
All users are authenticated, regardless of setting in authenticated

Open svanschalkwyk opened this issue 6 years ago • 10 comments

All users are authenticated and passed upstream. I have no email-domains set, and one user in my authenticated_emails_file. What am I doing wrong?

```
cookie-domain = "remcam.net"
http_address = "127.0.0.1:4180"
upstreams = ["https://127.0.0.1:8090/"]
email-domains = [""]
cookie-secure = true
cookie_secret = "secretsecret"
redirect_url = "https://search.remcam.net/oauth2/callback"
provider = "google"
client_id = "______________.apps.googleusercontent.com"
client_secret = "____________"
```

The `emails` file contains one user: [email protected].

svanschalkwyk avatar Aug 08 '17 04:08 svanschalkwyk

I've tried using google-groups with authenticated-emails-file = "emails_file" and email-domain = "" and all users are still validated.

svanschalkwyk avatar Aug 08 '17 18:08 svanschalkwyk

I am using these cmd line settings:

    -email-domain=remcam.net
    -cookie-secure=true
    -cookie-domain=remcam.net
    -cookie-expire=24h
    -authenticated-emails-file="emails"

Still validating every user. I have a cookie remover which removes all cookies for the site, so that can't be the problem. Anybody have any idea? PS. The email-domain setting isn't read correctly from the config file. Only the CLI is not throwing an exception.

svanschalkwyk avatar Aug 08 '17 19:08 svanschalkwyk

Someone please tell me where I'm screwing up. Config:

```
-http_address  "127.0.0.1:4180"
-upstreams   [ "https://127.0.0.1:8090/" ]
-cookie_secret "secretsecret"
-client_id "_________.apps.googleusercontent.com"
-client_secret  "____________"
-redirect_url "https://127.0.0.1/oauth2/callback"
-provider=google
-email-domain=remcam.net
-cookie-secure=true
-cookie-domain=search.remcam.net
-cookie-expire=24h
-authenticated-emails-file=/somewhere/emails
```

Would really appreciate it.

svanschalkwyk avatar Aug 08 '17 20:08 svanschalkwyk

I've gone to using /auth which works. Nagging suspicion that my nginx config may be to blame. Haven't fully examined what is returned to /oauth2/callback. If anybody could shed some light on this it would be much appreciated. I feel I should have had a test for a 403 somewhere before proxying to the upstream. Thank you for a lovely product. Saved me lots of pain.

svanschalkwyk avatar Aug 09 '17 03:08 svanschalkwyk

@svanschalkwyk , I have used this successfully... you need to have a valid location block in your nginx config to handle the oauth2 calls. You also need to be using the proper nginx http_auth module (I think that's it ?) and then I have valid domains filtered and set up in oauth. GCE oauth2 creds. Configured redirect URL in GCE as well.

Does that help ?

soudaburger avatar Oct 05 '17 18:10 soudaburger
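The nginx wiring John describes (and the "test for a 403 before proxying" the earlier comment asks for), written out as an added example that is not part of this thread or of the oauth2_proxy project's own docs. It assumes oauth2_proxy listening on 127.0.0.1:4180 and the upstream on 127.0.0.1:8090 (both from the posted config), that oauth2_proxy's /oauth2/auth endpoint answers 202 for an allowed session and 401 otherwise, and that nginx was built with the http_auth_request module.

```nginx
server {
    listen 443 ssl;
    server_name search.remcam.net;   # hostname taken from the posted redirect_url

    # Everything under /oauth2/ (start, callback, sign_in) is handled by
    # oauth2_proxy itself and never reaches the upstream.
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target for auth_request: oauth2_proxy checks the session
    # cookie and applies the email-domain / authenticated-emails-file rules.
    # "internal" keeps clients from calling the check endpoint directly.
    location = /oauth2/auth {
        internal;
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme  $scheme;
        # nginx forwards headers but no body on auth subrequests.
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # This is the missing gate: without auth_request, nginx hands every
    # request to the upstream no matter what oauth2_proxy decided.
    # auth_request denies the request on a 401 or 403 from the subrequest.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;   # no session -> send to login
        proxy_pass https://127.0.0.1:8090/;
        proxy_set_header Host $host;
    }
}
```

With this layout only oauth2_proxy's allow decision reaches the upstream; a user who completes the Google login but is not in the emails file is still stopped at the auth_request step.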

Thank you John. It does help. I configured nginx to redirect to oauth2proxy from 433/ and then added a block (with upstream) for the callback from google. I'm not redirecting to local from oauth2proxy, only from the callback block in nginx. It seems to be working fine that way. Is there a better way?

svanschalkwyk avatar Oct 05 '17 18:10 svanschalkwyk

@svanschalkwyk , can you paste your nginx config here? or into a github gist? I'm sure I can provide you an answer, but definitely helps to see it before I can confirm.

soudaburger avatar Oct 05 '17 18:10 soudaburger

John, any idea how I can get this to you privately? S

svanschalkwyk avatar Oct 05 '17 18:10 svanschalkwyk

I sent it to you on LinkedIn.

svanschalkwyk avatar Oct 05 '17 19:10 svanschalkwyk

Can someone confirm that you can use the google-group=user@domain AND the --authenticated-email-file together to provide valid authorization? I am finding that users in the Google Group are authenticated but users in the --authenticated-email-file are NOT unless they are also in the Google Group (effectively a no-op). I do see in the log where it read the file for validation use.

    2018/11/01 17:10:00 validator.go:23: using authenticated emails file /auth-emails/authenticated.emails

sellers avatar Nov 02 '18 13:11 sellers