Ansible role for configuring oauth2_proxy Docker container https://github.com/pusher/oauth2_proxy
markoburcul fcddc3c2d1
readme: Add known issues paragraph
Add new paragraph with an explanation of an issue we had recently with
oauth2 proxy setup.

Signed-off-by: markoburcul <marko@status.im>
2024-09-13 14:57:52 +02:00

README.md

Description

This role configures an oauth2_proxy container for GitHub-based OAuth.

Configuration

These settings are all mandatory:

oauth_service_name: 'example-oauth'
oauth_service_path: '/docker/example/oauth'
oauth_domain: 'oauth.example.org'
oauth_upstream_port: 4321
oauth_local_port: 1234
oauth_cookie_secret: '123qweASD'
oauth_provider: 'github'
oauth_id: 'some-id'
oauth_secret: 'some-secret'
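The oauth_cookie_secret value above is only a placeholder: oauth2_proxy derives the cookie cipher key from it and accepts the value either as a raw string or as URL-safe base64, and the resulting key must be 16, 24 or 32 bytes long. As an added example that is not part of this role, the Python below mirrors that decoding rule (function names are our own), reports why a value would be rejected, and generates a suitable secret:

```python
import base64
import binascii
import re
import secrets

# AES key sizes oauth2_proxy accepts for the cookie cipher.
VALID_KEY_SIZES = (16, 24, 32)
_URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]*=*$")


def _go_style_padding(secret: str) -> str:
    """Append '=' until the length is a multiple of 4, as oauth2_proxy does before decoding."""
    return secret + "=" * (-len(secret) % 4)


def secret_bytes(secret: str) -> bytes:
    """Mirror oauth2_proxy's secret handling: use the URL-safe base64 decoding only when it
    yields an AES-sized key; otherwise the raw string itself is the key."""
    if _URLSAFE_B64.match(secret):
        try:
            decoded = base64.b64decode(_go_style_padding(secret), altchars=b"-_", validate=True)
            if len(decoded) in VALID_KEY_SIZES:
                return decoded
        except (binascii.Error, ValueError):
            pass  # not valid base64: fall through to the raw string
    return secret.encode("utf-8")


def check_cookie_secret(secret: str) -> tuple[bool, str]:
    """Return (ok, reason) for an oauth_cookie_secret value as oauth2_proxy would judge it."""
    if not secret:
        return False, "missing setting: cookie-secret"
    key = secret_bytes(secret)
    if len(key) not in VALID_KEY_SIZES:
        return False, f"cookie secret resolves to {len(key)} bytes; must be one of {VALID_KEY_SIZES}"
    form = "base64-decoded" if key != secret.encode("utf-8") else "raw"
    return True, f"{len(key)}-byte {form} key"


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Generate a random, URL-safe base64 secret that decodes to an AES key of nbytes."""
    if nbytes not in VALID_KEY_SIZES:
        raise ValueError("nbytes must be 16, 24 or 32")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # The README placeholder is 9 bytes and is rejected; the generated value is accepted.
    for candidate in ("123qweASD", generate_cookie_secret()):
        print(candidate, "->", check_cookie_secret(candidate))
```

Note that a 32-character string made only of base64 characters is taken as base64 and yields a 24-byte key, so check the reported form rather than assuming the raw length is used.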

These options are optional:

oauth_local_addr: '0.0.0.0'
oauth_cont_volumes: ['/docker/example/www:/www']
oauth_upstream_url: 'file:///www#/'
oauth_cont_networks: ['other-container-network']

Different providers have different mandatory settings.

GitHub

oauth_github_org: 'example-org'
oauth_github_teams: ['devops', 'security']

Google

oauth_google_domain: 'example.org'

Keycloak

oauth_keycloak_url: 'https://keycloak.example.org'
oauth_keycloak_realm: 'example-org'
oauth_keycloak_domain: 'example.org'
oauth_keycloak_groups: ['admins', 'security']
oauth_keycloak_roles: ['admin']
oauth_scope: 'openid'

For the Keycloak client to work with oauth-proxy, set up the Keycloak client as described here under "Keycloak new admin console". The important part is to configure the dedicated audience mapper for your client.

Nested Docker Compose

To include oauth-proxy in another Docker Compose setup:

oauth_compose_skip_start: true
oauth_upstream_addr: 'container-webui'

Management

The container is created using Docker Compose:

admin@host.example.org:/docker/example % dc ps
       Name                Command               State           Ports         
-------------------------------------------------------------------------------
example-oauth   /bin/oauth2-proxy --provid ...   Up      0.0.0.0:9292->9292/tcp

Known issues

Provider: keycloak-oidc, Service: Prometheus UI

The setup is composed of an Nginx proxy in front of the OAuth2 proxy container. After logging in, we got a 502 Bad Gateway on the Nginx proxy. By inspecting the Nginx error logs we found this error:

2024/09/13 12:27:40 [error] 1699601#1699601: *28212 upstream sent too big header while reading response header from upstream...

We just had to increase the proxy buffer sizes in the Nginx config and everything was working normally:

  proxy_buffering on;
  proxy_buffers 16 256k;
  proxy_buffer_size 128k;