Google (default)
Config Options
Flag | Toml Field | Type | Description | Default |
---|---|---|---|---|
--google-admin-email | google_admin_email | string | the google admin to impersonate for api calls | |
--google-group | google_groups | string | restrict logins to members of this google group (may be given multiple times). | |
--google-service-account-json | google_service_account_json | string | the path to the service account json credentials | |
--google-use-application-default-credentials | google_use_application_default_credentials | bool | use application default credentials instead of service account json (i.e. GKE Workload Identity) | |
--google-target-principal | google_target_principal | bool | the target principal to impersonate when using ADC | defaults to the service account configured for ADC |
Usage
For Google, the registration steps are:
- Create a new project: https://console.developers.google.com/project
- Choose the new project from the top right project dropdown (only if another project is selected)
- In the project Dashboard center pane, choose "APIs & Services"
- In the left Nav pane, choose "Credentials"
- In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
- In the center pane, choose "Credentials" tab.
- Open the "New credentials" drop down
- Choose "OAuth client ID"
- Choose "Web application"
- Application name is freeform, choose something appropriate
- Authorized JavaScript origins is your domain, e.g. https://internal.yourcompany.com
- Authorized redirect URIs is the location of oauth2/callback, e.g. https://internal.yourcompany.com/oauth2/callback
- Choose "Create"
- Take note of the Client ID and Client Secret
It's recommended to refresh sessions on a short interval (1h) with the `--cookie-refresh` setting, which re-validates that the account is still authorized.
Restrict auth to specific Google groups on your domain (optional):
1. Create a service account and configure it to use Application Default Credentials / Workload Identity / Workload Identity Federation (recommended) or, alternatively, download the JSON.
2. Make note of the Client ID for a future step.
3. Under "APIs & Auth", choose APIs.
4. Click on Admin SDK and then Enable API.
5. Follow the steps on https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account and give the Client ID from step 2 the following OAuth scopes:
   - https://www.googleapis.com/auth/admin.directory.group.readonly
   - https://www.googleapis.com/auth/admin.directory.user.readonly
6. Follow the steps on https://support.google.com/a/answer/60757 to enable Admin API access.
7. Create or choose an existing administrative email address on the Gmail domain to assign to the `google-admin-email` flag. This email will be impersonated by this client to make calls to the Admin SDK. See the note on the link from step 5 for the reason why.
8. Create or choose an existing email group and set that email to the `google-group` flag. You can pass multiple instances of this flag with different groups and the user will be checked against all the provided groups.
9. (Only if using a JSON file, see step 1) Lock down the permissions on the JSON file downloaded in step 1 so only oauth2-proxy is able to read the file, and set the path to the file in the `google-service-account-json` flag.
10. Restart oauth2-proxy.
Note: The user is checked against the group members list on initial authentication and every time the token is refreshed (about once an hour).
Using Application Default Credentials (ADC) / Workload Identity / Workload Identity Federation (recommended)
oauth2-proxy can make use of Application Default Credentials. When deployed within GCP, this means that it can automatically use the service account attached to the resource. When deployed to GKE, ADC can be leveraged through a feature called Workload Identity. Follow Google's guide to set up Workload Identity.
When deployed outside of GCP, Workload Identity Federation might be an option.
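As an added example (not taken from the oauth2-proxy documentation or source), the following config.toml wires the fields from the table above together for group-restricted Google logins with hourly re-validation; every hostname, address, email, path and secret in it is a placeholder to replace with your own values.

```toml
# Added example config for oauth2-proxy with the Google provider.
# All *.yourcompany.com / *.iam.gserviceaccount.com values, paths and
# secrets are placeholders, not real identifiers.

provider = "google"
client_id = "REPLACE-WITH-CLIENT-ID.apps.googleusercontent.com"
client_secret = "REPLACE-WITH-CLIENT-SECRET"
redirect_url = "https://internal.yourcompany.com/oauth2/callback"

# 16, 24 or 32 random bytes (base64 allowed); never reuse across deployments.
cookie_secret = "REPLACE-WITH-RANDOM-COOKIE-SECRET"

# Re-check that the account is still authorized (including group
# membership) every hour, as recommended above.
cookie_refresh = "1h"

# The domain allow-list is still enforced; group membership is checked on top.
email_domains = ["yourcompany.com"]

# Admin account the service account impersonates for Admin SDK calls (step 7).
google_admin_email = "oauth2-proxy-admin@yourcompany.com"

# Only members of these groups may log in. The --google-group flag may be
# repeated, so the TOML field takes a list (step 8).
google_groups = [
  "engineering@yourcompany.com",
  "oncall@yourcompany.com",
]

# Option A (recommended): Application Default Credentials / Workload Identity,
# so no key file has to be stored on disk.
google_use_application_default_credentials = true

# Option B: a downloaded service-account key file (step 9). Use only one of
# A or B. If you use B, restrict the file to the oauth2-proxy user, e.g.
# chmod 0600, and keep it out of images and version control.
# google_service_account_json = "/etc/oauth2-proxy/google-sa.json"

upstreams = ["http://127.0.0.1:8080/"]
http_address = "0.0.0.0:4180"
```

Start with `oauth2-proxy --config=/etc/oauth2-proxy/config.toml`; a user outside both groups is rejected at login, and a user removed from a group loses access at the next hourly refresh rather than immediately.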