
If you want to free yourself from coding authentication into your apps, or just want to serve protected files only to your users, an identity-aware reverse proxy can be a good fit.

Such a reverse proxy, like oauth2-proxy, authenticates users before forwarding requests to your app.

The proxy adds headers identifying the authenticated user to each request, so your app can rely on those headers to establish identity context. Because they are ordinary HTTP headers, this only holds if the app is reachable exclusively through the proxy; a client that can talk to the app directly could set the same headers itself.

This post explains how to configure and run oauth2-proxy in a docker container and authenticate users with Crossid.

Architecture

sequenceDiagram
  autonumber
  Browser->>+Oauth2-Proxy: GET /myapp
  Browser->>+Crossid: User not authenticated
  Crossid->>Crossid: User Signin
  Crossid->>Browser: User Session Created
  Browser->>App: GET /myapp
  Note right of App: forwarded-user: foo@bar.com
  1. An anonymous visitor tries to access the app through the proxy.
  2. oauth2-proxy has no session for the visitor, so it redirects the browser to Crossid for login.
  3. Crossid authenticates the user and redirects the browser back to the proxy's callback URL.
  4. oauth2-proxy completes the login at its callback and creates a session cookie for the authenticated user.
  5. oauth2-proxy proxies the request to the app with identity headers added.

Let's get started!

Add oauth2-proxy integration

First, we need to tell Crossid about our oauth2-proxy.

Log in to your existing Crossid tenant or sign up for free.

  • In the Admin console, navigate to Integration → Marketplace
  • Choose oauth2-proxy and click on Add Integration
  • Follow the wizard steps.

Note:
  • For this example, the redirect URL should be http://127.0.0.1:4180/oauth2/callback, the callback endpoint of the oauth2-proxy we will run on port 4180.
  • Save the client_id and client_secret for the next step.

Grant your user access to the proxy

Let's grant your user access to the proxy.

  • In the proxy's app page, navigate to the Users tab and click the Add User Assignment button.
  • Select your user and press save.

httpbin as our app

For the sake of example, we use http://httpbin.org/anything as our app. Try clicking on it: it just renders our HTTP request as JSON.

Run oauth2-proxy

Let's configure and run oauth2-proxy in a docker container:

docker run --rm -p 4180:4180 \
  -e OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180 \
  -e OAUTH2_PROXY_REDIRECT_URL=http://127.0.0.1:4180/oauth2/callback \
  -e OAUTH2_PROXY_PROVIDER=oidc \
  -e OAUTH2_PROXY_OIDC_ISSUER_URL=https://<tenant>.crossid.io/oauth2/ \
  -e OAUTH2_PROXY_EMAIL_DOMAINS=* \
  -e OAUTH2_PROXY_COOKIE_SECRET=someSecret123456 \
  -e OAUTH2_PROXY_COOKIE_SECURE=true \
  -e OAUTH2_PROXY_CLIENT_ID=<client_id> \
  -e OAUTH2_PROXY_CLIENT_SECRET=<client_secret> \
  -e OAUTH2_PROXY_UPSTREAMS=http://httpbin.org/anything \
  -e OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true \
  quay.io/oauth2-proxy/oauth2-proxy:latest

Replace <tenant> with your tenant name (e.g., acme for https://acme.crossid.io/oauth2/), and <client_id> and <client_secret> with the values saved in the previous step.

With this configuration, every request to http://127.0.0.1:4180/anything is authenticated and then proxied to the upstream (our app). We use httpbin.org, which simply echoes the request back.

A few notes on the settings:

  • OAUTH2_PROXY_COOKIE_SECRET encrypts and signs the session cookie and must be 16, 24 or 32 bytes (raw or base64). Do not keep the placeholder above; generate a random one with: python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'
  • OAUTH2_PROXY_COOKIE_SECURE=true marks the session cookie Secure (HTTPS only). Browsers treat loopback as a secure context, so it works with http://127.0.0.1 here; in a real deployment, terminate TLS in front of the proxy rather than turning this off.
  • OAUTH2_PROXY_EMAIL_DOMAINS=* lets any authenticated user through the proxy; who may log in at all is controlled by the user assignment you made in Crossid.
  • OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true redirects straight to Crossid instead of showing the proxy's own sign-in page.
  • The :latest image tag is fine for a lab; pin a specific version anywhere else so an image update cannot change your auth layer unnoticed.

Accessing our app

Navigating to http://127.0.0.1:4180/anything should redirect you to Crossid for login. Upon successful login, the request is proxied to our app (httpbin.org).

Partial response example:

{
  ...
  "headers": {
    "X-Forwarded-Email": "asaf@crossid.io",
    "X-Forwarded-User": "EN6vzb5dNBuc6fUAkYeKZ8"
  },
  "method": "GET",
  "url": "http://127.0.0.1/anything"
}

X-Forwarded-User carries the Crossid user id and X-Forwarded-Email the user's email address.
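The app behind the proxy must treat these headers as trustworthy only when the request actually arrived through oauth2-proxy; anyone who can reach the app directly could send an X-Forwarded-Email of their choosing. The following is an added example, not code from the original post or from oauth2-proxy: a minimal Python upstream (assumed to listen on port 8080, with assumed proxy address ranges for loopback and Docker's default bridge) that accepts the identity headers only from trusted proxy addresses and otherwise answers 401. Point OAUTH2_PROXY_UPSTREAMS at it instead of httpbin to try it.

```python
"""Upstream app that consumes oauth2-proxy identity headers safely.

Added example (not code from the original post or from oauth2-proxy).
Assumptions: the app listens on port 8080 and is reached only through the
proxy, whose source address falls inside one of TRUSTED_PROXIES.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping, Optional, Sequence, Tuple

# Assumed proxy locations: loopback (proxy on the same host) and Docker's
# default bridge network (a proxy container connects to us from that range).
TRUSTED_PROXIES: Tuple[str, ...] = ("127.0.0.0/8", "::1/128", "172.17.0.0/16")


@dataclass(frozen=True)
class Identity:
    user_id: str  # from X-Forwarded-User: the Crossid user id
    email: str    # from X-Forwarded-Email


def identity_from_request(
    headers: Mapping[str, str],
    remote_addr: str,
    trusted: Sequence[str] = TRUSTED_PROXIES,
) -> Optional[Identity]:
    """Return the authenticated identity, or None if the request is not trusted.

    None means: the request did not come from the proxy, or the proxy did not
    mark it as authenticated. The caller should answer 401 in both cases.
    """
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(src in ipaddress.ip_network(cidr) for cidr in trusted):
        # Request bypassed the proxy: the headers may have been set by the client.
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    norm = {name.lower(): value.strip() for name, value in headers.items()}
    user_id = norm.get("x-forwarded-user", "")
    email = norm.get("x-forwarded-email", "")
    if not user_id or not email:
        # oauth2-proxy sets both for an authenticated session; anything else
        # is not an authenticated request.
        return None
    return Identity(user_id=user_id, email=email)


def handle(
    headers: Mapping[str, str],
    remote_addr: str,
    path: str,
    trusted: Sequence[str] = TRUSTED_PROXIES,
) -> Tuple[int, Dict[str, str]]:
    """Pure request handling: returns (status code, JSON body) like httpbin does."""
    ident = identity_from_request(headers, remote_addr, trusted)
    if ident is None:
        return 401, {"error": "unauthenticated"}
    return 200, {"user": ident.user_id, "email": ident.email, "path": path}


class AppHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle(); the peer address is the proxy's."""

    def do_GET(self) -> None:
        status, body = handle(dict(self.headers.items()), self.client_address[0], self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Assumed port; set OAUTH2_PROXY_UPSTREAMS to this app's address.
    HTTPServer(("0.0.0.0", 8080), AppHandler).serve_forever()
```

Network isolation is the primary control: run the app on a private Docker network and publish only the proxy's port 4180. The source-address check is defence in depth for the case where that isolation slips, and it costs nothing to keep.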

Recap

We have seen how to free our app from authentication complexity by lifting it into oauth2-proxy, leaving the app to read the identity headers the proxy adds.

For more info about oauth2-proxy, visit https://oauth2-proxy.github.io/oauth2-proxy/docs.