Skip to main content
Version: 7.7.x

Google (default)

Config Options

FlagToml FieldTypeDescriptionDefault
--google-admin-emailgoogle_admin_emailstringthe google admin to impersonate for api calls
--google-groupgoogle_groupsstringrestrict logins to members of this google group (may be given multiple times).
--google-service-account-jsongoogle_service_account_jsonstringthe path to the service account json credentials
--google-use-application-default-credentialsgoogle_use_application_default_credentialsbooluse application default credentials instead of service account json (i.e. GKE Workload Identity)
--google-target-principalgoogle_target_principalboolthe target principal to impersonate when using ADCdefaults to the service account configured for ADC

Usage

For Google, the registration steps are:

  1. Create a new project: https://console.developers.google.com/project
  2. Choose the new project from the top right project dropdown (only if another project is selected)
  3. In the project Dashboard center pane, choose "APIs & Services"
  4. In the left Nav pane, choose "Credentials"
  5. In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
  6. In the center pane, choose "Credentials" tab.
    • Open the "New credentials" drop down
    • Choose "OAuth client ID"
    • Choose "Web application"
    • Application name is freeform, choose something appropriate
    • Authorized JavaScript origins is your domain ex: https://internal.yourcompany.com
    • Authorized redirect URIs is the location of oauth2/callback ex: https://internal.yourcompany.com/oauth2/callback
    • Choose "Create"
  7. Take note of the Client ID and Client Secret

It's recommended to refresh sessions on a short interval (1h) with cookie-refresh setting which validates that the account is still authorized.

Restrict auth to specific Google groups on your domain. (optional)

  1. Create a service account and configure it to use Application Default Credentials / Workload Identity / Workload Identity Federation (recommended) or, alternatively download the JSON.

  2. Make note of the Client ID for a future step.

  3. Under "APIs & Auth", choose APIs.

  4. Click on Admin SDK and then Enable API.

  5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account and give the client id from step 2 the following oauth scopes:

    https://www.googleapis.com/auth/admin.directory.group.readonly
    https://www.googleapis.com/auth/admin.directory.user.readonly
  6. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access.

  7. Create or choose an existing administrative email address on the Gmail domain to assign to the google-admin-email flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from step 5 for the reason why.

  8. Create or choose an existing email group and set that email to the google-group flag. You can pass multiple instances of this flag with different groups and the user will be checked against all the provided groups.

(Only if using a JSON file (see step 1))

  1. Lock down the permissions on the json file downloaded from step 1 so only oauth2-proxy is able to read the file and set the path to the file in the google-service-account-json flag.
  2. Restart oauth2-proxy.

Note: The user is checked against the group members list on initial authentication and every time the token is refreshed ( about once an hour ).

oauth2-proxy can make use of Application Default Credentials. When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC can be leveraged through a feature called Workload Identity. Follow Google's guide to set up Workload Identity.

When deployed outside of GCP, Workload Identity Federation might be an option.