowed.
E.g.:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
If not specified, the default Go safe cipher list is used.
List of valid cipher suites can be found in the crypto/tls documentation.

URLParameterRule

(Appears on: LoginURLParameter)

URLParameterRule represents a rule by which query parameters passed to the /oauth2/start endpoint are checked to determine whether they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.

FieldTypeDescription
valuestringA Value rule matches just this specific value
patternstringA Pattern rule gives a regular expression that must be matched by
some substring of the value. The expression is not automatically
anchored to the start and end of the value, if you want to restrict
the whole parameter value you must anchor it yourself with ^ and $.

Upstream

(Appears on: UpstreamConfig)

Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.

FieldTypeDescription
idstringID should be a unique identifier for the upstream.
This value is required for all upstreams.
pathstringPath is used to map requests to the upstream server.
The closest match will take precedence and all Paths must be unique.
Path can also take a pattern when used with RewriteTarget.
Path segments can be captured and matched using regular experessions.
Eg:
- ^/foo$: Match only the explicit path /foo
- ^/bar/$: Match any path prefixed with /bar/
- ^/baz/(.*)$: Match any path prefixed with /baz and capture the remaining path for use with RewriteTarget
rewriteTargetstringRewriteTarget allows users to rewrite the request path before it is sent to
the upstream server.
Use the Path to capture segments for reuse within the rewrite target.
Eg: With a Path of ^/baz/(.*), a RewriteTarget of /foo/$1 would rewrite
the request /baz/abc/123 to /foo/abc/123 before proxying to the
upstream server.
uristringThe URI of the upstream server. This may be an HTTP(S) server of a File
based URL. It may include a path, in which case all requests will be served
under that path.
Eg:
- http://localhost:8080
- https://service.localhost
- https://service.localhost/path
- file://host/path
If the URI's path is "/base" and the incoming request was for "/dir",
the upstream request will be for "/base/dir".
insecureSkipTLSVerifyboolInsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
This option is insecure and will allow potential Man-In-The-Middle attacks
betweem OAuth2 Proxy and the usptream server.
Defaults to false.
staticboolStatic will make all requests to this upstream have a static response.
The response will have a body of "Authenticated" and a response code
matching StaticCode.
If StaticCode is not set, the response will return a 200 response.
staticCodeintStaticCode determines the response code for the Static response.
This option can only be used with Static enabled.
flushIntervalDurationFlushInterval is the period between flushing the response buffer when
streaming response from the upstream.
Defaults to 1 second.
passHostHeaderboolPassHostHeader determines whether the request host header should be proxied
to the upstream server.
Defaults to true.
proxyWebSocketsboolProxyWebSockets enables proxying of websockets to upstream servers
Defaults to true.
timeoutDurationTimeout is the maximum duration the server will wait for a response from the upstream server.
Defaults to 30 seconds.

UpstreamConfig

(Appears on: AlphaOptions)

UpstreamConfig is a collection of definitions for upstream servers.

FieldTypeDescription
proxyRawPathboolProxyRawPath will pass the raw url path to upstream allowing for url's
like: "/%2F/" which would otherwise be redirected to "/"
upstreams[]UpstreamUpstreams represents the configuration for the upstream servers.
Requests will be proxied to this upstream if the path matches the request path.