Unfortunately because the set-up needs to deal with secret values and also OAuth2 sign-up (Azure AD), we cannot simply push every value as default values and be able to just spin up the docker-compose configuration without any initialization work.
The guide here will tell exactly which values are required to do the above initialization work:
Before starting, make a copy of .env.sample
into .env
. The .env
is git-ignored by default, and
will be automatically fed into the docker-compose.yml
later.
This can be any reasonably cryptographically secure value, so you can generate like this on Bash:
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo
Ref: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview:
Unfortunately this section is the hardest. You will need Microsoft Azure (with access to Azure AD), which does provide free trial for a year.
You will be required to create a new tenant and set up a new OAuth2 application in Azure AD, which you can follow the guides:
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
- https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Roughly, you should be:
- Log in and getting into Azure AD (Active Directory) at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade
- Register an application:
https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/isMSAApp~/false
- Change the Redirect URI to
http://localhost:8080/oauth2/callback
.
- Change the Redirect URI to
- Copy the following values:
Application (client) ID
asOAUTH2_PROXY_CLIENT_ID
in.env
Directory (tenant) ID
asOAUTH2_PROXY_AZURE_TENANT
in.env
- For
OAUTH2_PROXY_CLIENT_SECRET
, go to:Certificates & secrets
on the left pane,Client secrets
,+ New client secret
and enter any description text and any reasonable expiration date. It should create a new secret entry. Copy theValue
(not theSecret ID
) asOAUTH2_PROXY_CLIENT_SECRET
in.env
.
Finally with all the secret values in place, run both services with:
docker-compose up --build
Then use your web browser and go into: http://localhost:8080
If you have not logged in before, you should see a OAuth2 Proxy page with Sign in with Azure
button.
If the above doesn't appear, and you instead see the NGINX page Welcome to nginx!
, it means you
have already logged in. If you prefer to want to retry the log in step to confirm the root page is
being secured by OAuth Proxy 2, you can either:
- Use an incognito mode to start a new session
- Remove all the following cookies in http://localhost:8080, in particular:
_oauth2_proxy_0
_oauth2_proxy_1