-
-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathoauth2-proxy.cfg
26 lines (23 loc) · 1.29 KB
/
oauth2-proxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
http_address="0.0.0.0:4180"
cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
email_domains=["*"]
cookie_secure="false"
upstreams="http://haproxy:8080"
cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
# pass JWT token to upstream
pass_authorization_header=true
# JWT access token expires after 15m however the oauth2-proxy cookie by default expires after 168h (7 days)
# this would result in oauth2-proxy thinking that session is still valid while JWT access token would long be expired
# oauth2-proxy would keep sending JWT access tokens and haproxy would reject it and show 403 Forbidden error
# we need to sync JWT access token expiry and oauth2-proxy cookie expiry providing a much better user experience
cookie_expire="15m"
# keycloak provider
client_secret="72341b6d-7065-4518-a0e4-50ee15025608"
client_id="oauth2-proxy"
redirect_url="http://gateway.localtest.me:4180/oauth2/callback"
# in this case oauth2-proxy is going to visit
# http://keycloak.localtest.me:9080/auth/realms/master/.well-known/openid-configuration for configuration
oidc_issuer_url="http://keycloak.localtest.me:9080/auth/realms/master"
provider="oidc"
provider_display_name="Keycloak"