
Commit 53bfcca

authored
Feature oauth2 proxy upgrade (#1240)
1 parent 49fd220 commit 53bfcca


7 files changed

+255
-71
lines changed


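--- a/.github/workflows/ci-build-deploy.yaml
+++ b/.github/workflows/ci-build-deploy.yaml
@@ -197,29 +197,97 @@ jobs:
 
 oauthProxy:
 enabled: true
-image:
-repository: ${{ env.REGISTRY }}/bcgov-dss/api-serv-infra/oauth2-proxy
-tag: 7.2.1-8c743f0c
-pullPolicy: IfNotPresent
 
 config:
-upstream: http://127.0.0.1:3000
-client-id: ${{ secrets.OIDC_CLIENT_ID }}
-client-secret: ${{ secrets.OIDC_CLIENT_SECRET }}
-oidc-issuer-url: ${{ secrets.OIDC_ISSUER }}
-redirect-url: https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback
-skip-auth-regex: '/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed/|/signout|/content|^[/]$'
-whitelist-domain: authz-apps-gov-bc-ca.dev.api.gov.bc.ca
-skip-provider-button: 'true'
-profile-url: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
-insecure-oidc-allow-unverified-email: 'true'
-oidc-email-claim: 'sub'
-pass-basic-auth: 'false'
-pass-access-token: 'true'
-set-xauthrequest: 'true'
-skip-jwt-bearer-tokens: 'false'
-set-authorization-header: 'false'
-pass-authorization-header: 'false'
+- filename: oauth2-proxy.cfg
+mountPath: /oauth2-proxy.cfg
+contents: |-
+cookie_expire='24h'
+cookie_refresh='3m'
+cookie_secure='true'
+cookie_samesite='strict'
+cookie_secret='not_secretenough'
+email_domains='*'
+redirect_url='https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback'
+skip_auth_regex='/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed|/metrics|/signout|/gw/api|/content|^[/]$'
+skip_jwt_bearer_tokens='false'
+skip_provider_button='true'
+whitelist_domains='authz-apps-gov-bc-ca.dev.api.gov.bc.ca'
+# redis_connection_url="redis://redis-headless:6379"
+# session_store_type="redis"
+# redis_password=""
+# insecure-oidc-allow-unverified-email: 'true'
+# insecure-oidc-skip-issuer-verification: 'true'
+# oidc-email-claim: 'sub'
+# pass-authorization-header: 'false'
+# set-authorization-header: 'false'
+
+- filename: oauth2-proxy.yaml
+mountPath: /oauth2-proxy.yaml
+yaml:
+injectRequestHeaders:
+- name: X-Forwarded-Groups
+values:
+- claim: groups
+- name: X-Forwarded-User
+values:
+- claim: user
+- name: X-Forwarded-Email
+values:
+- claim: email
+- name: X-Forwarded-Preferred-Username
+values:
+- claim: preferred_username
+- name: X-Forwarded-Access-Token
+values:
+- claim: access_token
+injectResponseHeaders: []
+metricsServer:
+BindAddress: ""
+SecureBindAddress: ""
+TLS: null
+providers:
+- clientID: ${{ secrets.OIDC_CLIENT_ID }}
+clientSecret: ${{ secrets.OIDC_CLIENT_SECRET }}
+loginURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/auth
+id: oidc=aps-portal
+loginURLParameters:
+- default:
+- force
+name: approval_prompt
+- allow:
+- pattern: ".*$"
+name: kc_idp_hint
+oidcConfig:
+audienceClaims:
+- aud
+emailClaim: sub
+groupsClaim: groups
+insecureAllowUnverifiedEmail: true
+insecureSkipNonce: true
+issuerURL: ${{ secrets.OIDC_ISSUER }}
+userIDClaim: sub
+
+profileURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
+provider: oidc
+redeemURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/token
+scope: openid
+validateURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
+
+server:
+BindAddress: 0.0.0.0:7999
+SecureBindAddress: ""
+TLS: null
+upstreamConfig:
+upstreams:
+- flushInterval: 1s
+id: /
+passHostHeader: true
+path: /
+proxyWebSockets: true
+timeout: 30s
+uri: http://127.0.0.1:3000
+
 env:
 SESSION_SECRET:
 value: '234873290483290'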
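Review bot: `cookie_secret='not_secretenough'` in the new `oauth2-proxy.cfg` block is a fixed value committed to the workflow, while the client secret mounted alongside it is read from `${{ secrets.OIDC_CLIENT_SECRET }}`; this value is what oauth2-proxy uses to encrypt and sign its session cookie, so a repository-readable secret removes the integrity guarantee of every session the deployed proxy issues. Source it the same way as the other credentials, e.g. `cookie_secret='${{ secrets.OAUTH2_COOKIE_SECRET }}'` where OAUTH2_COOKIE_SECRET stands for whatever secret name the repository defines, keeping the value 16, 24 or 32 bytes long as oauth2-proxy requires. The alpha config in the same hunk also sets `insecureSkipNonce: true`, as do the two new local alpha files in the sections starting at L404 and L630; unless the issuer is known not to return the nonce claim, this should be `false` so ID tokens stay bound to the authorization request that produced them. The rewritten `skip_auth_regex` additionally bypasses `/metrics` and shortens `/feed/` to `/feed`, and since the pattern is unanchored any upstream path starting with those prefixes is now served without a session; confirm that is intended.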

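--- a/README.md
+++ b/README.md
@@ -76,9 +76,10 @@ hostip=$(ifconfig en0 | awk '$1 == "inet" {print $2}')
 
 docker run -ti --rm --name proxy --net=host \
 --add-host portal.localtest.me:$hostip \
+-v `pwd`/local/oauth2-proxy/oauth2-proxy-dev.yaml:/oauth2.yaml \
 -v `pwd`/local/oauth2-proxy/oauth2-proxy-dev.cfg:/oauth2.config \
-quay.io/oauth2-proxy/oauth2-proxy:v7.2.0 \
---config /oauth2.config
+quay.io/oauth2-proxy/oauth2-proxy:v7.8.1 \
+--alpha-config /oauth2.yaml --config /oauth2.config
 ```
 
 1. Start the Portal locally: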

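--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,18 +42,17 @@ services:
 aliases:
 - keycloak.localtest.me
 oauth2-proxy:
-image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
+image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
 container_name: oauth2-proxy
-command: --config ./oauth2-proxy.cfg
+command: --alpha-config /oauth2-proxy.yaml --config /oauth2-proxy.cfg
 depends_on:
 - keycloak
 ports:
 - 4180:4180/tcp
 volumes:
+- ./local/oauth2-proxy/oauth2-proxy-local.yaml:/oauth2-proxy.yaml
 - ./local/oauth2-proxy/oauth2-proxy-local.cfg:/oauth2-proxy.cfg
 restart: unless-stopped
-env_file:
-- .env.local
 networks:
 aps-net:
 aliases: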
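Review bot: Removing `env_file: - .env.local` from the `oauth2-proxy` service means any `OAUTH2_PROXY_*` variables that file supplied no longer reach the container, and nothing in this hunk shows whether `.env.local` carried anything beyond the provider settings that the two mounted files now replace. If it still holds values the proxy needs (a cookie secret override, for instance), keep the `env_file` entry or move them into the mounted config; if it is now unused for this service, a comment above `volumes:` such as `# proxy is configured entirely from the two mounted files; .env.local is no longer read` would spare the next reader the same question.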
Lines changed: 5 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,27 +1,10 @@
1-
http_address="0.0.0.0:4180"
1+
cookie_expire="24h"
2+
cookie_refresh="3m"
23
cookie_secret="abcd1234!@#$$++="
4+
cookie_secure="false"
35
email_domains="*"
4-
provider="oidc"
5-
insecure_oidc_allow_unverified_email="true"
6-
client_id="aps-portal"
7-
client_secret="8e1a17ed-cb93-4806-ac32-e303d1c86018"
8-
scope="openid"
9-
oidc_issuer_url="http://keycloak.localtest.me:9081/auth/realms/master"
10-
login_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth"
11-
redeem_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token"
12-
validate_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
136
redirect_url="http://oauth2proxy.localtest.me:4180/oauth2/callback"
14-
profile_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
15-
cookie_secure="false"
16-
cookie_refresh="3m"
17-
cookie_expire="24h"
18-
pass_basic_auth="false"
19-
pass_access_token="true"
20-
set_xauthrequest="true"
21-
skip_jwt_bearer_tokens="false"
22-
set_authorization_header="false"
23-
pass_authorization_header="false"
247
skip_auth_regex="/__coverage__|/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/gw/api|/feed/|/signout|^[/]$"
25-
whitelist_domains="keycloak.localtest.me:9081"
26-
upstreams=["http://portal.localtest.me:3000"]
8+
skip_jwt_bearer_tokens="false"
279
skip_provider_button='true'
10+
whitelist_domains="keycloak.localtest.me:9081"
Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
injectRequestHeaders:
2+
- name: X-Forwarded-Groups
3+
values:
4+
- claim: groups
5+
- name: X-Forwarded-User
6+
values:
7+
- claim: user
8+
- name: X-Forwarded-Email
9+
values:
10+
- claim: email
11+
- name: X-Forwarded-Preferred-Username
12+
values:
13+
- claim: preferred_username
14+
- name: X-Forwarded-Access-Token
15+
values:
16+
- claim: access_token
17+
injectResponseHeaders:
18+
- name: X-Auth-Request-User
19+
values:
20+
- claim: user
21+
- name: X-Auth-Request-Email
22+
values:
23+
- claim: email
24+
- name: X-Auth-Request-Preferred-Username
25+
values:
26+
- claim: preferred_username
27+
- name: X-Auth-Request-Groups
28+
values:
29+
- claim: groups
30+
- name: X-Auth-Request-Access-Token
31+
values:
32+
- claim: access_token
33+
metricsServer:
34+
BindAddress: ''
35+
SecureBindAddress: ''
36+
TLS: null
37+
providers:
38+
- clientID: aps-portal
39+
clientSecret: 8e1a17ed-cb93-4806-ac32-e303d1c86018
40+
id: oidc=aps-portal
41+
loginURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth
42+
loginURLParameters:
43+
- default:
44+
- force
45+
name: approval_prompt
46+
- allow:
47+
- pattern: '.*$'
48+
name: kc_idp_hint
49+
oidcConfig:
50+
audienceClaims:
51+
- aud
52+
emailClaim: email
53+
groupsClaim: groups
54+
insecureAllowUnverifiedEmail: true
55+
insecureSkipNonce: true
56+
issuerURL: http://keycloak.localtest.me:9081/auth/realms/master
57+
userIDClaim: email
58+
profileURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
59+
provider: oidc
60+
redeemURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token
61+
scope: openid
62+
validateURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
63+
server:
64+
BindAddress: 0.0.0.0:4180
65+
SecureBindAddress: ''
66+
TLS: null
67+
upstreamConfig:
68+
upstreams:
69+
- flushInterval: 1s
70+
id: /
71+
passHostHeader: true
72+
path: /
73+
proxyWebSockets: true
74+
timeout: 30s
75+
uri: http://portal.localtest.me:3000
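Review bot: This new alpha config injects `X-Auth-Request-*` response headers, including `X-Auth-Request-Access-Token`, whereas the CI config in the same commit sets `injectResponseHeaders: []`; if oauth2-proxy applies the response header chain to proxied responses as I read it, the local proxy hands the raw access token back to the browser on every response while the deployed one does not. If the local setup is meant to mirror the deployment, `injectResponseHeaders: []` here keeps the two aligned; if the extra headers are deliberate for local debugging, a one-line comment above `injectResponseHeaders:` saying so would document the divergence. The same applies to the otherwise identical file in the section starting at L630, which differs from this one only in the upstream `uri`.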
Lines changed: 5 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,30 +1,13 @@
1-
http_address="0.0.0.0:4180"
1+
cookie_expire="24h"
2+
cookie_refresh="3m"
23
cookie_secret="abcd1234!@#$$++="
4+
cookie_secure="false"
35
email_domains="*"
4-
provider="oidc"
5-
insecure_oidc_allow_unverified_email="true"
6-
client_id="aps-portal"
7-
client_secret="8e1a17ed-cb93-4806-ac32-e303d1c86018"
8-
scope="openid"
9-
oidc_issuer_url="http://keycloak.localtest.me:9081/auth/realms/master"
10-
login_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth"
11-
redeem_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token"
12-
validate_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
136
redirect_url="http://oauth2proxy.localtest.me:4180/oauth2/callback"
14-
profile_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
15-
cookie_secure="false"
16-
cookie_refresh="3m"
17-
cookie_expire="24h"
18-
pass_basic_auth="false"
19-
pass_access_token="true"
20-
set_xauthrequest="true"
21-
skip_jwt_bearer_tokens="false"
22-
set_authorization_header="false"
23-
pass_authorization_header="false"
247
skip_auth_regex="/__coverage__|/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/gw/api|/feed/|/signout|^[/]$"
25-
whitelist_domains="keycloak.localtest.me:9081"
26-
upstreams=["http://apsportal.localtest.me:3000"]
8+
skip_jwt_bearer_tokens="false"
279
skip_provider_button='true'
10+
whitelist_domains="keycloak.localtest.me:9081"
2811
redis_connection_url="redis://redis-master:6379"
2912
session_store_type='redis'
3013
redis_password='s3cr3t'
Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
injectRequestHeaders:
2+
- name: X-Forwarded-Groups
3+
values:
4+
- claim: groups
5+
- name: X-Forwarded-User
6+
values:
7+
- claim: user
8+
- name: X-Forwarded-Email
9+
values:
10+
- claim: email
11+
- name: X-Forwarded-Preferred-Username
12+
values:
13+
- claim: preferred_username
14+
- name: X-Forwarded-Access-Token
15+
values:
16+
- claim: access_token
17+
injectResponseHeaders:
18+
- name: X-Auth-Request-User
19+
values:
20+
- claim: user
21+
- name: X-Auth-Request-Email
22+
values:
23+
- claim: email
24+
- name: X-Auth-Request-Preferred-Username
25+
values:
26+
- claim: preferred_username
27+
- name: X-Auth-Request-Groups
28+
values:
29+
- claim: groups
30+
- name: X-Auth-Request-Access-Token
31+
values:
32+
- claim: access_token
33+
metricsServer:
34+
BindAddress: ''
35+
SecureBindAddress: ''
36+
TLS: null
37+
providers:
38+
- clientID: aps-portal
39+
clientSecret: 8e1a17ed-cb93-4806-ac32-e303d1c86018
40+
id: oidc=aps-portal
41+
loginURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth
42+
loginURLParameters:
43+
- default:
44+
- force
45+
name: approval_prompt
46+
- allow:
47+
- pattern: '.*$'
48+
name: kc_idp_hint
49+
oidcConfig:
50+
audienceClaims:
51+
- aud
52+
emailClaim: email
53+
groupsClaim: groups
54+
insecureAllowUnverifiedEmail: true
55+
insecureSkipNonce: true
56+
issuerURL: http://keycloak.localtest.me:9081/auth/realms/master
57+
userIDClaim: email
58+
profileURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
59+
provider: oidc
60+
redeemURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token
61+
scope: openid
62+
validateURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
63+
server:
64+
BindAddress: 0.0.0.0:4180
65+
SecureBindAddress: ''
66+
TLS: null
67+
upstreamConfig:
68+
upstreams:
69+
- flushInterval: 1s
70+
id: /
71+
passHostHeader: true
72+
path: /
73+
proxyWebSockets: true
74+
timeout: 30s
75+
uri: http://apsportal.localtest.me:3000
