March 01, 2022
Édouard Bonlieu
@edouardb_
OAuth2 Proxy is a reverse proxy and static file server that provides authentication using third-party providers like Google, GitHub, and others for validating accounts by email, domain, or group.
OAuth2 Proxy is useful when you want:
In this guide, we will explain how to deploy OAuth2 Proxy on Koyeb to secure access to a sample application. We will configure OAuth2 Proxy to use Google as the authentication provider. If you are interested in using other providers, you can find the list of supported providers in the OAuth2 Proxy documentation.
For this tutorial, we will make use of the Koyeb service mesh and discovery and will deploy:
Below is the diagram of what our deployment will look like:
To successfully follow and complete this tutorial, you need:
To complete this guide, follow these steps:
First, get started by deploying the sample application that the OAuth2 Proxy will serve once a user is authenticated. In this guide, we will deploy the Koyeb ExpressJS example application available on the following GitHub repository.
Deploy it inside a new Koyeb App by clicking the Deploy to Koyeb button in the readme. You land on the pre-filled App creation page to deploy the application.
In the Ports section, disable the Public exposure of the service by clicking the switch.
Change the application name from express-on-koyeb to oauth2-proxy-on-koyeb and hit the Create App button.
Our Koyeb App is created, and our sample application is being deployed. We can now move to the next section.
Before deploying the OAuth2 Proxy service, we need to create a new Google OAuth application that we will use to authenticate our users.
Go to https://console.developers.google.com/project and create a new project that will own our application by clicking New project on the project dropdown menu in the navigation bar. Once your project is created, in the search bar, type OAuth consent screen and press Enter.
You land on the OAuth consent screen creation page.
Once the configuration is completed, click the Save button.
Then, in the search bar, type Credentials and press Enter to create a new OAuth2 client. On the Credentials page, click the Create credentials button and select OAuth client ID.
https://<yourApp>-<yourOrg>.koyeb.app/oauth2/callback
where <yourApp> is your Koyeb App name and <yourOrg> your Koyeb organization name.
Click the Create button; your OAuth client ID and Secret appear. You can also download them as a JSON file. Save them in a safe place. We will need them in a future step.
Our application is now ready and will allow us to obtain limited access to Google user accounts by delegating user authentication to Google.
We are now ready to deploy the OAuth2 Proxy service on Koyeb. Go to the Koyeb Control Panel and select the App you previously created.
On the chosen App page, click the Create Service button to deploy the OAuth2 Proxy service.
quay.io/oauth2-proxy/oauth2-proxy
OAUTH2_PROXY_COOKIE_SECRET: with a seed string for secure cookies as value. You can use the following shell command to generate one: dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo
OAUTH2_PROXY_CLIENT_ID: with the Google OAuth2 client ID you previously created as value
OAUTH2_PROXY_CLIENT_SECRET: with the Google OAuth2 client Secret you previously created as value
OAUTH2_PROXY_PROVIDER: with the OAuth provider name as value, here google
OAUTH2_PROXY_EMAIL_DOMAINS: with the email domains allowed to authenticate as value, here *
OAUTH2_PROXY_HTTP_ADDRESS: with 0.0.0.0:8080 to ensure the OAuth2 Proxy is listening on all interfaces
OAUTH2_PROXY_UPSTREAMS: with the private domain of the Koyeb Service you want to restrict access to, for example: http://<myService>.<myApp>.koyeb:3000
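A pre-deployment check for the environment variables listed above, as an added example that is not part of the original guide or of the OAuth2 Proxy project. It flags the guide's `*` email domain and a cookie secret of the wrong size. It assumes multi-value variables are comma-separated and that private upstreams use the `.koyeb` form shown in the guide; `lint`, `cookie_secret_len` and all sample values are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

REQUIRED = ["OAUTH2_PROXY_" + s for s in (
    "COOKIE_SECRET", "CLIENT_ID", "CLIENT_SECRET", "PROVIDER",
    "EMAIL_DOMAINS", "HTTP_ADDRESS", "UPSTREAMS")]


def cookie_secret_len(secret):
    """Decoded size of a URL-safe base64 secret; raw size if it is not base64."""
    try:
        padded = secret + "=" * (-len(secret) % 4)
        return len(base64.b64decode(padded, altchars=b"-_", validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return len(secret.encode())


def lint(env):
    """Return (level, variable, message) findings for the guide's variables."""
    out = [("error", k, "missing or empty") for k in REQUIRED if not env.get(k)]
    secret = env.get("OAUTH2_PROXY_COOKIE_SECRET", "")
    if secret and cookie_secret_len(secret) not in (16, 24, 32):  # AES key sizes
        out.append(("error", "OAUTH2_PROXY_COOKIE_SECRET",
                    "must be 16, 24 or 32 bytes once decoded"))
    # Assumption: multi-value variables are comma-separated.
    if "*" in [d.strip() for d in env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "").split(",")]:
        out.append(("warn", "OAUTH2_PROXY_EMAIL_DOMAINS",
                    "'*' accepts any email address the provider authenticates"))
    for upstream in filter(None, env.get("OAUTH2_PROXY_UPSTREAMS", "").split(",")):
        host = urlsplit(upstream.strip()).hostname or upstream
        if not host.endswith(".koyeb"):  # private mesh form shown in the guide
            out.append(("warn", "OAUTH2_PROXY_UPSTREAMS",
                        f"{host} is not a private .koyeb mesh name"))
    return out


# Constructed sample values, not real credentials (secret = 32 zero bytes).
GUIDE_ENV = {
    "OAUTH2_PROXY_COOKIE_SECRET": base64.urlsafe_b64encode(bytes(32)).decode(),
    "OAUTH2_PROXY_CLIENT_ID": "example-id.apps.googleusercontent.com",
    "OAUTH2_PROXY_CLIENT_SECRET": "example-secret",
    "OAUTH2_PROXY_PROVIDER": "google",
    "OAUTH2_PROXY_EMAIL_DOMAINS": "*",
    "OAUTH2_PROXY_HTTP_ADDRESS": "0.0.0.0:8080",
    "OAUTH2_PROXY_UPSTREAMS": "http://myservice.myapp.koyeb:3000",
}
HARDENED_ENV = {**GUIDE_ENV, "OAUTH2_PROXY_EMAIL_DOMAINS": "example.com"}

if __name__ == "__main__":
    print({"guide": lint(GUIDE_ENV), "hardened": lint(HARDENED_ENV)})
```

Replacing `*` with the domain of the accounts that should reach the application, as in `HARDENED_ENV`, clears the only finding raised for the guide's values.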
Once the service configuration is completed, click the Create Service button.
The OAuth2 Proxy service is being deployed and will be up and running in a few seconds.
With the OAuth2 Proxy deployed, we are now ready to test the authentication flow.
In your browser, open your Koyeb App URL, which has the form https://<yourApp>-<yourOrg>.koyeb.app/.
You land on the OAuth2 Proxy landing page, where you can authenticate with your Google account.
Click the Sign in with Google button and select the Google account you want to use to authenticate. Once the authentication has succeeded, the OAuth2 Proxy will proxy requests to your private sample application.
In this guide, we demonstrated how OAuth2 Proxy helps delegate user authentication to a third-party provider and secure applications without any code changes in your existing application.
We took advantage of the Koyeb Mesh and discovery to make our OAuth2 Proxy and the sample application services communicate effortlessly and securely.
OAuth2 Proxy provides many options you can use to fine-tune the authentication flow and more. You can learn more about what you can achieve by reading the configuration options available in the documentation.