a5huynh / oauth2_proxy Goto Github PK

Dockerization of bitly's oauth2_proxy

License: MIT License

Makefile 11.78% Shell 23.41% Dockerfile 64.81%

oauth2-proxy dockerization nginx-proxy upstream

oauth2_proxy's Introduction

Official fork for `bitly/oauth2_proxy`

FYI for those coming here, as of 03/2019 the bitly project is no longer getting updated and has been officially forked to a new project: https://github.com/pusher/oauth2_proxy

This new project has been getting updates and has it's own Docker image. If you're interested in using the latest and greatest, please check them out! Otherwise this repo + Docker image will stay as is 🙂.

oauth2_proxy dockerization

This is a Dockerization of the handy dandy bitly OAuth Proxy.

Check out the bitly github page for more details on the different command line options that can be passed in.

This is also an automated Docker Hub build

Supported tags and respective `Dockerfile` links

2.2-debian (Dockerfile)
2.2 (Dockerfile)
2.1 (Dockerfile)

Quickstart with Docker Compose

First, configure your client secret/id/cookie secret in the docker-compose.yml file and replace all references to example.com with your domain.

Then simply run:

docker-compose up

The container will be built and an nginx proxy automatically configure to connect to the oauth2 proxy. Navigate to http://localhost:4180/ping to check out whether the proxy is up and running.

You will be asked to authenticated and if successful, redirected to the upstream nginx container serving a simple HTML page.

Quickstart without Docker Compose

The following example assumes you have your upstream host located at upstream:80

docker run -P a5huynh/oauth2_proxy \
    --cookie-secure=false \
    --upstream="http://upstream:80" \
    --http-address="0.0.0.0:4180" \
    --redirect-url="http://example.com/oauth2/callback" \
    --email-domain="example.com" \
    --cookie-secret=<cookie-secret> \
    --client-id=<client-id> \
    --client-secret=<client-secret>

Configuration

By default I set the upstream and http-address to the following:

--upstream=http://0.0.0.0:8080/
--http-address=0.0.0.0:4180

This allows us to easily configure our upstream or nginx proxy to those addresses.

Environment Variables

Alternatively you can set the cookie-secret, client-id, and/or client-secret as environment variables using the following variables below:

OAUTH2_PROXY_COOKIE_SECRET     # The seed string for secure cookies
OAUTH2_PROXY_CLIENT_ID         # The Google OAuth Client ID
OAUTH2_PROXY_CLIENT_SECRET     # The Google OAuth Client Secret

Example Usage w/ environment variables

docker run -e OAUTH2_PROXY_COOKIE_SECRET=<cookie-secret> \
    -e OAUTH2_PROXY_CLIENT_ID=<client-id> \
    -e OAUTH2_PROXY_CLIENT_SECRET=<client-secret> \
    a5huynh/oauth2_proxy

oauth2_proxy's People

Contributors

Stargazers

Watchers

oauth2_proxy's Issues

New error occurring with latest...

I get the following error with the latest build:

oauthproxy.go:527: error redeeming code Post https://github.com/login/oauth/access_token: x509: failed to load system roots and no roots provided

I quick search recommends this:

http://blog.cloud66.com/x509-error-when-using-https-inside-a-docker-container/

Thanks!

DNS resolution failure causing Cookie "_oauth2_proxy" not present

When I access test.basement.netzolt.com I am prompted to login to github and after logging in I receive an Internal Server 500 error and it appears to be DNS related as the container cannot lookup github.com.

Here is the docker stack:

version: "3"
services:
  web:
    image: emilevauge/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        - traefik.port=80
        - traefik.frontend.rule=Host:whoamistack.basement.netzolt.com

  web2:
    image: emilevauge/whoami
    networks:
      - traefik_public

  web2_proxy:
    image: a5huynh/oauth2_proxy
    env_file : /mnt/vault/docker/config/test/test.env
    dns_search: basement.netzolt.com
    networks:
      - internal
      - traefik_public
    deploy:
      labels:
        - traefik.frontend.rule=Host:test.basement.netzolt.com
        - traefik.docker.network=traefik_public
        - traefik.port=4180
    volumes:
      - /mnt/vault/docker/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt
    command: |
      -cookie-secure=false
      -upstream=http://web2:80
      -redirect-url=https://test.basement.netzolt.com
      -http-address=http://0.0.0.0:4180
      -email-domain=netzolt.com
      -provider=github
      -authenticated-emails-file=/authenticated-emails.txt

networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.111.0/24

Here are the logs from the container:

whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 172.16.200.75 - - [18/May/2018:15:41:40 +0000] test.basement.netzolt.com GET - "/oauth2/callback?code=XXXXXXXXXXXXXXXXXX&state=%2F" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" 500 331 20.002
whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 2018/05/18 15:42:00 oauthproxy.go:527: 172.16.200.75:54382 error redeeming code Post https://github.com/login/oauth/access_token: dial tcp: lookup github.com on 127.0.0.11:53: read udp 127.0.0.1:36175->127.0.0.11:53: i/o timeout
whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 2018/05/18 15:42:00 oauthproxy.go:349: ErrorPage 500 Internal Error Internal Error
whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 2018/05/18 15:42:00 oauthproxy.go:527: 172.16.200.75:54380 error redeeming code Post https://github.com/login/oauth/access_token: dial tcp: lookup github.com on 127.0.0.11:53: read udp 127.0.0.1:36175->127.0.0.11:53: i/o timeout
whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 2018/05/18 15:42:00 oauthproxy.go:349: ErrorPage 500 Internal Error Internal Error
whoami_web2_proxy.1.dkgadr0p8a4w@docker02    | 2018/05/18 15:42:00 oauthproxy.go:602: 172.16.200.75:54382 Cookie "_oauth2_proxy" not present

You can see resolution is broken inside the container:

spider@docker02:~$ docker exec -it 03b9db7e85d4 sh
/ # ping google.com
ping: bad address 'google.com'

However it appears the defined nameserver does work for discovery of other containers in the stack:

/ # cat /etc/resolv.conf
search basement.netzolt.com
nameserver 127.0.0.11
options ndots:0

# ping 127.0.0.11
PING 127.0.0.11 (127.0.0.11): 56 data bytes
64 bytes from 127.0.0.11: seq=0 ttl=64 time=0.073 ms
64 bytes from 127.0.0.11: seq=1 ttl=64 time=0.082 ms
^C
--- 127.0.0.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.077/0.082 ms

/ # nslookup web2
nslookup: can't resolve '(null)': Name does not resolve

Name:      web2
Address 1: 172.16.200.29

However other tests show external resolution fails:

/ # nslookup github.com
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'github.com': Try again

/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=7.384 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=7.675 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.384/7.529/7.675 ms
/ # nslookup github.com 8.8.8.8
Server:    8.8.8.8
Address 1: 8.8.8.8

nslookup: can't resolve 'github.com': Try again
/ #

Upgrade to Bitly OAuthProxy v2.2

I noticed that Bitly have released a version 2.2

Tag 2.2.1 does not reflect oauth2_proxy version

Image tags should reflect version of application installed inside the image. Therefore, image 2.2.1 should have been tagged as 2.2. Having image version 2.2.1 of oauth2_proxy version 2.2 is just confusing.

Getting a 502 after hitting callback URL

For some reason I can authenticate correctly with the third party, but when it hits my callback URL I'm getting a 502. Any ideas why this would be happening?

Tag current master please

This project has been really useful for us but we need a specific version number to depend on.

Current master has a much smaller footprint and updated CA certificates. In order to avoid depending on latest (and keep control over new image versions introduced into our system), we've forked and tagged the current master branch as 2.2.1 and set up a Dockerhub automated build for it.

It might be a good idea to do a minor release tag and docker hub build for any significant improvements or bugfixes.