A simple, ready-to-Go service that reverse-proxies your token endpoint requests to configured OAuth2 providers and attaches the client secret to the request. This is useful when the authorization server does not support authorization flows for public clients (clients that have no client secret), but the client application has to run on the end-user device, where a secret cannot be kept confidential. The proxy holds the secret instead and injects it on the way to the token endpoint.
A valid installation of Go is required. This installs the latest tagged version of the oauthproxy cmd tool (Go falls back to the master branch only when no version tag exists):

go install github.com/gume1a/oauthproxy@latest
You can also download the binary from the releases page of the repository. Each release contains the binary for the supported platforms.
The configuration is done via a yaml file and environment variables. The default path is ./oauthconfig.yaml; if no configuration file is found, the server starts on localhost:8081 with no configured providers. An example configuration:
# config/.template.oauthconfig.yaml
host: localhost
port: 8081
providers:
  supported:
    - id: github
      client_secret: GITHUB_SECRET
    - id: google
      client_secret: GOOGLE_SECRET
  custom:
    - id: custom
      client_secret: CUSTOM_SECRET
      token_endpoint: https://example.com/oauth2/authorize
As seen above, the configuration is split into two parts. The first part is the supported providers: these are already known to the code (their token endpoints are hardcoded), so the only thing you configure is where the secret comes from. The second part is the custom providers, for which you additionally supply the token_endpoint. Make sure token_endpoint is the provider's token endpoint (the URL that exchanges authorization codes or refresh tokens for tokens), not its authorization endpoint; the URL in the template above is only a placeholder.
The client_secret field is the name of the environment variable that holds the client secret for the provider, not the secret itself, so the yaml file never contains secrets. The variables can also be loaded from a dotenv file (.env) in the working directory, but that is not required.
# config/.template.env
GITHUB_SECRET=github_secret
GOOGLE_SECRET=google_secret
CUSTOM_SECRET=custom_secret
With this configuration, the proxy will be able to handle requests for the github, google and custom providers. Arbitrarily many providers can be configured.
After installation the server can be started by running the oauth-proxy command. The proxy will start listening on the configured host and port.
$ oauth-proxy
_ _
___ __ _ _ _| |_| |__ _ __ _ __ _____ ___ _
/ _ \ / _` | | | | __| '_ \| '_ \| '__/ _ \ \/ / | | |
| (_) | (_| | |_| | |_| | | | |_) Who let the secrets OUT?
\___/ \__,_|\__,_|\__|_| |_| .__/|_| \___/_/\_\\__, |
|_| v0.2.0 |___/
2023/02/20 08:04:17 INIT .env loaded
2023/02/20 08:04:17 PROVIDERS [github google custom]
2023/02/20 08:04:17 SERVER starting listening on http://localhost:8081
The proxy currently exposes two endpoints:

/oauth/<client_id> - Used to obtain a token from the provider with the given id. Despite the name, <client_id> is the id of the provider in the configuration file (github, google, custom in the example above). The request is forwarded to the configured token endpoint with the client secret attached, and the token endpoint's response is returned to the caller unchanged.

/supported - Returns the list of supported providers. The list is the same as the list of providers in the configuration file.

Because the proxy attaches the secret to every request that reaches /oauth/<client_id>, it effectively acts as the confidential client for all of your end-user devices: anyone who can reach it can exchange an authorization code with your secret. Restrict who can reach it accordingly and do not expose it to untrusted networks.
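To make the forwarding behaviour concrete, below is a minimal proxy written for this page as an added example; it is not the project's code, and the type and function names (Provider, Proxy, secretFor, injectSecret) are invented for illustration. It mirrors the fields of the yaml above: the provider id used in the /oauth/<id> path, the name of the environment variable holding the secret, and the token endpoint. On each request it resolves the secret from the environment, sets client_secret on the forwarded form (replacing any value the caller sent, so a caller cannot substitute their own), POSTs the form to the token endpoint and relays the upstream status and body. The token endpoint URL in main is a placeholder.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Provider mirrors one entry of the yaml config: the id used in the
// /oauth/<id> path, the NAME of the environment variable that holds the
// secret, and the upstream token endpoint (hardcoded for supported
// providers, configured for custom ones).
type Provider struct {
	ID              string
	ClientSecretEnv string
	TokenEndpoint   string
}

// Proxy holds the configured providers keyed by id and the HTTP client
// used to reach the upstream authorization servers.
type Proxy struct {
	Providers map[string]Provider
	Client    *http.Client
}

// secretFor resolves the provider's secret from the environment at request
// time, so the secret never has to appear in the yaml file itself.
func secretFor(p Provider) (string, error) {
	v, ok := os.LookupEnv(p.ClientSecretEnv)
	if !ok || v == "" {
		return "", fmt.Errorf("provider %q: env var %s is not set", p.ID, p.ClientSecretEnv)
	}
	return v, nil
}

// injectSecret returns a copy of the caller's form with client_secret set
// to the proxy's value (replacing anything the caller sent). All other
// fields (grant_type, code, redirect_uri, code_verifier, ...) pass through.
func injectSecret(form url.Values, secret string) url.Values {
	out := url.Values{}
	for k, vs := range form {
		out[k] = append([]string(nil), vs...)
	}
	out.Set("client_secret", secret)
	return out
}

// ServeHTTP handles POST /oauth/<id>: look up the provider, add the secret,
// forward the form body to the token endpoint and relay the upstream
// status, content type and body back to the caller.
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	id := strings.TrimPrefix(r.URL.Path, "/oauth/")
	prov, ok := p.Providers[id]
	if !ok {
		http.Error(w, "unknown provider", http.StatusNotFound)
		return
	}
	secret, err := secretFor(prov)
	if err != nil {
		log.Print(err)
		http.Error(w, "provider misconfigured", http.StatusInternalServerError)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	// Only the POST body is forwarded; query parameters are deliberately dropped.
	body := injectSecret(r.PostForm, secret).Encode()
	resp, err := p.Client.Post(prov.TokenEndpoint, "application/x-www-form-urlencoded", strings.NewReader(body))
	if err != nil {
		http.Error(w, "upstream unreachable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	if ct := resp.Header.Get("Content-Type"); ct != "" {
		w.Header().Set("Content-Type", ct)
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func main() {
	// Constructed configuration matching the "custom" provider of the yaml
	// above; the token endpoint URL is a placeholder.
	px := &Proxy{
		Providers: map[string]Provider{
			"custom": {ID: "custom", ClientSecretEnv: "CUSTOM_SECRET", TokenEndpoint: "https://example.com/oauth2/token"},
		},
		Client: http.DefaultClient,
	}
	log.Fatal(http.ListenAndServe("localhost:8081", px))
}
```

With CUSTOM_SECRET exported, a public client on the device sends its normal token request to the proxy instead of the provider, for example `curl -X POST http://localhost:8081/oauth/custom -d grant_type=authorization_code -d code=... -d redirect_uri=...`, and receives the provider's JSON response. Note that the secret is read with os.LookupEnv on every request, so a missing variable surfaces as a 500 on first use rather than a crash at startup; a production implementation would validate all providers when the config is loaded.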
All the basic commands are in the Makefile.
------------------------------------------------------------------------
Container commands:
docker/build # Builds oauthproxy:latest image.
docker/build/% # Builds oauthproxy:% image.
docker/run # Runs oauthproxy:latest image.
docker/run/% # Runs oauthproxy:% image.
------------------------------------------------------------------------