oauth2-proxy
Dynamic OIDC issuer based on subdomain
Hi, first of all, thanks for this great project!
I'm writing this issue as a question. We develop multi-tenant solutions and provide them to multiple customers. To secure our services we would like to use the oauth2 proxy.
The authentication of the tenants will be implemented using Keycloak (keycloak-oidc). Each tenant gets its own realm in the Keycloak instance. The users of the tenants should access our platform with a subdomain (tenant1.app.com, tenant2.app.com). In order to be able to use the oauth2 proxy, it should be possible to forward the users to the correct realm based on the tenant identifier in the subdomain.
tenant1.app.com -> keycloak.app.com/realms/tenant1
tenant2.app.com -> keycloak.app.com/realms/tenant2
{tenant-id}.app.com -> keycloak.app.com/realms/{tenant-id}
Is this possible with the oauth2 proxy?
PS: We would prefer a dynamic configuration. That is, that an instance of the oauth2 proxy dynamically redirects users to the correct realm based on the subdomain. We do not want to implement multiple instances of the oauth2 proxy for each subdomain, each with the necessary configuration.
Thanks again
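The host-to-realm mapping asked for above, as an added illustration that is not oauth2-proxy code and not part of the original issue: a small Go resolver that derives the Keycloak issuer from the request Host header. It sits in a component outside the proxy, and the base domain, Keycloak URL and tenant allow-list are assumed values taken from the issue's example hosts. The point of the validation is that the Host header is attacker-controlled, so only an exact, allow-listed single label under the base domain may select a realm; ports, mixed case, nested labels and look-alike suffixes are all handled.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// TenantResolver maps a request Host header to a per-tenant Keycloak issuer.
// Hypothetical type for this example; oauth2-proxy has no such component.
type TenantResolver struct {
	BaseDomain   string              // e.g. "app.com" (assumed from the issue's hosts)
	KeycloakBase string              // e.g. "https://keycloak.app.com" (assumed)
	Tenants      map[string]struct{} // allow-list of realms actually provisioned
}

// tenantLabel accepts exactly one DNS label: lowercase alphanumerics and
// hyphens, 1-63 characters, not starting or ending with a hyphen.
var tenantLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

var ErrUnknownTenant = errors.New("unknown tenant")

// IssuerForHost returns "<KeycloakBase>/realms/<tenant>" for a Host of the
// form "<tenant>.<BaseDomain>", or an error. Anything other than one
// allow-listed label directly under BaseDomain is rejected, so a crafted
// Host header cannot steer a login to an arbitrary realm or issuer.
func (r *TenantResolver) IssuerForHost(hostHeader string) (string, error) {
	host := strings.ToLower(strings.TrimSpace(hostHeader))
	// Host may carry an explicit port; SplitHostPort fails when it does not.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	suffix := "." + strings.ToLower(r.BaseDomain)
	if !strings.HasSuffix(host, suffix) {
		// Also catches look-alikes such as "tenant1.app.com.attacker.net".
		return "", fmt.Errorf("host %q is not under %s", host, r.BaseDomain)
	}
	tenant := strings.TrimSuffix(host, suffix)
	if !tenantLabel.MatchString(tenant) {
		// Empty, nested ("x.tenant1") and malformed labels all fail here.
		return "", fmt.Errorf("invalid tenant label %q", tenant)
	}
	if _, ok := r.Tenants[tenant]; !ok {
		return "", fmt.Errorf("%w: %s", ErrUnknownTenant, tenant)
	}
	return fmt.Sprintf("%s/realms/%s", r.KeycloakBase, tenant), nil
}

// DiscoveryURL is where the resolver would fetch (and cache, once per
// tenant) the OIDC metadata for the selected issuer.
func DiscoveryURL(issuer string) string {
	return strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration"
}

func main() {
	r := &TenantResolver{
		BaseDomain:   "app.com",
		KeycloakBase: "https://keycloak.app.com",
		Tenants:      map[string]struct{}{"tenant1": {}, "tenant2": {}},
	}
	// Constructed sample Host headers: two valid, three that must be refused.
	for _, h := range []string{
		"tenant1.app.com", "Tenant2.app.com:443",
		"evil.app.com", "x.tenant1.app.com", "tenant1.app.com.attacker.net",
	} {
		iss, err := r.IssuerForHost(h)
		if err != nil {
			fmt.Printf("%-30s -> rejected: %v\n", h, err)
			continue
		}
		fmt.Printf("%-30s -> %s (%s)\n", h, iss, DiscoveryURL(iss))
	}
}
```

The allow-list is the important part: deriving the realm purely from the label would let any unprovisioned name become a "tenant", and the issuer then selects which discovery document and signing keys are trusted.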
At the moment this isn't possible and isn't something on our minds to implement; for the most part, we recommend setting up an OAuth2 Proxy per domain you'd like to host.
In the future we are looking at having multiple provider support; this may become possible as a part of that, though I'd expect the decision making to be achieved somewhere outside of OAuth2 Proxy, and features such as whitelist domains, upstreams etc. will be global.
Thank you very much for the answer. Is there a timeframe by when this might be available? A rough estimate (possibly by the end of the year) would suffice.
I can't give a timeline at the moment. This project is run by volunteers in their spare time, and we are all struggling to find significant periods of time to work on the project at the moment. I believe a PR is being worked on by a community member, but it will need review from myself and others as it will be a fairly significant change.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.