Comments (4)
For testing I implemented something in nginx to achieve this:

```nginx
# Pick the try_files fallback based on the authenticated email
map $email $conditional_access {
    default "/forbidden";
    "[email protected]" "@proxy";
}

location /forbidden {
    return 403;
}

location / {
    # oauth-proxy stuff here
    try_files "" $conditional_access;
}

location @proxy {
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_app backend_server;
    set $upstream_port 8080;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
```
from oauth2-proxy.
No, this is not possible. You will have to deploy multiple instances of oauth2-proxy, each with another email file. It would be a huge security risk exposing this functionality; this way a malicious user could overwrite which email auth file to use just by setting it in the query parameters.
from oauth2-proxy.
If you have so many users and roles that you even need to think about separating them into different files on a path / endpoint level, I would recommend that you start using Keycloak or something similar with user federation to Google and do user grouping / mapping with a proper identity management tool.
from oauth2-proxy.
Thanks. Currently have a couple of users only. Might look into Keycloak in the future, looks more scalable and interesting to learn.
from oauth2-proxy.
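A fuller version of the nginx approach from the first comment, as an added example that is not part of the original thread or the oauth2-proxy project: each protected path gets its own `map` allowlist, and the binding between path and allowlist is fixed in server config, so nothing in the request can select a different list. Hostnames, ports, paths and email addresses are constructed; the fragment belongs inside the `http` block and assumes oauth2-proxy runs with `--set-xauthrequest`.

```nginx
# Added example; hosts, ports, paths and addresses are constructed.
# Assumes oauth2-proxy runs with --set-xauthrequest so that the auth
# subrequest response carries X-Auth-Request-Email.
map $email $admin_access {            # allowlist for /admin/
    default             "/forbidden";
    "alice@example.com" "@admin_backend";
}
map $email $reports_access {          # allowlist for /reports/
    default             "/forbidden";
    "alice@example.com" "@reports_backend";
    "bob@example.com"   "@reports_backend";
}
server {
    listen 8000;
    server_name app.example.com;

    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }
    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
    location = /forbidden {
        internal;                     # reachable only via try_files fallback
        return 403;
    }
    location /admin/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        auth_request_set $email $upstream_http_x_auth_request_email;
        # try_files runs after the access phase, so $email is already set
        # when the map is evaluated. The list is chosen by this location.
        try_files "" $admin_access;
    }
    location /reports/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        auth_request_set $email $upstream_http_x_auth_request_email;
        try_files "" $reports_access;
    }
    location @admin_backend   { proxy_pass http://127.0.0.1:8080; }
    location @reports_backend { proxy_pass http://127.0.0.1:8081; }
}
```

Because `default` maps to `/forbidden`, an authenticated user who is missing from a path's list, or a request where `$email` is empty, gets a 403 rather than reaching the backend.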