{"id":38877228,"url":"https://github.com/containerinfra/oauth2-proxy","last_synced_at":"2026-01-17T14:37:07.467Z","repository":{"id":38414933,"uuid":"416893328","full_name":"containerinfra/oauth2-proxy","owner":"containerinfra","description":"Docker build oauth2-proxy using distroless (https://github.com/oauth2-proxy/oauth2-proxy)","archived":false,"fork":false,"pushed_at":"2025-10-27T19:26:03.000Z","size":75,"stargazers_count":4,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-27T21:23:13.460Z","etag":null,"topics":["distroless","docker","oauth2-proxy","oidc"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containerinfra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-10-13T20:47:18.000Z","updated_at":"2025-10-27T19:26:06.000Z","dependencies_parsed_at":"2024-05-16T06:52:41.454Z","dependency_job_id":"0d11bceb-33e8-4bd7-9030-d185de1d5aac","html_url":"https://github.com/containerinfra/oauth2-proxy","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/containerinfra/oauth2-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Foauth2-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Foauth2-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/containerinfra%2Foauth2-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Foauth2-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containerinfra","download_url":"https://codeload.github.com/containerinfra/oauth2-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Foauth2-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28510108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T13:38:16.342Z","status":"ssl_error","status_checked_at":"2026-01-17T13:37:44.060Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["distroless","docker","oauth2-proxy","oidc"],"created_at":"2026-01-17T14:37:07.383Z","updated_at":"2026-01-17T14:37:07.444Z","avatar_url":"https://github.com/containerinfra.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker oauth2-proxy\n\nDocker image build for [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/), using distroless as a base image instead of alpine.\n\n[![Docker hub](https://img.shields.io/docker/pulls/containerinfra/oauth2-proxy.svg)](https://hub.docker.com/r/containerinfra/oauth2-proxy/) ![GitHub Workflow 
Status](https://img.shields.io/github/actions/workflow/status/containerinfra/oauth2-proxy/release.yml?branch=main)\n\n## Table of Contents\n\n- [Usage](#usage)\n- [Contribute](#contribute)\n- [License](#license)\n\n## Usage\n\n### Images\n\n- docker pull docker.io/containerinfra/oauth2-proxy:7.9.0\n- docker pull ghcr.io/containerinfra/oauth2-proxy:7.9.0\n\n### Verify image with cosign\n\nAll containerinfra/oauth2-proxy images are signed by [cosign](https://github.com/sigstore/cosign). You can verify these using `cosign verify`:\n\n```bash\ncat cosign.pub\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYpxYmR6qpyer9WJHhSxd91XMx+A+\neQm/6XSWAMDGeH4hrFpvo8Sw0t+xf0PdRSUEXCyKFXve+Q2s8csVo4eAaA==\n-----END PUBLIC KEY-----\n\n\ncosign verify --key cosign.pub docker.io/containerinfra/oauth2-proxy:7.9.0\ncosign verify --key cosign.pub ghcr.io/containerinfra/oauth2-proxy:7.9.0\n```\n\n### Configuration\n\nSee the [oauth2-proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/).\n\n```bash\nUsage of oauth2-proxy:\n      --alpha-config string       path to alpha config file (use at your own risk - the structure in this config file may change between minor releases)\n      --config string             path to config file\n      --convert-config-to-alpha   if true, the proxy will load configuration as normal and convert existing configuration to the alpha config structure, and print it to stdout\n      --version                   print version string\nUsage of oauth2-proxy:\n      --acr-values string                          acr values string:  optional\n      --allowed-group strings                      restrict logins to members of this group (may be given multiple times)\n      --alpha-config string                        path to alpha config file (use at your own risk - the structure in this config file may change between minor releases)\n      --approval-prompt string                     OAuth approval_prompt (default \"force\")\n      
--auth-logging                               Log authentication attempts (default true)\n      --auth-logging-format string                 Template for authentication log lines (default \"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}\")\n      --authenticated-emails-file string           authenticate against emails via file (one per line)\n      --azure-tenant string                        go to a tenant-specific or common (tenant-independent) endpoint. (default \"common\")\n      --banner string                              custom banner string. Use \"-\" to disable default banner.\n      --basic-auth-password string                 the password to set when passing the HTTP Basic Auth header\n      --bitbucket-repository string                restrict logins to user with access to this repository\n      --bitbucket-team string                      restrict logins to members of this team\n      --client-id string                           the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"\n      --client-secret string                       the OAuth Client Secret\n      --client-secret-file string                  the file with OAuth Client Secret\n      --config string                              path to config file\n      --convert-config-to-alpha                    if true, the proxy will load configuration as normal and convert existing configuration to the alpha config structure, and print it to stdout\n      --cookie-domain .yourcompany.com             Optional cookie domains to force cookies to (ie: .yourcompany.com). 
The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).\n      --cookie-expire duration                     expire timeframe for cookie (default 168h0m0s)\n      --cookie-httponly                            set HttpOnly cookie flag (default true)\n      --cookie-name string                         the name of the cookie that the oauth_proxy creates (default \"_oauth2_proxy\")\n      --cookie-path string                         an optional cookie path to force cookies to (ie: /poc/)* (default \"/\")\n      --cookie-refresh duration                    refresh the cookie after this duration; 0 to disable\n      --cookie-samesite string                     set SameSite cookie attribute (ie: \"lax\", \"strict\", \"none\", or \"\"). \n      --cookie-secret string                       the seed string for secure cookies (optionally base64 encoded)\n      --cookie-secure                              set secure (HTTPS) cookie flag (default true)\n      --custom-sign-in-logo string                 path to an custom image for the sign_in page logo. Use \"-\" to disable default logo.\n      --custom-templates-dir string                path to custom html templates\n      --display-htpasswd-form                      display username / password login form if an htpasswd file is provided (default true)\n      --email-domain strings                       authenticate emails with the specified domain (may be given multiple times). 
Use * to authenticate any email\n      --errors-to-info-log                         Log errors to the standard logging channel instead of stderr\n      --exclude-logging-path strings               Exclude logging requests to paths (eg: '/path1,/path2,/path3')\n      --extra-jwt-issuers strings                  if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)\n      --flush-interval duration                    period between response flushing when streaming responses (default 1s)\n      --footer string                              custom footer string. Use \"-\" to disable default footer.\n      --force-https                                force HTTPS redirect for HTTP requests\n      --gcp-healthchecks                           Enable GCP/GKE healthcheck endpoints\n      --github-org string                          restrict logins to members of this organisation\n      --github-repo string                         restrict logins to collaborators of this repository\n      --github-team string                         restrict logins to members of this team\n      --github-token string                        the token to use when verifying repository collaborators (must have push access to the repository)\n      --github-user strings                        allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)\n      --gitlab-group strings                       restrict logins to members of this group (may be given multiple times)\n      --gitlab-project group/project=accesslevel   restrict logins to members of this project (may be given multiple times) (eg group/project=accesslevel). 
Access level should be a value matching Gitlab access levels (see https://docs.gitlab.com/ee/api/members.html#valid-access-levels), defaulted to 20 if absent\n      --google-admin-email string                  the google admin to impersonate for api calls\n      --google-group strings                       restrict logins to members of this google group (may be given multiple times).\n      --google-service-account-json string         the path to the service account json credentials\n      --htpasswd-file string                       additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -B\" for bcrypt encryption\n      --htpasswd-user-group strings                the groups to be set on sessions for htpasswd users (may be given multiple times)\n      --http-address string                        [http://]\u003caddr\u003e:\u003cport\u003e or unix://\u003cpath\u003e to listen on for HTTP clients (default \"127.0.0.1:4180\")\n      --https-address string                       \u003caddr\u003e:\u003cport\u003e to listen on for HTTPS clients (default \":443\")\n      --insecure-oidc-allow-unverified-email       Don't fail if an email address in an id_token is not verified\n      --insecure-oidc-skip-issuer-verification     Do not verify if issuer matches OIDC discovery URL\n      --insecure-oidc-skip-nonce                   skip verifying the OIDC ID Token's nonce claim (default true)\n      --jwt-key string                             private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov\n      --jwt-key-file string                        path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov\n      --keycloak-group strings                     restrict logins to members of these groups (may be given multiple times)\n      
--logging-compress                           Should rotated log files be compressed using gzip\n      --logging-filename string                    File to log requests to, empty for stdout\n      --logging-local-time                         If the time in log files and backup filenames are local or UTC time (default true)\n      --logging-max-age int                        Maximum number of days to retain old log files (default 7)\n      --logging-max-backups int                    Maximum number of old log files to retain; 0 to disable\n      --logging-max-size int                       Maximum size in megabytes of the log file before rotation (default 100)\n      --login-url string                           Authentication endpoint\n      --metrics-address string                     the address /metrics will be served on (e.g. \":9100\")\n      --metrics-secure-address string              the address /metrics will be served on for HTTPS clients (e.g. \":9100\")\n      --metrics-tls-cert-file string               path to certificate file for secure metrics server\n      --metrics-tls-key-file string                path to private key file for secure metrics server\n      --oidc-email-claim string                    which OIDC claim contains the user's email (default \"email\")\n      --oidc-groups-claim string                   which OIDC claim contains the user groups (default \"groups\")\n      --oidc-issuer-url string                     OpenID Connect issuer URL (ie: https://accounts.google.com)\n      --oidc-jwks-url string                       OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)\n      --pass-access-token                          pass OAuth access_token to upstream via X-Forwarded-Access-Token header\n      --pass-authorization-header                  pass the Authorization Header to upstream\n      --pass-basic-auth                            pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to 
upstream (default true)\n      --pass-host-header                           pass the request Host Header to upstream (default true)\n      --pass-user-headers                          pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)\n      --ping-path string                           the ping endpoint that can be used for basic health checks (default \"/ping\")\n      --ping-user-agent string                     special User-Agent that will be used for basic health checks\n      --prefer-email-to-user                       Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, eg. htaccess authentication. Used in conjunction with -pass-basic-auth and -pass-user-headers\n      --profile-url string                         Profile access endpoint\n      --prompt string                              OIDC prompt\n      --provider string                            OAuth provider (default \"google\")\n      --provider-ca-file strings                   One or more paths to CA certificates that should be used when connecting to the provider.  If not specified, the default Go trust sources are used instead.\n      --provider-display-name string               Provider display name\n      --proxy-prefix string                        the url root path that this proxy should be nested under (e.g. /\u003coauth2\u003e/sign_in) (default \"/oauth2\")\n      --proxy-websockets                           enables WebSocket proxying (default true)\n      --pubjwk-url string                          JWK pubkey access endpoint: required by login.gov\n      --real-client-ip-header string               Header used to determine the real IP of the client (one of: X-Forwarded-For, X-Real-IP, or X-ProxyUser-IP) (default \"X-Real-IP\")\n      --redeem-url string                          Token redemption endpoint\n      --redirect-url string                        the OAuth Redirect URL. 
ie: \"https://internalapp.yourcompany.com/oauth2/callback\"\n      --redis-ca-path string                       Redis custom CA path\n      --redis-cluster-connection-urls strings      List of Redis cluster connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-cluster\n      --redis-connection-url string                URL of redis server for redis session storage (eg: redis://HOST[:PORT])\n      --redis-insecure-skip-tls-verify             Use insecure TLS connection to redis\n      --redis-password --redis-connection-url      Redis password. Applicable for all Redis configurations. Will override any password set in --redis-connection-url\n      --redis-sentinel-connection-urls strings     List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel\n      --redis-sentinel-master-name string          Redis sentinel master name. Used in conjunction with --redis-use-sentinel\n      --redis-sentinel-password --redis-password   Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use --redis-password\n      --redis-use-cluster                          Connect to redis cluster. Must set --redis-cluster-connection-urls to use this feature\n      --redis-use-sentinel                         Connect to redis via sentinels. 
Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature\n      --request-id-header string                   Request header to use as the request ID (default \"X-Request-Id\")\n      --request-logging                            Log HTTP requests (default true)\n      --request-logging-format string              Template for HTTP request log lines (default \"{{.Client}} - {{.RequestID}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}\")\n      --resource string                            The resource that is protected (Azure AD only)\n      --reverse-proxy                              are we running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted\n      --scope string                               OAuth scope specification\n      --session-cookie-minimal                     strip OAuth tokens from cookie session stores if they aren't needed (cookie session store only)\n      --session-store-type string                  the session storage provider to use (default \"cookie\")\n      --set-authorization-header                   set Authorization response headers (useful in Nginx auth_request mode)\n      --set-basic-auth                             set HTTP Basic Auth information in response (useful in Nginx auth_request mode)\n      --set-xauthrequest                           set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)\n      --show-debug-on-error                        show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production)\n      --signature-key string                       GAP-Signature request signature key (algorithm:secretkey)\n      --silence-ping-logging                       Disable logging of requests to ping endpoint\n      
--skip-auth-preflight                        will skip authentication for OPTIONS requests\n      --skip-auth-regex strings                    (DEPRECATED for --skip-auth-route) bypass authentication for requests path's that match (may be given multiple times)\n      --skip-auth-route strings                    bypass authentication for requests that match the method \u0026 path. Format: method=path_regex OR path_regex alone for all methods\n      --skip-auth-strip-headers                    strips X-Forwarded-* style authentication headers \u0026 Authorization header if they would be set by oauth2-proxy (default true)\n      --skip-jwt-bearer-tokens                     will skip requests that have verified JWT bearer tokens (default false)\n      --skip-oidc-discovery                        Skip OIDC discovery and use manually supplied Endpoints\n      --skip-provider-button                       will skip sign-in-page to directly reach the next step: oauth/start\n      --ssl-insecure-skip-verify                   skip validation of certificates presented when using HTTPS providers\n      --ssl-upstream-insecure-skip-verify          skip validation of certificates presented when using HTTPS upstreams\n      --standard-logging                           Log standard runtime information (default true)\n      --standard-logging-format string             Template for standard log lines (default \"[{{.Timestamp}}] [{{.File}}] {{.Message}}\")\n      --tls-cert-file string                       path to certificate file\n      --tls-key-file string                        path to private key file\n      --trusted-ip strings                         list of IPs or CIDR ranges to allow to bypass authentication. 
WARNING: trusting by IP has inherent security flaws, read the configuration documentation for more information.\n      --upstream strings                           the http url(s) of the upstream endpoint, file:// paths for static files or static://\u003cstatus_code\u003e for static response. Routing is based on the path\n      --user-id-claim oidc-email-claim             (DEPRECATED for oidc-email-claim) which claim contains the user ID (default \"email\")\n      --validate-url string                        Access token validation endpoint\n      --version                                    print version string\n      --whitelist-domain strings                   allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)\n```\n\n## Automated build\n\nThis image is built automatically at least once a month.\n\n## Contribute\n\nPRs accepted. All issues should be reported in the [GitHub issue tracker](https://github.com/containerinfra/oauth2-proxy/issues).\n\n## License\n\n[MIT © ContainerInfra](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerinfra%2Foauth2-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainerinfra%2Foauth2-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerinfra%2Foauth2-proxy/lists"}