To defence the internal web or resources use Oauth2 proxy

Mar 18, 2023 · · Authortication OIDC Cloud Native ·

To protect the some internal web resources we can use Oauth2 proxy to integration many identity tools for example: gitlab, github, Open ID, OpenLDAP and so on

Get the Oauth2-proxy helm chat package

1# add the oauth2-pxory helm repo url
2helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
3# decompression the tar package
4tar -xzvf oauth2-proxy-6.10.1.tgz
5# move to chats sub directory
6mv oauth2-proxy /terraform/iac/charts

The oauth2-proxy config

 1resource "helm_release" "oauth2-proxy" {
 2    name = "oauth2-proxy"
 3    chart = "./charts/oauth2-proxy"
 4    namespace = "default"
 5
 6    values = [
 7        <<-EOF
 8        config:
 9            existingSecret: "oauth2-proxy"
10            cookieName: "oauth2"
11            configFile: |-
12                provider="oidc"
13                email_domains=["*"]
14                redirect_url="https://oauth2.test.com/oauth2/callback"
15                oidc_issuer_url="https://dex-oidc.test.com"
16                upstreams=["http://myui:2802/", "http://test2.other:3000/demo/"]
17                insecure_oidc_allow_unverified_email="true"
18                pass_authorization_header="true"
19                pass_access_token="true"
20                pass_basic_auth="true"
21                set_authorization_header="true"
22                custom_sign_in_logo = "https://img.test.com/test.png"
23                provider_display_name = "GitLab login"
24                banner="GitLab"
25                skip_auth_regex=["\\.css$", "\\.js$", "\\.woff2$", "\\.svg$", "\\.png$", "\\.ico$", "\\.json"]                
26        image:
27            repository: "myregistory.com/oauth2-proxy/oauth2-proxy"
28            tag: "v7.4.0"
29        serviceAccount:
30            enabled: false
31        ingress:
32            enabled: true
33            path: /
34            annotations:
35                kubernetes.io/ingress.class: nginx
36            hosts:
37                - oauth2-login.test.com
38        EOF
39    ]
40}

Oauth2-proxy provide the access apis

{HostUrl}/oauth2/userinfo
{HostUrl}/oauth2/sign_in
{HostUrl}/oauth2/sign_out

Oauth2 proxy values template

 1config:
 2  cookieSecret: "XXXXXXXXXXXXXXXX" # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret
 3  # cookieName: "_oauth2_proxy"    # Name of the cookie that oauth2-proxy creates, if not set defaults to "_oauth2_proxy"
 4  configFile: |-
 5                email_domains = [ "*" ]        # Restrict to these E-Mail Domains, a wildcard "*" allows any email
 6alphaConfig:
 7  enabled: true
 8  providers:
 9  - clientID:        # IdP Client ID
10    clientSecret:    # IdP Client Secret
11    id: oidc-istio
12    provider: oidc   # We use the generic 'oidc' provider
13    loginURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/auth
14    redeemURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/token
15    profileURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/userinfo
16    validateURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/userinfo
17  scope: "openid email profile groups"
18  allowedGroups:
19  - admins # List all groups managed at our your IdP which should be allowed access
20  # - infrateam
21  # - anothergroup
22  oidcConfig:
23    emailClaim: email.  # Name of the clain in JWT containing the E-Mail
24    groupsClaim: groups # Name of the claim in JWT containing the Groups
25    userIDClaim: email  # Name of the claim in JWT containing the User ID
26    skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it
27    issuerURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>
28    jwksURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/certs
29  upstreamConfig:
30    upstreams:
31      - id: static_200
32        path: /
33        static: true
34        staticCode: 200
35  # Headers that should be added to responses from the proxy
36  injectResponseHeaders: # Send this headers in responses from oauth2-proxy
37    - name: X-Auth-Request-Preferred-Username
38      values:
39        - claim: preferred_username
40    - name: X-Auth-Request-Email
41      values:
42        - claim: email
43extraArgs:
44  cookie-secure: "false"
45  cookie-domain: ".example.com"    # Replace with your base domain
46  cookie-samesite: lax
47  cookie-expire: 12h               # How long our Cookie is valid
48  auth-logging: true               # Enable / Disable auth logs
49  request-logging: true            # Enable / Disable request logs
50  standard-logging: true           # Enable / Disable the standart logs
51  show-debug-on-error: true        # Disable in production setups
52  skip-provider-button: true       # We only have one provider configured (Keycloak)
53  silence-ping-logging: true       # Keeps our logs clean
54  whitelist-domain: ".example.com" # Replace with your base domain

Reference resources

(Oauth2-proxy config example)[https://github.com/oauth2-proxy/oauth2-proxy/blob/6cc7da8993cf81dc0aae475edfd1632fd74d7818/contrib/oauth2-proxy.cfg.example]
(Official docs)[https://oauth2-proxy.github.io/oauth2-proxy/docs/]
(integration the DEX identity)[https://github.com/dexidp/dex]