Skip to main content
Version: Next

Overview

oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).

To generate a strong cookie secret use one of the below commands:

python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

Config File

Every command line argument can be specified in a config file by replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the config option should be plural (trailing s).

An example oauth2-proxy.cfg config file is in the contrib directory. It can be used by specifying --config=/etc/oauth2-proxy.cfg

Config Options

Command Line Options

FlagDescription
--configpath to config file
--versionprint version string

General Provider Options

Provider specific options can be found on their respective subpages.

Flag / Config FieldTypeDescriptionDefault
flag: --acr-values
toml: acr_values
stringoptional, see docs""
flag: --allowed-group
toml: allowed_groups
string | listRestrict login to members of a group or list of groups. Furthermore, if you aren't setting the scope and use allowed_groups with the generic OIDC provider the scope groups gets added implicitly.
flag: --approval-prompt
toml: approval_prompt
stringOAuth approval_prompt"force"
flag: --backend-logout-url
toml: backend_logout_url
stringURL to perform backend logout, if you use {id_token} in the url it will be replaced by the actual id_token of the user session
flag: --client-id
toml: client_id
stringthe OAuth Client ID, e.g. "123456.apps.googleusercontent.com"
flag: --client-secret-file
toml: client_secret_file
stringthe file with OAuth Client Secret
flag: --client-secret
toml: client_secret
stringthe OAuth Client Secret
flag: --code-challenge-method
toml: code_challenge_method
stringuse PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended)
flag: --insecure-oidc-allow-unverified-email
toml: insecure_oidc_allow_unverified_email
booldon't fail if an email address in an id_token is not verifiedfalse
flag: --insecure-oidc-skip-issuer-verification
toml: insecure_oidc_skip_issuer_verification
boolallow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility)false
flag: --insecure-oidc-skip-nonce
toml: insecure_oidc_skip_nonce
boolskip verifying the OIDC ID Token's nonce claimtrue
flag: --jwt-key-file
toml: jwt_key_file
stringpath to the private key file in PEM format used to sign the JWT so that you can say something like --jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
flag: --jwt-key
toml: jwt_key
stringprivate key in PEM format used to sign JWT, so that you can say something like --jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
flag: --login-url
toml: login_url
stringAuthentication endpoint
flag: --oidc-audience-claim
toml: oidc_audience_claims
stringwhich OIDC claim contains the audience"aud"
flag: --oidc-email-claim
toml: oidc_email_claim
stringwhich OIDC claim contains the user's email"email"
flag: --oidc-extra-audience
toml: oidc_extra_audiences
string | listadditional audiences which are allowed to pass verification"[]"
flag: --oidc-groups-claim
toml: oidc_groups_claim
stringwhich OIDC claim contains the user groups"groups"
flag: --oidc-issuer-url
toml: oidc_issuer_url
stringthe OpenID Connect issuer URL, e.g. "https://accounts.google.com"
flag: --oidc-jwks-url
toml: oidc_jwks_url
stringOIDC JWKS URI for token verification; required if OIDC discovery is disabled
flag: --profile-url
toml: profile_url
stringProfile access endpoint
flag: --prompt
toml: prompt
stringOIDC prompt; if present, approval-prompt is ignored""
flag: --provider-ca-file
toml: provider_ca_files
string | listPaths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.
flag: --provider-display-name
toml: provider_display_name
stringOverride the provider's name with the given string; used for the sign-in page(depends on provider)
flag: --provider
toml: provider
stringOAuth providergoogle
flag: --pubjwk-url
toml: pubjwk_url
stringJWK pubkey access endpoint: required by login.gov
flag: --redeem-url
toml: redeem_url
stringToken redemption endpoint
flag: --scope
toml:scope
stringOAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured.
flag: --skip-claims-from-profile-url
toml: skip_claims_from_profile_url
boolskip request to Profile URL for resolving claims not present in id_tokenfalse
flag: --skip-oidc-discovery
toml: skip_oidc_discovery
boolbypass OIDC endpoint discovery. --login-url, --redeem-url and --oidc-jwks-url must be configured in this casefalse
flag: --use-system-trust-store
toml: use_system_trust_store
boolDetermines if provider-ca-file files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files.false
flag: --validate-url
toml: validate_url
stringAccess token validation endpoint
Flag / Config FieldTypeDescriptionDefault
flag: --cookie-csrf-expire
toml: cookie_csrf_expire
durationexpire timeframe for CSRF cookie15m
flag: --cookie-csrf-per-request
toml:cookie_csrf_per_request
boolEnable having different CSRF cookies per request, making it possible to have parallel requests.false
flag: --cookie-domain
toml: cookie_domains
string | listOptional cookie domains to force cookies to (e.g. .yourcompany.com). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).
flag: --cookie-expire
toml: cookie_expire
durationexpire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed.168h0m0s
flag: --cookie-httponly
toml: cookie_httponly
boolset HttpOnly cookie flagtrue
flag: --cookie-name
toml: cookie_name
stringthe name of the cookie that the oauth_proxy creates. Should be changed to use a cookie prefix (__Host- or __Secure-) if --cookie-secure is set."_oauth2_proxy"
flag: --cookie-path
toml: cookie_path
stringan optional cookie path to force cookies to (e.g. /poc/)"/"
flag: --cookie-refresh
toml: cookie_refresh
durationrefresh the cookie after this duration; 0 to disable; not supported by all providers 1
flag: --cookie-samesite
toml: cookie_samesite
stringset SameSite cookie attribute ("lax", "strict", "none", or "").""
flag: --cookie-secret
toml: cookie_secret
stringthe seed string for secure cookies (optionally base64 encoded)
flag: --cookie-secure
toml: cookie_secure
boolset secure (HTTPS only) cookie flagtrue

Header Options

Flag / Config FieldTypeDescriptionDefault
flag: --basic-auth-password
toml: basic_auth_password
stringthe password to set when passing the HTTP Basic Auth header
flag: --set-xauthrequest
toml: set_xauthrequest
boolset X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with --pass-access-token, X-Auth-Request-Access-Token is added to response headers.false
flag: --set-authorization-header
toml: set_authorization_header
boolset Authorization Bearer response header (useful in Nginx auth_request mode)false
flag: --set-basic-auth
toml: set_basic_auth
boolset HTTP Basic Auth information in response (useful in Nginx auth_request mode)false
flag: --skip-auth-strip-headers
toml: skip_auth_strip_headers
boolstrips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxytrue
flag: --pass-access-token
toml: pass_access_token
boolpass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the responsefalse
flag: --pass-authorization-header
toml: pass_authorization_header
boolpass OIDC IDToken to upstream via Authorization Bearer headerfalse
flag: --pass-basic-auth
toml: pass_basic_auth
boolpass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue
flag: --prefer-email-to-user
toml: prefer_email_to_user
boolPrefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with --pass-basic-auth and --pass-user-headersfalse
flag: --pass-user-headers
toml: pass_user_headers
boolpass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstreamtrue

Logging Options

Flag / Config FieldTypeDescriptionDefault
flag: --auth-logging-format
toml: auth_logging_format
stringTemplate for authentication log linessee Logging Configuration
flag: --auth-logging
toml: auth_logging
boolLog authentication attemptstrue
flag: --errors-to-info-log
toml: errors_to_info_log
boolredirects error-level logging to default log channel instead of stderrfalse
flag: --exclude-logging-path
toml: exclude_logging_paths
stringcomma separated list of paths to exclude from logging, e.g. "/ping,/path2""" (no paths excluded)
flag: --logging-compress
toml: logging_compress
boolShould rotated log files be compressed using gzipfalse
flag: --logging-filename
toml: logging_filename
stringFile to log requests to, empty for stdout"" (stdout)
flag: --logging-local-time
toml: logging_local_time
boolUse local time in log files and backup filenames instead of UTCtrue (local time)
flag: --logging-max-age
toml: logging_max_age
intMaximum number of days to retain old log files7
flag: --logging-max-backups
toml: logging_max_backups
intMaximum number of old log files to retain; 0 to disable0
flag: --logging-max-size
toml: logging_max_size
intMaximum size in megabytes of the log file before rotation100
flag: --request-id-header
toml: request_id_header
stringRequest header to use as the request ID in loggingX-Request-Id
flag: --request-logging-format
toml: request_logging_format
stringTemplate for request log linessee Logging Configuration
flag: --request-logging
toml: request_logging
boolLog requeststrue
flag: --silence-ping-logging
toml: silence_ping_logging
booldisable logging of requests to ping & ready endpointsfalse
flag: --standard-logging-format
toml: standard_logging_format
stringTemplate for standard log linessee Logging Configuration
flag: --standard-logging
toml: standard_logging
boolLog standard runtime informationtrue

Page Template Options

Flag / Config FieldTypeDescriptionDefault
flag: --banner
toml: banner
stringcustom (html) banner string. Use "-" to disable default banner.
flag: --custom-sign-in-logo
toml: custom_sign_in_logo
stringpath or a URL to an custom image for the sign_in page logo. Use "-" to disable default logo.
flag: --custom-templates-dir
toml: custom_templates_dir
stringpath to custom html templates
flag: --display-htpasswd-form
toml: display_htpasswd_form
booldisplay username / password login form if an htpasswd file is providedtrue
flag: --footer
toml: footer
stringcustom (html) footer string. Use "-" to disable default footer.
flag: --show-debug-on-error
toml: show_debug_on_error
boolshow detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)false

Probe Options

Flag / Config FieldTypeDescriptionDefault
flag: --ping-path
toml: ping_path
stringthe ping endpoint that can be used for basic health checks"/ping"
flag: --ping-user-agent
toml: ping_user_agent
stringa User-Agent that can be used for basic health checks"" (don't check user agent)
flag: --ready-path
toml: ready_path
stringthe ready endpoint that can be used for deep health checks"/ready"
flag: --gcp-healthchecks
toml: gcp_healthchecks
boolEnable GCP/GKE healthcheck endpoints (deprecated)false

Proxy Options

Flag / Config FieldTypeDescriptionDefault
flag: --allow-query-semicolons
toml: allow_query_semicolons
boolallow the use of semicolons in query args (required for some legacy applications)false
flag: --api-route
toml: api_routes
string | listreturn HTTP 401 instead of redirecting to authentication server if token is not valid. Format: path_regex
flag: --authenticated-emails-file
toml: authenticated_emails_file
stringauthenticate against emails via file (one per line)
flag: --email-domain
toml: email_domains
string | listauthenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
flag: --encode-state
toml: encode_state
boolencode the state parameter as UrlEncodedBase64false
flag: --extra-jwt-issuers
toml: extra_jwt_issuers
stringif --skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience (see a token's iss, aud fields) pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
flag: --force-https
toml: force_https
boolenforce https redirectfalse
flag: --force-json-errors
toml: force_json_errors
boolforce JSON errors instead of HTTP error pages or redirectsfalse
flag: --htpasswd-file
toml: htpasswd_file
stringadditionally authenticate against a htpasswd file. Entries must be created with htpasswd -B for bcrypt encryption
flag: --htpasswd-user-group
toml: htpasswd_user_groups
string | listthe groups to be set on sessions for htpasswd users
flag: --proxy-prefix
toml: proxy_prefix
stringthe url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)"/oauth2"
flag: --real-client-ip-header
toml: real_client_ip_header
stringHeader used to determine the real IP of the client, requires --reverse-proxy to be set (one of: X-Forwarded-For, X-Real-IP, X-ProxyUser-IP, X-Envoy-External-Address, or CF-Connecting-IP)X-Real-IP
flag: --redirect-url
toml: redirect_url
stringthe OAuth Redirect URL, e.g. "https://internalapp.yourcompany.com/oauth2/callback"
flag: --relative-redirect-url
toml: relative_redirect_url
boolallow relative OAuth Redirect URL.`false
flag: --reverse-proxy
toml: reverse_proxy
boolare we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selectionfalse
flag: --signature-key
toml: signature_key
stringGAP-Signature request signature key (algorithm:secretkey)
flag: --skip-auth-preflight
toml: skip_auth_preflight
boolwill skip authentication for OPTIONS requestsfalse
flag: --skip-auth-regex
toml: skip_auth_regex
string | list(DEPRECATED for --skip-auth-route) bypass authentication for requests paths that match (may be given multiple times)
flag: --skip-auth-route
toml: skip_auth_routes
string | listbypass authentication for requests that match the method & path. Format: method=path_regex OR method!=path_regex. For all methods: path_regex OR !=path_regex
flag: --skip-jwt-bearer-tokens
toml: skip_jwt_bearer_tokens
boolwill skip requests that have verified JWT bearer tokens (the token must have aud that matches this client id or one of the extras from extra-jwt-issuers)false
flag: --skip-provider-button
toml: skip_provider_button
boolwill skip sign-in-page to directly reach the next step: oauth/startfalse
flag: --ssl-insecure-skip-verify
toml: ssl_insecure_skip_verify
boolskip validation of certificates presented when using HTTPS providersfalse
flag: --trusted-ip
toml: trusted_ips
boolencode the state parameter as UrlEncodedBase64false
flag: --whitelist-domain
toml: whitelist_domains
string | listallowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains (e.g. .example.com, *.example.com2

Server Options

Flag / Config FieldTypeDescriptionDefault
flag: --http-address
toml: http_address
string[http://]<addr>:<port> or unix://<path> or fd:<int> (case insensitive) to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. http://[::1]:4180"127.0.0.1:4180"
flag: --https-address
toml: https_address
string[https://]<addr>:<port> to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. https://[::1]:443":443"
flag: --metrics-address
toml: metrics_address
stringthe address prometheus metrics will be scraped from""
flag: --metrics-secure-address
toml: metrics_secure_address
stringthe address prometheus metrics will be scraped from if using HTTPS""
flag: --metrics-tls-cert-file
toml: metrics_tls_cert_file
stringpath to certificate file for secure metrics server""
flag: --metrics-tls-key-file
toml: metrics_tls_key_file
stringpath to private key file for secure metrics server""
flag: --tls-cert-file
toml: tls_cert_file
stringpath to certificate file
flag: --tls-key-file
toml: tls_key_file
stringpath to private key file
flag: --tls-cipher-suite
toml: tls_cipher_suites
string | listRestricts TLS cipher suites used by server to those listed (e.g. TLS_RSA_WITH_RC4_128_SHA) (may be given multiple times). If not specified, the default Go safe cipher list is used. List of valid cipher suites can be found in the crypto/tls documentation.
flag: --tls-min-version
toml: tls_min_version
stringminimum TLS version that is acceptable, either "TLS1.2" or "TLS1.3""TLS1.2"

Session Options

Flag / Config FieldTypeDescriptionDefault
flag: --session-cookie-minimal
toml: session_cookie_minimal
boolstrip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)false
flag: --session-store-type
toml: session_store_type
stringSession data storage backend; redis or cookiecookie
flag: --redis-cluster-connection-urls
toml: redis_cluster_connection_urls
string | listList of Redis cluster connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster
flag: --redis-connection-url
toml: redis_connection_url
stringURL of redis server for redis session storage (e.g. redis://HOST[:PORT])
flag: --redis-insecure-skip-tls-verify
toml: redis_insecure_skip_tls_verify
boolskip TLS verification when connecting to Redisfalse
flag: --redis-password
toml: redis_password
stringRedis password. Applicable for all Redis configurations. Will override any password set in --redis-connection-url
flag: --redis-sentinel-password
toml: redis_sentinel_password
stringRedis sentinel password. Used only for sentinel connection; any redis node passwords need to use --redis-password
flag: --redis-sentinel-master-name
toml: redis_sentinel_master_name
stringRedis sentinel master name. Used in conjunction with --redis-use-sentinel
flag: --redis-sentinel-connection-urls
toml: redis_sentinel_connection_urls
string | listList of Redis sentinel connection URLs (e.g. redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel
flag: --redis-use-cluster
toml: redis_use_cluster
boolConnect to redis cluster. Must set --redis-cluster-connection-urls to use this featurefalse
flag: --redis-use-sentinel
toml: redis_use_sentinel
boolConnect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this featurefalse
flag: --redis-connection-idle-timeout
toml: redis_connection_idle_timeout
intRedis connection idle timeout seconds. If Redis timeout option is set to non-zero, the --redis-connection-idle-timeout must be less than Redis timeout option. Example: if either redis.conf includes timeout 15 or using CONFIG SET timeout 15 the --redis-connection-idle-timeout must be at least --redis-connection-idle-timeout=140

Upstream Options

Flag / Config FieldTypeDescriptionDefault
flag: --flush-interval
toml: flush_interval
durationperiod between flushing response buffers when streaming responses"1s"
flag: --pass-host-header
toml: pass_host_header
boolpass the request Host Header to upstreamtrue
flag: --proxy-websockets
toml: proxy_websockets
boolenables WebSocket proxyingtrue
flag: --ssl-upstream-insecure-skip-verify
toml: ssl_upstream_insecure_skip_verify
boolskip validation of certificates presented when using HTTPS upstreamsfalse
flag: --upstream-timeout
toml: upstream_timeout
durationmaximum amount of time the server will wait for a response from the upstream30s
flag: --upstream
toml: upstreams
string | listthe http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path

Upstreams Configuration

oauth2-proxy supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers, unix socket or serve static files from the file system.

To configure HTTP and HTTPS upstreams, provide such a URL in --upstream=URL. The scheme+host portion and the path portion are extracted to configure proxying behavior. When processing incoming requests, the path portion becomes a lookup key for selecting the destination server of the proxied request.

  • Upstream URLs without a trailing slash, like in --upstream=http://service2.internal/foo, will match an incoming request exactly to /foo in https://this.o2p.example.com/foo, and forward the request on to service2.internal, but not match a request to https://this.o2p.example.com/foo/more nor ....com/food.
  • Upstream URLs with a trailing slash, like in --upstream=http://service1.internal/foo/, will match any incoming request to any incoming requests's path starting with /foo/, like /foo/ and /foo/more and /foo/lots/more?etc.

If multiple --upstream URLs' paths match an incoming request, the one with the longest matching path (the most specific match) takes priority over shorter (less specific) ones.

Unix socket upstreams are configured as unix:///path/to/unix.sock.

Static file paths are configured as a file:// URL. file:///var/www/static/ will serve the files from that directory at http://[oauth2-proxy url]/var/www/static/, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. file:///var/www/static/#/static/ will make /var/www/static/ available at http://[oauth2-proxy url]/static/.

Multiple upstreams can either be configured by supplying a comma separated list to the --upstream parameter, supplying the parameter multiple times or providing a list in the config file. When multiple upstreams are used routing to them will be based on the path they are set up with.

Environment variables

Every command line argument can be specified as an environment variable by prefixing it with OAUTH2_PROXY_, capitalising it, and replacing hyphens (-) with underscores (_). If the argument can be specified multiple times, the environment variable should be plural (trailing S).

This is particularly useful for storing secrets outside a configuration file or the command line.

For example, the --cookie-secret flag becomes OAUTH2_PROXY_COOKIE_SECRET. If a flag has the type string | list like the --email-domain flag it is available as an environment variable in plural form e.g. OAUTH2_PROXY_EMAIL_DOMAINS

Values for type string | list usually have a plural environment variable name and need to be seperated by , e.g. OAUTH2_PROXY_SKIP_AUTH_ROUTES="GET=^/api/status,POST=^/api/saved_objects/_import"

Please check the type for each config option first.

Logging Configuration

By default, OAuth2 Proxy logs all output to stdout. Logging can be configured to output to a rotating log file using the --logging-filename command.

If logging to a file you can also configure the maximum file size (--logging-max-size), age (--logging-max-age), max backup logs (--logging-max-backups), and if backup logs should be compressed (--logging-compress).

There are three different types of logging: standard, authentication, and HTTP requests. These can each be enabled or disabled with --standard-logging, --auth-logging, and --request-logging.

Each type of logging has its own configurable format and variables. By default, these formats are similar to the Apache Combined Log.

Logging of requests to the /ping endpoint (or using --ping-user-agent) and the /ready endpoint can be disabled with --silence-ping-logging reducing log volume.

Auth Log Format

Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:

<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [2015/03/19 17:20:19] [<STATUS>] <MESSAGE>

The status block will contain one of the below strings:

  • AuthSuccess If a user has authenticated successfully by any method
  • AuthFailure If the user failed to authenticate explicitly
  • AuthError If there was an unexpected error during authentication

If you require a different format than that, you can configure it with the --auth-logging-format flag. The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}

Available variables for auth logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
MessageAuthenticated via OAuth2The details of the auth attempt.
ProtocolHTTP/1.0The request protocol.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
Timestamp2015/03/19 17:20:19The date and time of the logging event.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.
StatusAuthSuccessThe status of the auth request. See above for details.

Request Log Format

HTTP request logs will output by default in the below format:

<REMOTE_ADDRESS> - <REQUEST ID> - <user@domain.com> [2015/03/19 17:20:19] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>

If you require a different format than that, you can configure it with the --request-logging-format flag. The default format is configured as follows:

{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}

Available variables for request logging:

VariableExampleDescription
Client74.125.224.72The client/remote IP address. Will use the X-Real-IP header it if exists & reverse-proxy is set to true.
Hostdomain.comThe value of the Host header.
ProtocolHTTP/1.0The request protocol.
RequestDuration0.001The time in seconds that a request took to process.
RequestID00010203-0405-4607-8809-0a0b0c0d0e0fThe request ID pulled from the --request-id-header. Random UUID if empty
RequestMethodGETThe request method.
RequestURI"/oauth2/auth"The URI path of the request.
ResponseSize12The size in bytes of the response.
StatusCode200The HTTP status code of the response.
Timestamp2015/03/19 17:20:19The date and time of the logging event.
Upstream-The upstream data of the HTTP request.
UserAgent-The full user agent as reported by the requesting client.
Usernameusername@email.comThe email or username of the auth request.

Standard Log Format

All other logging that is not covered by the above two types of logging will be output in this standard logging format. This includes configuration information at startup and errors that occur outside of a session. The default format is below:

[2015/03/19 17:20:19] [main.go:40] <MESSAGE>

If you require a different format than that, you can configure it with the --standard-logging-format flag. The default format is configured as follows:

[{{.Timestamp}}] [{{.File}}] {{.Message}}

Available variables for standard logging:

VariableExampleDescription
Timestamp2015/03/19 17:20:19The date and time of the logging event.
Filemain.go:40The file and line number of the logging statement.
MessageHTTP: listening on 127.0.0.1:4180The details of the log statement.

Footnotes

  1. The following providers support --cookie-refresh: ADFS, Azure, GitLab, Google, Keycloak and all other Identity Providers which support the full OIDC specification

  2. When using the whitelist-domain option, any domain prefixed with a . or a *. will allow any subdomain of the specified domain as a valid redirect URL. By default, only empty ports are allowed. This translates to allowing the default port of the URL's protocol (80 for HTTP, 443 for HTTPS, etc.) since browsers omit them. To allow only a specific port, add it to the whitelisted domain: example.com:8080. To allow any port, use *: example.com:*.