Documentation
Index
- Constants
- Variables
- func Load(configFileName string, flagSet *pflag.FlagSet, into interface{}) error
- func LoadYAML(configFileName string, into interface{}) error
- func NewFlagSet() *pflag.FlagSet
- func NewLegacyFlagSet() *pflag.FlagSet
- type ADFSOptions
- type AlphaOptions
- type AzureOptions
- type BitbucketOptions
- type ClaimSource
- type Cookie
- type CookieStoreOptions
- type Duration
- type GitHubOptions
- type GitLabOptions
- type GoogleOptions
- type Header
- type HeaderValue
- type KeycloakOptions
- type LegacyHeaders
- type LegacyOptions
- type LegacyProvider
- type LegacyServer
- type LegacyUpstreams
- type LogFileOptions
- type Logging
- type LoginGovOptions
- type LoginURLParameter
- type OIDCOptions
- type Options
- func (o *Options) GetJWTBearerVerifiers() []internaloidc.IDTokenVerifier
- func (o *Options) GetOIDCVerifier() internaloidc.IDTokenVerifier
- func (o *Options) GetRealClientIPParser() ipapi.RealClientIPParser
- func (o *Options) GetRedirectURL() *url.URL
- func (o *Options) GetSignatureData() *SignatureData
- func (o *Options) SetJWTBearerVerifiers(s []internaloidc.IDTokenVerifier)
- func (o *Options) SetOIDCVerifier(s internaloidc.IDTokenVerifier)
- func (o *Options) SetRealClientIPParser(s ipapi.RealClientIPParser)
- func (o *Options) SetRedirectURL(s *url.URL)
- func (o *Options) SetSignatureData(s *SignatureData)
- type Provider
- type ProviderType
- type Providers
- type RedisStoreOptions
- type SecretSource
- type Server
- type SessionOptions
- type SignatureData
- type TLS
- type Templates
- type URLParameterRule
- type Upstream
- type UpstreamConfig
Constants

```go
const (
	// OIDCEmailClaim is the generic email claim used by the OIDC provider.
	OIDCEmailClaim = "email"
	// OIDCGroupsClaim is the generic groups claim used by the OIDC provider.
	OIDCGroupsClaim = "groups"
)
```

```go
const (
	// DefaultUpstreamFlushInterval is the default value for the Upstream FlushInterval.
	DefaultUpstreamFlushInterval = 1 * time.Second
	// DefaultUpstreamTimeout is the maximum duration a network dial to an upstream server waits for a response.
	DefaultUpstreamTimeout = 30 * time.Second
)
```
Variables

```go
var CookieSessionStoreType = "cookie"
```

CookieSessionStoreType is used to indicate the CookieSessionStore should be used for storing sessions.

```go
var OIDCAudienceClaims = []string{"aud"}
```

OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.

```go
var RedisSessionStoreType = "redis"
```

RedisSessionStoreType is used to indicate the RedisSessionStore should be used for storing sessions.
Functions

func Load

```go
func Load(configFileName string, flagSet *pflag.FlagSet, into interface{}) error
```

Load reads in the config file at the path given, then merges in environment variables (prefixed with `OAUTH2_PROXY`) and finally merges in flags from the flagSet. If a config value is unset and the flag has a non-zero default value, this default will be used. E.g. a field defined as:

```go
FooBar `cfg:"foo_bar" flag:"foo-bar"`
```

can be set in the config file as `foo_bar="baz"`, in the environment as `OAUTH2_PROXY_FOO_BAR=baz`, or via the command line flag `--foo-bar=baz`.

func LoadYAML

```go
func LoadYAML(configFileName string, into interface{}) error
```

LoadYAML will load a YAML based configuration file into the options interface provided.

func NewFlagSet

```go
func NewFlagSet() *pflag.FlagSet
```

NewFlagSet creates a new FlagSet with all of the flags required by Options.

func NewLegacyFlagSet

```go
func NewLegacyFlagSet() *pflag.FlagSet
```

Types
type ADFSOptions

```go
type ADFSOptions struct {
	// Skip adding the scope parameter in login request
	// Default value is 'false'
	SkipScope bool `json:"skipScope,omitempty"`
}
```
type AlphaOptions

```go
type AlphaOptions struct {
	// UpstreamConfig is used to configure upstream servers.
	// Once a user is authenticated, requests to the server will be proxied to
	// these upstream servers based on the path mappings defined in this list.
	UpstreamConfig UpstreamConfig `json:"upstreamConfig,omitempty"`

	// InjectRequestHeaders is used to configure headers that should be added
	// to requests to upstream servers.
	// Headers may source values from either the authenticated user's session
	// or from a static secret value.
	InjectRequestHeaders []Header `json:"injectRequestHeaders,omitempty"`

	// InjectResponseHeaders is used to configure headers that should be added
	// to responses from the proxy.
	// This is typically used when using the proxy as an external authentication
	// provider in conjunction with another proxy such as NGINX and its
	// auth_request module.
	// Headers may source values from either the authenticated user's session
	// or from a static secret value.
	InjectResponseHeaders []Header `json:"injectResponseHeaders,omitempty"`

	// Server is used to configure the HTTP(S) server for the proxy application.
	// You may choose to run both HTTP and HTTPS servers simultaneously.
	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
	// To use the secure server you must configure a TLS certificate and key.
	Server Server `json:"server,omitempty"`

	// MetricsServer is used to configure the HTTP(S) server for metrics.
	// You may choose to run both HTTP and HTTPS servers simultaneously.
	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
	// To use the secure server you must configure a TLS certificate and key.
	MetricsServer Server `json:"metricsServer,omitempty"`

	// Providers is used to configure multiple providers.
	Providers Providers `json:"providers,omitempty"`
}
```

AlphaOptions contains alpha structured configuration options. Usage of these options allows users to access alpha features that are not available as part of the primary configuration structure for OAuth2 Proxy.

Warning: the options within this structure are considered alpha. They may change between releases without notice.

func (*AlphaOptions) ExtractFrom

```go
func (a *AlphaOptions) ExtractFrom(opts *Options)
```

ExtractFrom populates the fields in the AlphaOptions with the values from the Options.

func (*AlphaOptions) MergeInto

```go
func (a *AlphaOptions) MergeInto(opts *Options)
```

MergeInto replaces alpha options in the Options struct with the values from the AlphaOptions.
type AzureOptions

```go
type AzureOptions struct {
	// Tenant directs to a tenant-specific or common (tenant-independent) endpoint
	// Default value is 'common'
	Tenant string `json:"tenant,omitempty"`
	// GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph
	// Default value is 'id'
	GraphGroupField string `json:"graphGroupField,omitempty"`
}
```

type BitbucketOptions
type ClaimSource

```go
type ClaimSource struct {
	// Claim is the name of the claim in the session that the value should be
	// loaded from.
	Claim string `json:"claim,omitempty"`
	// Prefix is an optional prefix that will be prepended to the value of the
	// claim if it is non-empty.
	Prefix string `json:"prefix,omitempty"`
	// BasicAuthPassword converts this claim into a basic auth header.
	// Note the value of claim will become the basic auth username and the
	// basicAuthPassword will be used as the password value.
	BasicAuthPassword *SecretSource `json:"basicAuthPassword,omitempty"`
}
```

ClaimSource allows loading a header value from a claim within the session.
type Cookie

```go
type Cookie struct {
	Name           string        `flag:"cookie-name" cfg:"cookie_name"`
	Secret         string        `flag:"cookie-secret" cfg:"cookie_secret"`
	Domains        []string      `flag:"cookie-domain" cfg:"cookie_domains"`
	Path           string        `flag:"cookie-path" cfg:"cookie_path"`
	Expire         time.Duration `flag:"cookie-expire" cfg:"cookie_expire"`
	Refresh        time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh"`
	Secure         bool          `flag:"cookie-secure" cfg:"cookie_secure"`
	HTTPOnly       bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`
	SameSite       string        `flag:"cookie-samesite" cfg:"cookie_samesite"`
	CSRFPerRequest bool          `flag:"cookie-csrf-per-request" cfg:"cookie_csrf_per_request"`
	CSRFExpire     time.Duration `flag:"cookie-csrf-expire" cfg:"cookie_csrf_expire"`
}
```

Cookie contains configuration options relating to Cookie configuration.
type CookieStoreOptions

```go
type CookieStoreOptions struct {
	Minimal bool `flag:"session-cookie-minimal" cfg:"session_cookie_minimal"`
}
```

CookieStoreOptions contains configuration options for the CookieSessionStore.
type Duration

Duration is a string representation of a period of time. A duration string is a possibly signed sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) MarshalJSON

MarshalJSON ensures that the duration is marshalled to JSON as a human readable string.

func (*Duration) UnmarshalJSON

UnmarshalJSON parses the duration string and sets the value of the duration to the value of the duration string.
type GitHubOptions

```go
type GitHubOptions struct {
	// Org restricts logins to members of this organisation
	Org string `json:"org,omitempty"`
	// Team restricts logins to members of this team
	Team string `json:"team,omitempty"`
	// Repo restricts logins to collaborators of this repository
	Repo string `json:"repo,omitempty"`
	// Token is the token to use when verifying repository collaborators;
	// it must have push access to the repository
	Token string `json:"token,omitempty"`
	// Users allows users with these usernames to login
	// even if they do not belong to the specified org and team or collaborators
	Users []string `json:"users,omitempty"`
}
```

type GitLabOptions
type GoogleOptions

```go
type GoogleOptions struct {
	// Groups restricts logins to members of these Google groups
	Groups []string `json:"group,omitempty"`
	// AdminEmail is the Google admin to impersonate for API calls
	AdminEmail string `json:"adminEmail,omitempty"`
	// ServiceAccountJSON is the path to the service account JSON credentials
	ServiceAccountJSON string `json:"serviceAccountJson,omitempty"`
}
```
type Header

```go
type Header struct {
	// Name is the header name to be used for this set of values.
	// Names should be unique within a list of Headers.
	Name string `json:"name,omitempty"`
	// PreserveRequestValue determines whether any values for this header
	// should be preserved for the request to the upstream server.
	// This option only applies to injected request headers.
	// Defaults to false (headers that match this header will be stripped).
	PreserveRequestValue bool `json:"preserveRequestValue,omitempty"`
	// Values contains the desired values for this header
	Values []HeaderValue `json:"values,omitempty"`
}
```

Header represents an individual header that will be added to a request or response.
type HeaderValue

```go
type HeaderValue struct {
	// Allow users to load the value from a secret source
	*SecretSource `json:",omitempty"`
	// Allow users to load the value from a session claim
	*ClaimSource `json:",omitempty"`
}
```

HeaderValue represents a single header value and the sources that can make up the header value.

type KeycloakOptions
type LegacyHeaders

```go
type LegacyHeaders struct {
	PassBasicAuth        bool   `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
	PassAccessToken      bool   `flag:"pass-access-token" cfg:"pass_access_token"`
	PassUserHeaders      bool   `flag:"pass-user-headers" cfg:"pass_user_headers"`
	PassAuthorization    bool   `flag:"pass-authorization-header" cfg:"pass_authorization_header"`
	SetBasicAuth         bool   `flag:"set-basic-auth" cfg:"set_basic_auth"`
	SetXAuthRequest      bool   `flag:"set-xauthrequest" cfg:"set_xauthrequest"`
	SetAuthorization     bool   `flag:"set-authorization-header" cfg:"set_authorization_header"`
	PreferEmailToUser    bool   `flag:"prefer-email-to-user" cfg:"prefer_email_to_user"`
	BasicAuthPassword    string `flag:"basic-auth-password" cfg:"basic_auth_password"`
	SkipAuthStripHeaders bool   `flag:"skip-auth-strip-headers" cfg:"skip_auth_strip_headers"`
}
```
type LegacyOptions

```go
type LegacyOptions struct {
	// Legacy options related to upstream servers
	LegacyUpstreams LegacyUpstreams `cfg:",squash"`
	// Legacy options for injecting request/response headers
	LegacyHeaders LegacyHeaders `cfg:",squash"`
	// Legacy options for the server address and TLS
	LegacyServer LegacyServer `cfg:",squash"`
	// Legacy options for single provider
	LegacyProvider LegacyProvider `cfg:",squash"`

	Options Options `cfg:",squash"`
}
```

func NewLegacyOptions

```go
func NewLegacyOptions() *LegacyOptions
```

func (*LegacyOptions) ToOptions

```go
func (l *LegacyOptions) ToOptions() (*Options, error)
```
type LegacyProvider

```go
type LegacyProvider struct {
	ClientID                 string   `flag:"client-id" cfg:"client_id"`
	ClientSecret             string   `flag:"client-secret" cfg:"client_secret"`
	ClientSecretFile         string   `flag:"client-secret-file" cfg:"client_secret_file"`
	KeycloakGroups           []string `flag:"keycloak-group" cfg:"keycloak_groups"`
	AzureTenant              string   `flag:"azure-tenant" cfg:"azure_tenant"`
	AzureGraphGroupField     string   `flag:"azure-graph-group-field" cfg:"azure_graph_group_field"`
	BitbucketTeam            string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
	BitbucketRepository      string   `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
	GitHubOrg                string   `flag:"github-org" cfg:"github_org"`
	GitHubTeam               string   `flag:"github-team" cfg:"github_team"`
	GitHubRepo               string   `flag:"github-repo" cfg:"github_repo"`
	GitHubToken              string   `flag:"github-token" cfg:"github_token"`
	GitHubUsers              []string `flag:"github-user" cfg:"github_users"`
	GitLabGroup              []string `flag:"gitlab-group" cfg:"gitlab_groups"`
	GitLabProjects           []string `flag:"gitlab-project" cfg:"gitlab_projects"`
	GoogleGroups             []string `flag:"google-group" cfg:"google_group"`
	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email"`
	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json"`

	// These options allow for other providers besides Google, with
	// potential overrides.
	ProviderType                       string   `flag:"provider" cfg:"provider"`
	ProviderName                       string   `flag:"provider-display-name" cfg:"provider_display_name"`
	ProviderCAFiles                    []string `flag:"provider-ca-file" cfg:"provider_ca_files"`
	OIDCIssuerURL                      string   `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"`
	InsecureOIDCAllowUnverifiedEmail   bool     `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email"`
	InsecureOIDCSkipIssuerVerification bool     `flag:"insecure-oidc-skip-issuer-verification" cfg:"insecure_oidc_skip_issuer_verification"`
	InsecureOIDCSkipNonce              bool     `flag:"insecure-oidc-skip-nonce" cfg:"insecure_oidc_skip_nonce"`
	SkipOIDCDiscovery                  bool     `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
	OIDCJwksURL                        string   `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
	OIDCEmailClaim                     string   `flag:"oidc-email-claim" cfg:"oidc_email_claim"`
	OIDCGroupsClaim                    string   `flag:"oidc-groups-claim" cfg:"oidc_groups_claim"`
	OIDCAudienceClaims                 []string `flag:"oidc-audience-claim" cfg:"oidc_audience_claims"`
	OIDCExtraAudiences                 []string `flag:"oidc-extra-audience" cfg:"oidc_extra_audiences"`
	LoginURL                           string   `flag:"login-url" cfg:"login_url"`
	RedeemURL                          string   `flag:"redeem-url" cfg:"redeem_url"`
	ProfileURL                         string   `flag:"profile-url" cfg:"profile_url"`
	ProtectedResource                  string   `flag:"resource" cfg:"resource"`
	ValidateURL                        string   `flag:"validate-url" cfg:"validate_url"`
	ValidateURLspecial                 string   `flag:"validate-url-special" cfg:"validate_url_special"`
	Scope                              string   `flag:"scope" cfg:"scope"`
	Prompt                             string   `flag:"prompt" cfg:"prompt"`
	ApprovalPrompt                     string   `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
	UserIDClaim                        string   `flag:"user-id-claim" cfg:"user_id_claim"`
	AllowedGroups                      []string `flag:"allowed-group" cfg:"allowed_groups"`
	AllowedRoles                       []string `flag:"allowed-role" cfg:"allowed_roles"`
	AcrValues                          string   `flag:"acr-values" cfg:"acr_values"`
	JWTKey                             string   `flag:"jwt-key" cfg:"jwt_key"`
	JWTKeyFile                         string   `flag:"jwt-key-file" cfg:"jwt_key_file"`
	PubJWKURL                          string   `flag:"pubjwk-url" cfg:"pubjwk_url"`
	// PKCE Code Challenge method to use (either S256 or plain)
	CodeChallengeMethod string `flag:"code-challenge-method" cfg:"code_challenge_method"`
	// Provided for legacy reasons, to be dropped in newer version see #1667
	ForceCodeChallengeMethod string `flag:"force-code-challenge-method" cfg:"force_code_challenge_method"`
}
```
type LegacyServer

```go
type LegacyServer struct {
	MetricsAddress       string   `flag:"metrics-address" cfg:"metrics_address"`
	MetricsSecureAddress string   `flag:"metrics-secure-address" cfg:"metrics_secure_address"`
	MetricsTLSCertFile   string   `flag:"metrics-tls-cert-file" cfg:"metrics_tls_cert_file"`
	MetricsTLSKeyFile    string   `flag:"metrics-tls-key-file" cfg:"metrics_tls_key_file"`
	HTTPAddress          string   `flag:"http-address" cfg:"http_address"`
	HTTPSAddress         string   `flag:"https-address" cfg:"https_address"`
	TLSCertFile          string   `flag:"tls-cert-file" cfg:"tls_cert_file"`
	TLSKeyFile           string   `flag:"tls-key-file" cfg:"tls_key_file"`
	TLSMinVersion        string   `flag:"tls-min-version" cfg:"tls_min_version"`
	TLSCipherSuites      []string `flag:"tls-cipher-suite" cfg:"tls_cipher_suites"`
}
```

type LegacyUpstreams

```go
type LegacyUpstreams struct {
	FlushInterval                 time.Duration `flag:"flush-interval" cfg:"flush_interval"`
	PassHostHeader                bool          `flag:"pass-host-header" cfg:"pass_host_header"`
	ProxyWebSockets               bool          `flag:"proxy-websockets" cfg:"proxy_websockets"`
	SSLUpstreamInsecureSkipVerify bool          `flag:"ssl-upstream-insecure-skip-verify" cfg:"ssl_upstream_insecure_skip_verify"`
	Upstreams                     []string      `flag:"upstream" cfg:"upstreams"`
	Timeout                       time.Duration `flag:"upstream-timeout" cfg:"upstream_timeout"`
}
```

type LogFileOptions

```go
type LogFileOptions struct {
	Filename   string `flag:"logging-filename" cfg:"logging_filename"`
	MaxSize    int    `flag:"logging-max-size" cfg:"logging_max_size"`
	MaxAge     int    `flag:"logging-max-age" cfg:"logging_max_age"`
	MaxBackups int    `flag:"logging-max-backups" cfg:"logging_max_backups"`
	Compress   bool   `flag:"logging-compress" cfg:"logging_compress"`
}
```

LogFileOptions contains options for configuring logging to a file.

type Logging

```go
type Logging struct {
	AuthEnabled     bool           `flag:"auth-logging" cfg:"auth_logging"`
	AuthFormat      string         `flag:"auth-logging-format" cfg:"auth_logging_format"`
	RequestEnabled  bool           `flag:"request-logging" cfg:"request_logging"`
	RequestFormat   string         `flag:"request-logging-format" cfg:"request_logging_format"`
	StandardEnabled bool           `flag:"standard-logging" cfg:"standard_logging"`
	StandardFormat  string         `flag:"standard-logging-format" cfg:"standard_logging_format"`
	ErrToInfo       bool           `flag:"errors-to-info-log" cfg:"errors_to_info_log"`
	ExcludePaths    []string       `flag:"exclude-logging-path" cfg:"exclude_logging_paths"`
	LocalTime       bool           `flag:"logging-local-time" cfg:"logging_local_time"`
	SilencePing     bool           `flag:"silence-ping-logging" cfg:"silence_ping_logging"`
	RequestIDHeader string         `flag:"request-id-header" cfg:"request_id_header"`
	File            LogFileOptions `cfg:",squash"`
}
```

Logging contains all options required for configuring the logging.

type LoginGovOptions

```go
type LoginGovOptions struct {
	// JWTKey is a private key in PEM format used to sign JWT,
	JWTKey string `json:"jwtKey,omitempty"`
	// JWTKeyFile is a path to the private key file in PEM format used to sign the JWT
	JWTKeyFile string `json:"jwtKeyFile,omitempty"`
	// PubJWKURL is the JWK pubkey access endpoint
	PubJWKURL string `json:"pubjwkURL,omitempty"`
}
```
type LoginURLParameter

```go
type LoginURLParameter struct {
	// Name specifies the name of the query parameter.
	Name string `json:"name"`

	// Default specifies a default value or values that will be
	// passed to the IdP if not overridden.
	//+optional
	Default []string `json:"default,omitempty"`

	// Allow specifies rules about how the default (if any) may be
	// overridden via the query string to `/oauth2/start`. Only
	// values that match one or more of the allow rules will be
	// forwarded to the IdP.
	//+optional
	Allow []URLParameterRule `json:"allow,omitempty"`
}
```

LoginURLParameter is the configuration for a single query parameter that can be passed through from the `/oauth2/start` endpoint to the IdP login URL. The "default" option specifies the default value or values (if any) that will be passed to the IdP for this parameter, and "allow" is a list of rules for the ways in which this parameter can be set or overridden via the query string to `/oauth2/start`. If _only_ a default is specified and no "allow", then the parameter is effectively fixed: the default value will always be used and anything passed to the start URL will be ignored. If _only_ "allow" is specified but no default, then the parameter will only be passed on to the IdP if the caller provides it, and no value will be sent otherwise.

Examples:

A parameter whose value is fixed:

```yaml
name: organization
default:
- myorg
```

A parameter that is not passed by default, but may be set to one of a fixed set of values:

```yaml
name: prompt
allow:
- value: login
- value: consent
- value: select_account
```

A parameter that is passed by default but may be overridden by one of a fixed set of values:

```yaml
name: prompt
default: ["login"]
allow:
- value: consent
- value: select_account
```

A parameter that may be overridden, but only by values that match a regular expression. For example, to restrict `login_hint` to email addresses in your organization's domain:

```yaml
name: login_hint
allow:
- pattern: '^[^@]*@example\.com$' # this allows at most one "@" sign, and requires the "example.com" domain.
```

Note that the YAML rules around exactly which characters are allowed and/or require escaping in different types of string literals are convoluted. For regular expressions the single quoted form is simplest, as backslash is not considered to be an escape character. Alternatively, use the "chomped block" format `|-`:

```yaml
- pattern: |-
    ^[^@]*@example\.com$
```

The hyphen is important: a `|` block would have a trailing newline character, which would become part of the pattern.
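To make the default/allow semantics above concrete, here is an added example (not part of the oauth2-proxy code base) that filters a `/oauth2/start` query string against a list of LoginURLParameter entries. The `URLParameterRule` struct is assumed to carry the `value` and `pattern` keys shown in the YAML examples; the rule that a rejected value falls back to the default is this example's reading of the text.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// LoginURLParameter mirrors the page's type: one query parameter that may be
// passed through from /oauth2/start to the IdP login URL.
type LoginURLParameter struct {
	Name    string
	Default []string
	Allow   []URLParameterRule
}

// URLParameterRule is assumed to carry the two keys the page's YAML examples
// use: an exact "value" or a regular-expression "pattern".
type URLParameterRule struct {
	Value   string
	Pattern string
}

type compiledRule struct {
	value string
	re    *regexp.Regexp
}

// compileRules compiles every pattern up front so a malformed regular
// expression is rejected when the configuration is loaded, not on first login.
func compileRules(rules []URLParameterRule) ([]compiledRule, error) {
	out := make([]compiledRule, 0, len(rules))
	for _, r := range rules {
		cr := compiledRule{value: r.Value}
		if r.Pattern != "" {
			re, err := regexp.Compile(r.Pattern)
			if err != nil {
				return nil, fmt.Errorf("allow rule pattern %q: %w", r.Pattern, err)
			}
			cr.re = re
		}
		out = append(out, cr)
	}
	return out, nil
}

func (c compiledRule) matches(v string) bool {
	if c.re != nil {
		return c.re.MatchString(v)
	}
	return c.value == v
}

// ForwardedParams applies the default/allow semantics to a /oauth2/start query
// and returns the parameters to send to the IdP. Parameters that are not
// configured are dropped (allow-list, not deny-list); supplied values survive
// only if some allow rule matches; if nothing survives, the default (if any)
// is used. The last point is an assumption of this example.
func ForwardedParams(params []LoginURLParameter, startQuery url.Values) (url.Values, error) {
	out := url.Values{}
	for _, p := range params {
		rules, err := compileRules(p.Allow)
		if err != nil {
			return nil, err
		}
		var accepted []string
		for _, v := range startQuery[p.Name] {
			for _, r := range rules {
				if r.matches(v) {
					accepted = append(accepted, v)
					break
				}
			}
		}
		if len(accepted) == 0 {
			accepted = p.Default
		}
		if len(accepted) > 0 {
			out[p.Name] = append([]string(nil), accepted...)
		}
	}
	return out, nil
}

func main() {
	// Constructed configuration: the page's fixed "organization", the
	// overridable "prompt", and the regex-restricted "login_hint".
	params := []LoginURLParameter{
		{Name: "organization", Default: []string{"myorg"}},
		{Name: "prompt", Default: []string{"login"},
			Allow: []URLParameterRule{{Value: "consent"}, {Value: "select_account"}}},
		{Name: "login_hint", Allow: []URLParameterRule{{Pattern: `^[^@]*@example\.com$`}}},
	}
	// Constructed /oauth2/start query that tries to set every parameter.
	q, _ := url.ParseQuery("organization=otherorg&prompt=select_account&login_hint=alice@example.com&scope=openid")
	fwd, err := ForwardedParams(params, q)
	if err != nil {
		panic(err)
	}
	// organization is forced back to myorg, prompt and login_hint pass, scope is dropped.
	fmt.Println(fwd.Encode())
}
```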
type OIDCOptions

```go
type OIDCOptions struct {
	// IssuerURL is the OpenID Connect issuer URL
	// eg: https://accounts.google.com
	IssuerURL string `json:"issuerURL,omitempty"`
	// InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
	// default set to 'false'
	InsecureAllowUnverifiedEmail bool `json:"insecureAllowUnverifiedEmail,omitempty"`
	// InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
	// default set to 'false'
	InsecureSkipIssuerVerification bool `json:"insecureSkipIssuerVerification,omitempty"`
	// InsecureSkipNonce skips verifying the ID Token's nonce claim that must match
	// the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
	// after the initial OAuth redeem & subsequent token refreshes.
	// default set to 'true'
	// Warning: In a future release, this will change to 'false' by default for enhanced security.
	InsecureSkipNonce bool `json:"insecureSkipNonce,omitempty"`
	// SkipDiscovery allows skipping OIDC discovery and using manually supplied Endpoints
	// default set to 'false'
	SkipDiscovery bool `json:"skipDiscovery,omitempty"`
	// JwksURL is the OpenID Connect JWKS URL
	// eg: https://www.googleapis.com/oauth2/v3/certs
	JwksURL string `json:"jwksURL,omitempty"`
	// EmailClaim indicates which claim contains the user email,
	// default set to 'email'
	EmailClaim string `json:"emailClaim,omitempty"`
	// GroupsClaim indicates which claim contains the user groups
	// default set to 'groups'
	GroupsClaim string `json:"groupsClaim,omitempty"`
	// UserIDClaim indicates which claim contains the user ID
	// default set to 'email'
	UserIDClaim string `json:"userIDClaim,omitempty"`
	// AudienceClaims allows defining any claims that are verified against the client id
	// By default the `aud` claim is used for verification.
	AudienceClaims []string `json:"audienceClaims,omitempty"`
	// ExtraAudiences is a list of additional audiences that are allowed
	// to pass verification in addition to the client id.
	ExtraAudiences []string `json:"extraAudiences,omitempty"`
}
```
type Options

```go
type Options struct {
	ProxyPrefix             string   `flag:"proxy-prefix" cfg:"proxy_prefix"`
	PingPath                string   `flag:"ping-path" cfg:"ping_path"`
	PingUserAgent           string   `flag:"ping-user-agent" cfg:"ping_user_agent"`
	ReadyPath               string   `flag:"ready-path" cfg:"ready_path"`
	ReverseProxy            bool     `flag:"reverse-proxy" cfg:"reverse_proxy"`
	RealClientIPHeader      string   `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
	TrustedIPs              []string `flag:"trusted-ip" cfg:"trusted_ips"`
	ForceHTTPS              bool     `flag:"force-https" cfg:"force_https"`
	RawRedirectURL          string   `flag:"redirect-url" cfg:"redirect_url"`
	AuthenticatedEmailsFile string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
	EmailDomains            []string `flag:"email-domain" cfg:"email_domains"`
	WhitelistDomains        []string `flag:"whitelist-domain" cfg:"whitelist_domains"`
	HtpasswdFile            string   `flag:"htpasswd-file" cfg:"htpasswd_file"`
	HtpasswdUserGroups      []string `flag:"htpasswd-user-group" cfg:"htpasswd_user_groups"`

	Cookie    Cookie         `cfg:",squash"`
	Session   SessionOptions `cfg:",squash"`
	Logging   Logging        `cfg:",squash"`
	Templates Templates      `cfg:",squash"`

	// Not used in the legacy config, name not allowed to match an external key (upstreams)
	// TODO(JoelSpeed): Rename when legacy config is removed
	UpstreamServers UpstreamConfig `cfg:",internal"`

	InjectRequestHeaders  []Header `cfg:",internal"`
	InjectResponseHeaders []Header `cfg:",internal"`

	Server        Server `cfg:",internal"`
	MetricsServer Server `cfg:",internal"`

	Providers Providers `cfg:",internal"`

	APIRoutes             []string `flag:"api-route" cfg:"api_routes"`
	SkipAuthRegex         []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
	SkipAuthRoutes        []string `flag:"skip-auth-route" cfg:"skip_auth_routes"`
	SkipJwtBearerTokens   bool     `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens"`
	ExtraJwtIssuers       []string `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers"`
	SkipProviderButton    bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`
	SSLInsecureSkipVerify bool     `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
	SkipAuthPreflight     bool     `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
	ForceJSONErrors       bool     `flag:"force-json-errors" cfg:"force_json_errors"`
	SignatureKey          string   `flag:"signature-key" cfg:"signature_key"`
	GCPHealthChecks       bool     `flag:"gcp-healthchecks" cfg:"gcp_healthchecks"`

	// This is used for backwards compatibility for basic auth users
	LegacyPreferEmailToUser bool `cfg:",internal"`
	// contains filtered or unexported fields
}
```

Options holds Configuration Options that can be set by Command Line Flag or Config File.

func NewOptions

```go
func NewOptions() *Options
```

NewOptions constructs a new Options with defaulted values.
func (*Options) GetJWTBearerVerifiers

```go
func (o *Options) GetJWTBearerVerifiers() []internaloidc.IDTokenVerifier
```

func (*Options) GetOIDCVerifier

```go
func (o *Options) GetOIDCVerifier() internaloidc.IDTokenVerifier
```

func (*Options) GetRealClientIPParser

```go
func (o *Options) GetRealClientIPParser() ipapi.RealClientIPParser
```

func (*Options) GetRedirectURL

```go
func (o *Options) GetRedirectURL() *url.URL
```

Options for getting internal values.

func (*Options) GetSignatureData

```go
func (o *Options) GetSignatureData() *SignatureData
```

func (*Options) SetJWTBearerVerifiers

```go
func (o *Options) SetJWTBearerVerifiers(s []internaloidc.IDTokenVerifier)
```

func (*Options) SetOIDCVerifier

```go
func (o *Options) SetOIDCVerifier(s internaloidc.IDTokenVerifier)
```

func (*Options) SetRealClientIPParser

```go
func (o *Options) SetRealClientIPParser(s ipapi.RealClientIPParser)
```

func (*Options) SetRedirectURL

```go
func (o *Options) SetRedirectURL(s *url.URL)
```

Options for setting internal values.

func (*Options) SetSignatureData

```go
func (o *Options) SetSignatureData(s *SignatureData)
```
type Provider

```go
type Provider struct {
	// ClientID is the OAuth Client ID that is defined in the provider
	// This value is required for all providers.
	ClientID string `json:"clientID,omitempty"`
	// ClientSecret is the OAuth Client Secret that is defined in the provider
	// This value is required for all providers.
	ClientSecret string `json:"clientSecret,omitempty"`
	// ClientSecretFile is the name of the file
	// containing the OAuth Client Secret, it will be used if ClientSecret is not set.
	ClientSecretFile string `json:"clientSecretFile,omitempty"`

	// KeycloakConfig holds all configurations for Keycloak provider.
	KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
	// AzureConfig holds all configurations for Azure provider.
	AzureConfig AzureOptions `json:"azureConfig,omitempty"`
	// ADFSConfig holds all configurations for ADFS provider.
	ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
	// BitbucketConfig holds all configurations for Bitbucket provider.
	BitbucketConfig BitbucketOptions `json:"bitbucketConfig,omitempty"`
	// GitHubConfig holds all configurations for GitHub provider.
	GitHubConfig GitHubOptions `json:"githubConfig,omitempty"`
	// GitLabConfig holds all configurations for GitLab provider.
	GitLabConfig GitLabOptions `json:"gitlabConfig,omitempty"`
	// GoogleConfig holds all configurations for Google provider.
	GoogleConfig GoogleOptions `json:"googleConfig,omitempty"`
	// OIDCConfig holds all configurations for OIDC provider
	// or providers utilizing OIDC configurations.
	OIDCConfig OIDCOptions `json:"oidcConfig,omitempty"`
	// LoginGovConfig holds all configurations for LoginGov provider.
	LoginGovConfig LoginGovOptions `json:"loginGovConfig,omitempty"`

	// ID should be a unique identifier for the provider.
	// This value is required for all providers.
	ID string `json:"id,omitempty"`
	// Type is the OAuth provider
	// must be set from the supported providers group,
	// otherwise 'Google' is set as default
	Type ProviderType `json:"provider,omitempty"`
	// Name is the providers display name
	// if set, it will be shown to the users in the login page.
	Name string `json:"name,omitempty"`
	// CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
	// If not specified, the default Go trust sources are used instead
	CAFiles []string `json:"caFiles,omitempty"`

	// LoginURL is the authentication endpoint
	LoginURL string `json:"loginURL,omitempty"`
	// LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL
	LoginURLParameters []LoginURLParameter `json:"loginURLParameters,omitempty"`
	// RedeemURL is the token redemption endpoint
	RedeemURL string `json:"redeemURL,omitempty"`
	// ProfileURL is the profile access endpoint
	ProfileURL string `json:"profileURL,omitempty"`
	// ProtectedResource is the resource that is protected (Azure AD and ADFS only)
	ProtectedResource string `json:"resource,omitempty"`
	// ValidateURL is the access token validation endpoint
	ValidateURL string `json:"validateURL,omitempty"`
	// ValidateURLspecial is the optional access token validation endpoint in special cases
	ValidateURLspecial string `json:"validateURLspecial,omitempty"`
	// Scope is the OAuth scope specification
	Scope string `json:"scope,omitempty"`
	// AllowedGroups restricts logins to members of these groups
	AllowedGroups []string `json:"allowedGroups,omitempty"`
	// The code challenge method
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
}
```

Provider holds all configuration for a single provider.
type ProviderType

```go
type ProviderType string
```

ProviderType is used to enumerate the different provider type options. Valid options are: adfs, azure, bitbucket, digitalocean, facebook, github, gitlab, google, keycloak, keycloak-oidc, linkedin, login.gov, nextcloud and oidc.

```go
const (
	// ADFSProvider is the provider type for ADFS
	ADFSProvider ProviderType = "adfs"
	// AzureProvider is the provider type for Azure
	AzureProvider ProviderType = "azure"
	// BitbucketProvider is the provider type for Bitbucket
	BitbucketProvider ProviderType = "bitbucket"
	// DigitalOceanProvider is the provider type for DigitalOcean
	DigitalOceanProvider ProviderType = "digitalocean"
	// FacebookProvider is the provider type for Facebook
	FacebookProvider ProviderType = "facebook"
	// GitHubProvider is the provider type for GitHub
	GitHubProvider ProviderType = "github"
	// GitLabProvider is the provider type for GitLab
	GitLabProvider ProviderType = "gitlab"
	// GoogleProvider is the provider type for Google
	GoogleProvider ProviderType = "google"
	// KeycloakProvider is the provider type for Keycloak
	KeycloakProvider ProviderType = "keycloak"
	// KeycloakOIDCProvider is the provider type for Keycloak OIDC
	KeycloakOIDCProvider ProviderType = "keycloak-oidc"
	// LinkedInProvider is the provider type for LinkedIn
	LinkedInProvider ProviderType = "linkedin"
	// LoginGovProvider is the provider type for LoginGov
	LoginGovProvider ProviderType = "login.gov"
	// NextCloudProvider is the provider type for NextCloud
	NextCloudProvider ProviderType = "nextcloud"
	// OIDCProvider is the provider type for OIDC
	OIDCProvider ProviderType = "oidc"
)
```
type RedisStoreOptions ¶
type RedisStoreOptions struct {
	ConnectionURL          string   `flag:"redis-connection-url" cfg:"redis_connection_url"`
	Password               string   `flag:"redis-password" cfg:"redis_password"`
	UseSentinel            bool     `flag:"redis-use-sentinel" cfg:"redis_use_sentinel"`
	SentinelPassword       string   `flag:"redis-sentinel-password" cfg:"redis_sentinel_password"`
	SentinelMasterName     string   `flag:"redis-sentinel-master-name" cfg:"redis_sentinel_master_name"`
	SentinelConnectionURLs []string `flag:"redis-sentinel-connection-urls" cfg:"redis_sentinel_connection_urls"`
	UseCluster             bool     `flag:"redis-use-cluster" cfg:"redis_use_cluster"`
	ClusterConnectionURLs  []string `flag:"redis-cluster-connection-urls" cfg:"redis_cluster_connection_urls"`
	CAPath                 string   `flag:"redis-ca-path" cfg:"redis_ca_path"`
	InsecureSkipTLSVerify  bool     `flag:"redis-insecure-skip-tls-verify" cfg:"redis_insecure_skip_tls_verify"`
	IdleTimeout            int      `flag:"redis-connection-idle-timeout" cfg:"redis_connection_idle_timeout"`
}
RedisStoreOptions contains configuration options for the RedisSessionStore.
type SecretSource ¶
type SecretSource struct {
	// Value expects a base64 encoded string value.
	Value []byte `json:"value,omitempty"`
	// FromEnv expects the name of an environment variable.
	FromEnv string `json:"fromEnv,omitempty"`
	// FromFile expects a path to a file containing the secret value.
	FromFile string `json:"fromFile,omitempty"`
}
SecretSource references an individual secret value. Only one source within the struct should be defined at any time.
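The "only one source" rule above is easy to get wrong when a config file and an environment variable both end up populated. The following is an added example, not code from the oauth2-proxy package: it uses a local copy of the SecretSource struct, relies on the fact that encoding/json base64-decodes a []byte field (which is why the JSON form of Value is a base64 string), and rejects any document that sets zero or more than one source before reading anything.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// SecretSource is a local copy of the documented struct so this example
// compiles on its own; it is not the oauth2-proxy type. encoding/json
// base64-decodes []byte fields, so Value holds raw bytes after parsing.
type SecretSource struct {
	Value    []byte `json:"value,omitempty"`
	FromEnv  string `json:"fromEnv,omitempty"`
	FromFile string `json:"fromFile,omitempty"`
}

// ErrSecretSourceCount is returned when the one-source rule is violated.
var ErrSecretSourceCount = errors.New("secret source: exactly one of value, fromEnv or fromFile must be set")

// countSources reports how many of the three sources are populated.
func countSources(s SecretSource) int {
	n := 0
	if len(s.Value) > 0 {
		n++
	}
	if s.FromEnv != "" {
		n++
	}
	if s.FromFile != "" {
		n++
	}
	return n
}

// ResolveSecret enforces the one-source rule, then reads the secret.
func ResolveSecret(s SecretSource) ([]byte, error) {
	if countSources(s) != 1 {
		return nil, ErrSecretSourceCount
	}
	switch {
	case len(s.Value) > 0:
		return s.Value, nil
	case s.FromEnv != "":
		v, ok := os.LookupEnv(s.FromEnv)
		if !ok {
			return nil, fmt.Errorf("secret source: environment variable %q is not set", s.FromEnv)
		}
		return []byte(v), nil
	default:
		b, err := os.ReadFile(s.FromFile)
		if err != nil {
			return nil, fmt.Errorf("secret source: %w", err)
		}
		// Files written by editors usually end in a newline; strip it so the
		// secret equals what the operator typed rather than a longer value.
		return []byte(strings.TrimRight(string(b), "\r\n")), nil
	}
}

// LoadSecretFromJSON parses one SecretSource document and resolves it.
func LoadSecretFromJSON(doc string) ([]byte, error) {
	var s SecretSource
	if err := json.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	return ResolveSecret(s)
}

func main() {
	// Constructed sample: "c2VjcmV0" is base64 for "secret".
	v, err := LoadSecretFromJSON(`{"value": "c2VjcmV0"}`)
	fmt.Printf("%q %v\n", v, err)
	// Two sources set at once is a configuration error, not a silent pick.
	_, err = LoadSecretFromJSON(`{"value": "c2VjcmV0", "fromEnv": "COOKIE_SECRET"}`)
	fmt.Println(err)
}
```

Failing fast at load time matters here because a silently ignored second source usually means the operator believes a different secret is in use than the one actually signing cookies.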
type Server ¶
type Server struct {
	// BindAddress is the address on which to serve traffic.
	// Leave blank or set to "-" to disable.
	BindAddress string
	// SecureBindAddress is the address on which to serve secure traffic.
	// Leave blank or set to "-" to disable.
	SecureBindAddress string
	// TLS contains the information for loading the certificate and key for the
	// secure traffic and further configuration for the TLS server.
	TLS *TLS
}
Server represents the configuration for an HTTP(S) server
type SessionOptions ¶
type SessionOptions struct {
	Type   string             `flag:"session-store-type" cfg:"session_store_type"`
	Cookie CookieStoreOptions `cfg:",squash"`
	Redis  RedisStoreOptions  `cfg:",squash"`
}
SessionOptions contains configuration options for the SessionStore providers.
type SignatureData ¶
SignatureData holds hmacauth signature hash and key
type TLS ¶
type TLS struct {
	// Key is the TLS key data to use.
	// Typically this will come from a file.
	Key *SecretSource
	// Cert is the TLS certificate data to use.
	// Typically this will come from a file.
	Cert *SecretSource
	// MinVersion is the minimal TLS version that is acceptable.
	// E.g. Set to "TLS1.3" to select TLS version 1.3
	MinVersion string
	// CipherSuites is a list of TLS cipher suites that are allowed.
	// E.g.:
	// - TLS_RSA_WITH_RC4_128_SHA
	// - TLS_RSA_WITH_AES_256_GCM_SHA384
	// If not specified, the default Go safe cipher list is used.
	// List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants).
	CipherSuites []string
}
TLS contains the information for loading a TLS certificate and key as well as an optional minimal TLS version that is acceptable.
type Templates ¶
type Templates struct {
	// Path is the path to a folder containing a sign_in.html and an error.html
	// template.
	// These files will be used instead of the default templates if present.
	// If either file is missing, the default will be used instead.
	Path string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
	// CustomLogo is the path or a URL to a logo that should replace the default logo
	// on the sign_in page template.
	// Supported formats are .svg, .png, .jpg and .jpeg.
	// If URL is used the format support depends on the browser.
	// To disable the default logo, set this value to "-".
	CustomLogo string `flag:"custom-sign-in-logo" cfg:"custom_sign_in_logo"`
	// Banner overrides the default sign_in page banner text. If unspecified,
	// the message will give users a list of allowed email domains.
	Banner string `flag:"banner" cfg:"banner"`
	Footer string `flag:"footer" cfg:"footer"`
	// DisplayLoginForm determines whether the sign_in page should render a
	// password form if a static passwords file (htpasswd file) has been
	// configured.
	DisplayLoginForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
	// Debug renders detailed errors when an error page is shown.
	// It is not advised to use this in production as errors may contain sensitive
	// information.
	// Use only for diagnosing backend errors.
	Debug bool `flag:"show-debug-on-error" cfg:"show_debug_on_error"`
}
Templates includes options for configuring the sign in and error pages appearance.
type URLParameterRule ¶
type URLParameterRule struct {
	// A Value rule matches just this specific value
	Value *string `json:"value,omitempty"`
	// A Pattern rule gives a regular expression that must be matched by
	// some substring of the value. The expression is _not_ automatically
	// anchored to the start and end of the value, if you _want_ to restrict
	// the whole parameter value you must anchor it yourself with `^` and `$`.
	Pattern *string `json:"pattern,omitempty"`
}
URLParameterRule represents a rule by which query parameters passed to the `/oauth2/start` endpoint are checked to determine whether they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.
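The two constraints stated above (exactly one of Value or Pattern, and Pattern being an unanchored substring match) are the ones worth checking in code, because a rule that accidentally sets both or an unanchored pattern silently admits more override values than the operator expected. The following is an added example, not the project's own matcher: it uses a local copy of the struct, compiles each Pattern once so a malformed regex is a load-time error, and shows the same override values evaluated against a loose unanchored rule set and a strict anchored one for a hypothetical locale-style parameter.

```go
package main

import (
	"fmt"
	"regexp"
)

// URLParameterRule is a local copy of the documented struct so this example
// compiles stand-alone; it is not the oauth2-proxy type.
type URLParameterRule struct {
	Value   *string `json:"value,omitempty"`
	Pattern *string `json:"pattern,omitempty"`
}

// CompiledRule is a rule ready to evaluate. Patterns are compiled at config
// load so a malformed regex fails at startup rather than on each request.
type CompiledRule struct {
	value *string
	re    *regexp.Regexp
}

// CompileRule rejects rules that set both or neither of Value and Pattern.
func CompileRule(r URLParameterRule) (CompiledRule, error) {
	if (r.Value == nil) == (r.Pattern == nil) {
		return CompiledRule{}, fmt.Errorf("rule must set exactly one of value or pattern")
	}
	if r.Value != nil {
		return CompiledRule{value: r.Value}, nil
	}
	re, err := regexp.Compile(*r.Pattern)
	if err != nil {
		return CompiledRule{}, fmt.Errorf("pattern %q: %w", *r.Pattern, err)
	}
	return CompiledRule{re: re}, nil
}

// Matches reports whether one override value is accepted by the rule. For a
// Pattern rule this is a substring search, exactly as the field comment
// warns: only ^ and $ inside the pattern restrict the whole value.
func (r CompiledRule) Matches(v string) bool {
	if r.value != nil {
		return *r.value == v
	}
	return r.re.MatchString(v)
}

// OverrideAllowed compiles the rules for one parameter and reports whether
// the caller-supplied value passes at least one of them.
func OverrideAllowed(rules []URLParameterRule, v string) (bool, error) {
	for _, r := range rules {
		cr, err := CompileRule(r)
		if err != nil {
			return false, err
		}
		if cr.Matches(v) {
			return true, nil
		}
	}
	return false, nil
}

// str returns a pointer to s, for building rule literals.
func str(s string) *string { return &s }

func main() {
	// Constructed rule sets for a hypothetical locale-style parameter.
	loose := []URLParameterRule{{Pattern: str("[a-z]{2}")}}
	strict := []URLParameterRule{{Value: str("en")}, {Pattern: str("^[a-z]{2}-[A-Z]{2}$")}}
	for _, v := range []string{"en", "en-US", "xx-anything-else"} {
		l, _ := OverrideAllowed(loose, v)
		s, _ := OverrideAllowed(strict, v)
		fmt.Printf("%-18s loose=%-5v strict=%v\n", v, l, s)
	}
}
```

The loose set accepts "xx-anything-else" because "[a-z]{2}" finds the substring "xx"; the strict set rejects it while still admitting "en" (Value rule) and "en-US" (anchored Pattern).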
type Upstream ¶
type Upstream struct {
	// ID should be a unique identifier for the upstream.
	// This value is required for all upstreams.
	ID string `json:"id,omitempty"`
	// Path is used to map requests to the upstream server.
	// The closest match will take precedence and all Paths must be unique.
	// Path can also take a pattern when used with RewriteTarget.
	// Path segments can be captured and matched using regular expressions.
	// Eg:
	// - `^/foo$`: Match only the explicit path `/foo`
	// - `^/bar/$`: Match any path prefixed with `/bar/`
	// - `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget
	Path string `json:"path,omitempty"`
	// RewriteTarget allows users to rewrite the request path before it is sent to
	// the upstream server.
	// Use the Path to capture segments for reuse within the rewrite target.
	// Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite
	// the request `/baz/abc/123` to `/foo/abc/123` before proxying to the
	// upstream server.
	RewriteTarget string `json:"rewriteTarget,omitempty"`
	// The URI of the upstream server. This may be an HTTP(S) server or a File
	// based URL. It may include a path, in which case all requests will be served
	// under that path.
	// Eg:
	// - http://localhost:8080
	// - https://service.localhost
	// - https://service.localhost/path
	// - file://host/path
	// If the URI's path is "/base" and the incoming request was for "/dir",
	// the upstream request will be for "/base/dir".
	URI string `json:"uri,omitempty"`
	// InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
	// This option is insecure and will allow potential Man-In-The-Middle attacks
	// between OAuth2 Proxy and the upstream server.
	// Defaults to false.
	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
	// Static will make all requests to this upstream have a static response.
	// The response will have a body of "Authenticated" and a response code
	// matching StaticCode.
	// If StaticCode is not set, the response will return a 200 response.
	Static bool `json:"static,omitempty"`
	// StaticCode determines the response code for the Static response.
	// This option can only be used with Static enabled.
	StaticCode *int `json:"staticCode,omitempty"`
	// FlushInterval is the period between flushing the response buffer when
	// streaming response from the upstream.
	// Defaults to 1 second.
	FlushInterval *Duration `json:"flushInterval,omitempty"`
	// PassHostHeader determines whether the request host header should be proxied
	// to the upstream server.
	// Defaults to true.
	PassHostHeader *bool `json:"passHostHeader,omitempty"`
	// ProxyWebSockets enables proxying of websockets to upstream servers
	// Defaults to true.
	ProxyWebSockets *bool `json:"proxyWebSockets,omitempty"`
	// Timeout is the maximum duration the server will wait for a response from the upstream server.
	// Defaults to 30 seconds.
	Timeout *Duration `json:"timeout,omitempty"`
}
Upstream represents the configuration for an upstream server. Requests will be proxied to this upstream if the path matches the request path.
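The Path, RewriteTarget and URI comments above describe three separate steps (choose the closest matching upstream, rewrite captured segments, append the result to the upstream URI's path) that are easiest to understand when run together on the comment's own examples. The following is an added example, not the project's router: it uses a trimmed local copy of the struct, treats a Path as a regular expression only when RewriteTarget is set or the Path starts with "^" (an assumption of this example), scores "closest match" as the longest matched text, and validates the documented constraints that ID is required and Paths are unique.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Upstream is a trimmed local copy of the documented struct (routing fields only).
type Upstream struct {
	ID, Path, RewriteTarget, URI string
}

// CompiledUpstream holds the parsed URI and, for pattern paths, the compiled regexp.
type CompiledUpstream struct {
	up  Upstream
	re  *regexp.Regexp // nil for a plain prefix path
	uri *url.URL
}

// CompileUpstreams checks the documented constraints (ID required, Paths unique)
// and prepares each upstream. A Path is treated as a regular expression when
// RewriteTarget is set or the Path starts with "^"; that rule is this example's
// assumption, not necessarily the project's.
func CompileUpstreams(ups []Upstream) ([]CompiledUpstream, error) {
	out := make([]CompiledUpstream, 0, len(ups))
	seen := map[string]bool{}
	for _, u := range ups {
		if u.ID == "" || u.Path == "" || u.URI == "" {
			return nil, fmt.Errorf("upstream %q: id, path and uri are required", u.ID)
		}
		if seen[u.Path] {
			return nil, fmt.Errorf("upstream %q: duplicate path %q", u.ID, u.Path)
		}
		seen[u.Path] = true
		parsed, err := url.Parse(u.URI)
		if err != nil {
			return nil, fmt.Errorf("upstream %q: %w", u.ID, err)
		}
		cu := CompiledUpstream{up: u, uri: parsed}
		if u.RewriteTarget != "" || strings.HasPrefix(u.Path, "^") {
			if cu.re, err = regexp.Compile(u.Path); err != nil {
				return nil, fmt.Errorf("upstream %q: path %q: %w", u.ID, u.Path, err)
			}
		}
		out = append(out, cu)
	}
	return out, nil
}

// Route picks the closest match (longest matched text) for reqPath, applies
// RewriteTarget, and appends the result to the upstream URI's own path, so a
// URI path of "/base" and a request for "/dir" give "/base/dir".
func Route(ups []CompiledUpstream, reqPath string) (id, target string, err error) {
	best, bestScore := -1, -1
	for i, u := range ups {
		score := -1
		if u.re != nil {
			if loc := u.re.FindStringIndex(reqPath); loc != nil {
				score = loc[1] - loc[0]
			}
		} else if strings.HasPrefix(reqPath, u.up.Path) {
			score = len(u.up.Path)
		}
		if score > bestScore {
			best, bestScore = i, score
		}
	}
	if best < 0 {
		return "", "", fmt.Errorf("no upstream matches %q", reqPath)
	}
	u := ups[best]
	outPath := reqPath
	if u.re != nil && u.up.RewriteTarget != "" {
		// "$1" is the first capture group; write "${1}" if a letter or digit
		// follows it, since Go would otherwise read "$1bar" as a group named "1bar".
		outPath = u.re.ReplaceAllString(reqPath, u.up.RewriteTarget)
	}
	dst := *u.uri
	dst.Path = strings.TrimSuffix(u.uri.Path, "/") + outPath
	return u.up.ID, dst.String(), nil
}

// SampleUpstreams is a constructed set using the Path and URI examples from the
// field comments above.
func SampleUpstreams() []Upstream {
	return []Upstream{
		{ID: "root", Path: "/", URI: "http://localhost:8080"},
		{ID: "api", Path: "/api/", URI: "https://service.localhost/base"},
		{ID: "baz", Path: "^/baz/(.*)$", RewriteTarget: "/foo/$1", URI: "https://service.localhost"},
	}
}
```

With the sample set, a request for `/baz/abc/123` is routed to `baz` and proxied as `https://service.localhost/foo/abc/123`, `/api/users` becomes `https://service.localhost/base/api/users`, and `/dir` falls through to the root upstream as `http://localhost:8080/dir`. Compiling the regular expressions and checking for duplicate Paths at load time keeps a misconfigured upstream from being discovered only when a request hits it.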
type UpstreamConfig ¶
type UpstreamConfig struct {
	// ProxyRawPath will pass the raw url path to upstream allowing for URLs
	// like: "/%2F/" which would otherwise be redirected to "/"
	ProxyRawPath bool `json:"proxyRawPath,omitempty"`
	// Upstreams represents the configuration for the upstream servers.
	// Requests will be proxied to this upstream if the path matches the request path.
	Upstreams []Upstream `json:"upstreams,omitempty"`
}
UpstreamConfig is a collection of definitions for upstream servers.