OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The
/oauth2 prefix can be changed with the
--proxy-prefix config variable.
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see robotstxt.org for more info
- /ping - returns a 200 OK response, which is intended for use with health checks
- /metrics - Metrics endpoint for Prometheus to scrape, serve on the address specified by
--metrics-address, disabled by default
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
- /oauth2/sign_out - this URL is used to clear the session cookie
- /oauth2/start - a URL that will redirect to start the OAuth cycle
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
- /oauth2/userinfo - the URL is used to return user's email from the session in JSON format.
- /oauth2/auth - only returns a 202 Accepted response or a 401 Unauthorized response; for use with the Nginx
To sign the user out, redirect them to
/oauth2/sign_out. This endpoint only removes oauth2-proxy's own cookies, i.e. the user is still logged in with the authentication provider and may automatically re-login when accessing the application again. You will also need to redirect the user to the authentication provider's sign out page afterwards using the
rd query parameter, i.e. redirect the user to something like (notice the url-encoding!):
Alternatively, include the redirect URL in the
GET /oauth2/sign_out HTTP/1.1
BEWARE that the domain you want to redirect to (
my-oidc-provider.example.com in the example) must be added to the
--whitelist-domain configuration option otherwise the redirect will be ignored.