{"id":19341879,"url":"https://github.com/matchory/oauth2-authenticating-proxy","last_synced_at":"2025-09-13T16:26:55.814Z","repository":{"id":57615387,"uuid":"302648288","full_name":"matchory/oauth2-authenticating-proxy","owner":"matchory","description":"Simple proxy application to add an OAuth2 access token to any request passing through","archived":false,"fork":false,"pushed_at":"2020-10-14T08:53:09.000Z","size":36,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-06T11:45:19.675Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/matchory.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-09T13:24:31.000Z","updated_at":"2020-10-14T08:53:11.000Z","dependencies_parsed_at":"2022-09-13T16:01:09.024Z","dependency_job_id":null,"html_url":"https://github.com/matchory/oauth2-authenticating-proxy","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matchory%2Foauth2-authenticating-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matchory%2Foauth2-authenticating-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matchory%2Foauth2-authenticating-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matchory%2Foauth2-authenticating-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/matchory","download_url":"http
s://codeload.github.com/matchory/oauth2-authenticating-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240449421,"owners_count":19803120,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T03:32:58.730Z","updated_at":"2025-02-24T08:42:02.512Z","avatar_url":"https://github.com/matchory.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"OAuth2 Authenticating Proxy ![Publish Docker image](https://github.com/matchory/oauth2-authenticating-proxy/workflows/Publish%20Docker%20image/badge.svg)\n===========================\n\u003e Simple proxy application to add an OAuth2 access token to any request passing through\n\nThis application will take any incoming HTTP request and attach a valid OAuth2 token in a standard `Authorization`\nheader as `Bearer {{TOKEN}}`. This comes in handy if you have a trusted application making requests that should be\nauthorized automatically.  \nTo do so, the proxy automatically fetches an access token from the authorization server you configured. It will try to\nrefresh it automatically and reuse an existing token, if possible.\n\n**Attention: Using this proxy can be dangerous. Make sure you strictly limit access to it!**\n\nInstallation\n------------\nWe strongly recommend using the proxy in a Docker stack, e.g. 
`docker-compose`:\n\n```yaml\nversion: \"3.7\"\nservices:\n  proxy:\n    image: ghcr.io/matchory/oauth2-authenticating-proxy:latest\n    expose:\n      - 8080\n    volumes:\n      - \"./proxy.yaml:/proxy/config.yaml:ro\"\n```\n\nConfiguration\n-------------\nThe proxy supports passing configuration from environment variables or from a YAML configuration file. Environment\nvariables will always take precedence over values found in the configuration file.  \nThe following options are supported:\n\n| Option            | Environment variable  | Default | Description                                                 |\n|:------------------|:----------------------|:-------:|:------------------------------------------------------------|\n| `listen_port`     | `LISTEN_PORT`         | `8080`  | Network port to listen on.                                  |\n| `skip_tls_verify` | `SKIP_TLS_VERIFY`     | `false` | Whether to skip TLS certificate validation.                 |\n| `client_id`       | `CLIENT_ID`           |    -    | OAuth2 client ID to authenticate with.                      |\n| `client_secret`   | `CLIENT_SECRET`       |    -    | OAuth2 client secret to authenticate with.                  |\n| `token_endpoint`  | `TOKEN_ENDPOINT`      |    -    | Fully qualified URL of your OAuth2 token endpoint.          |\n| `scopes`          | `SCOPES`              |    -    | List of scopes to request for the token.                    |\n| `upstream_scheme` | `UPSTREAM_SCHEME`     | `https` | URL scheme to use for _upstream_ connections.               |\n| `upstream_host`   | `UPSTREAM_HOST`       |    -    | Host to forward requests to. [Optional](#upstream-hosts).   |\n| `allowed_hosts`   | `ALLOWED_HOSTS`       |    -    | List of allowed hosts to forward to. Optional.              
|\n\nUsage\n-----\nAfter spinning up the image with correct configuration, you should be able to send HTTP requests _without_ an\n`Authorization` header to the proxy and see requests _with_ the header and a valid token arrive at your backend\nservice.\n\n### Upstream hosts\n\nWhen proxying a request, it needs to be sent to the proxy host instead of the actual, intended host. To make this\npossible, you'll need some way to tell the proxy server where to send the modified request. The OAuth2 proxy provides\nyou with three different ways to resolve the target host:\n\n1. **Set the `upstream_host` configuration directive**  \n   If all you ever need to do is send requests to a single upstream, you can set the hostname (without a protocol) in\n   your configuration file (or using the `UPSTREAM_HOST` environment variable), and all requests will be forwarded to\n   that host.\n2. **Set the `Forward` request header**  \n   To dynamically set the forward host, you can set the `Forward` header on your requests. This will even take\n   precedence over the configured upstream host from variant 1. To make it harder to shoot yourself in the foot, you\n   can (and should!) configure the `allowed_hosts` setting with all hosts you explicitly want to talk to.\n3. **Set the `Host` request header independently**  \n   Depending on the library you use, you may be able to set the `Host` header independently of the request URI. The\n   proxy uses the value of the `Host` header as the fallback if neither of the other two methods resolved a\n   hostname.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatchory%2Foauth2-authenticating-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatchory%2Foauth2-authenticating-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatchory%2Foauth2-authenticating-proxy/lists"}