A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Stefan Markmann 9c61c49ec2
fix: skip provider button auth only redirect (#3309)
* fix: Return 302 redirect from AuthOnly when skip-provider-button is true

When SkipProviderButton is enabled and a user needs to login, the AuthOnly
endpoint now returns a 302 redirect directly to the OAuth provider instead
of returning 401.

This fixes an issue with nginx auth_request architecture where 401 triggers
error_page handling, which can break redirect flows because nginx overrides
the status code (e.g., to 403), and browsers don't follow Location headers
for non-3xx responses.

Fixes: #334
Signed-off-by: Stefan Markmann <stefan@markmann.net>

* update docs and changelog

Signed-off-by: Stefan Markmann <stefan@markmann.net>

* test: Add specific OAuth redirect assertions per code review feedback

Improve TestAuthOnlyEndpointRedirectWithSkipProviderButton to verify
that the Location header actually redirects to the OAuth provider's
authorize endpoint with required parameters (client_id, redirect_uri,
state), not just that a Location header exists.

Signed-off-by: Stefan Markmann <stefan@markmann.net>

* refactor: Flatten AuthOnly error handling structure

Move the SkipProviderButton check outside of the nested err != nil block
using an if-else structure. This makes the special case more visible and
reduces nesting depth without changing behavior.

Signed-off-by: Stefan Markmann <stefan@markmann.net>

* doc: backport to v7.14.x

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-17 14:35:44 +01:00
.devcontainer feat: allow to set non-default authorization request response mode (#3001) 2025-03-31 10:04:19 +02:00
.github chore(deps): update dependency golangci/golangci-lint to v2.7.2 (#3254) 2026-01-04 10:23:26 +01:00
.vscode Improved dev environment (#2211) 2024-01-20 20:10:37 +00:00
contrib update to release version v7.14.0 2026-01-17 11:04:42 +01:00
docs fix: skip provider button auth only redirect (#3309) 2026-01-17 14:35:44 +01:00
pkg docs: add todo for revamping the usage / naming of PassHostHeader 2026-01-17 11:06:24 +01:00
providers fix: session refresh handling in OIDC provider (#3267) 2026-01-14 23:18:27 +01:00
static Embed static stylesheets and dependencies 2023-08-24 20:50:17 -04:00
testdata Rename test directory to testdata 2020-10-06 21:37:25 +09:00
.dockerignore Parameterise runtime image (#1478) 2022-04-14 14:10:59 +01:00
.gitignore feat: allow use more possible google admin-sdk api scopes (#2743) 2025-07-21 09:06:17 +02:00
.golangci.yml introduce mapstructure decoder for yaml parsing 2025-11-16 22:37:37 +01:00
.pre-commit-config.yaml Improved dev environment (#2211) 2024-01-20 20:10:37 +00:00
CHANGELOG.md fix: skip provider button auth only redirect (#3309) 2026-01-17 14:35:44 +01:00
CODE_OF_CONDUCT.md doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
CONTRIBUTING.md Drop configure script in favour of native Makefile env and checks (#515) 2020-05-09 16:07:46 +01:00
DCO.md doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
Dockerfile chore(build): retrieve go version from go.mod as single point of truth 2025-01-20 20:45:45 +01:00
LICENSE add MIT license for google_auth_proxy 2014-06-09 16:25:26 -04:00
MAINTAINERS doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
MAINTAINERS.md doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
Makefile chore(deps): update alpine docker tag to v3.23.2 (#3296) 2026-01-06 19:42:27 +01:00
README.md doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
RELEASE.md chore(build): refactoring makefile for better usability and introducing a default help target (#2930) 2025-04-27 20:09:52 +02:00
SECURITY.md Update SECURITY.md 2024-07-07 18:29:14 -03:00
dist.sh feature/s390x architecture support (#2734) 2024-08-23 09:02:02 +02:00
go.mod chore(deps): upgrade gomod and bump to golang v1.25.5 (#3292) 2025-12-24 11:30:23 +01:00
go.sum chore(deps): upgrade gomod and bump to golang v1.25.5 (#3292) 2025-12-24 11:30:23 +01:00
main.go deref everything... but why? 2025-11-16 22:38:54 +01:00
main_suite_test.go chore(deps): Updated to ginkgo v2 (#2459) 2024-07-18 22:41:02 +02:00
main_test.go feat: migrate google used organization id and header normalization booleans to pointers 2025-11-16 22:39:01 +01:00
oauthproxy.go fix: skip provider button auth only redirect (#3309) 2026-01-17 14:35:44 +01:00
oauthproxy_test.go fix: skip provider button auth only redirect (#3309) 2026-01-17 14:35:44 +01:00
validator.go Watch the `htpasswd` file for changes and update the `htpasswdMap` (#1701) 2022-09-01 19:46:00 +01:00
validator_test.go Fix Linting Errors (#1835) 2022-10-21 11:57:51 +01:00

README.md

OAuth2 Proxy

OAuth2 Proxy is a flexible, open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. It provides a simple and secure way to protect your web applications with OAuth2 / OIDC authentication. As a reverse proxy, it intercepts requests to your application and redirects users to an OAuth2 provider for authentication. As a middleware, it can be seamlessly integrated into your existing infrastructure to handle authentication for multiple applications.

OAuth2 Proxy supports many OAuth2 and OIDC providers, either through a generic OIDC client or through a specific implementation for Google, Microsoft Entra ID, GitHub, login.gov and others. Through specialised provider implementations oauth2-proxy can extract more details about the user, such as preferred usernames and groups. Those details can then be forwarded as HTTP headers to your upstream applications.

Simplified Architecture

Get Started

OAuth2 Proxy's Installation Docs cover how to install and configure your setup. Additionally you can take a further look at the example setup files.

Releases

Binaries

We publish oauth2-proxy as compiled binaries on GitHub for all major architectures as well as more exotic ones like ppc64le and s390x.

Check out the latest release.

Images

From v7.6.0 onward, the base image has been changed from Alpine to GoogleContainerTools/distroless. This image comes with even fewer installed dependencies and thus should improve security. The image is therefore also slightly smaller than the Alpine one. For debugging purposes (and for those who really need it, e.g. armv6) we still provide images based on Alpine. The tags of these images are suffixed with -alpine.

Since 2023-11-18 we build nightly images directly from the master branch and provide them at quay.io/oauth2-proxy/oauth2-proxy-nightly. These images are considered unstable and therefore should NOT be used for production purposes unless you know what you're doing.

Sponsors

If you would like to sponsor the project, please contact us at sponsors@oauth2-proxy.dev.

SAP

SAP Open Source Program

Former Sponsors

Microsoft

Microsoft Azure credits for open source projects

Getting Involved

Slack

Join the #oauth2-proxy Slack channel to chat with other users of oauth2-proxy or reach out to the maintainers directly. Use the public invite link to get an invite for the Gopher Slack space.

OAuth2 Proxy is a community-driven project. We rely on the contributions of our users to continually improve it. While review times can vary, we appreciate your patience and understanding. As a volunteer-driven project, we strive to keep this project stable and might take longer to merge changes.

If you want to contribute to the project, please see our Contributing guide.

Thanks to all the people who already contributed ❤

Made with contrib.rocks.

Security

If you believe you have found a vulnerability within OAuth2 Proxy or any of its dependencies, please do NOT open an issue or PR on GitHub and do NOT post any details publicly.

Security disclosures MUST be done in private. If you have found an issue that you would like to bring to the attention of the maintainers, please compose an email and send it to the list of people listed in our MAINTAINERS.md file.

For more details read our full Security Docs

Security Notice for v6.0.0 and older

If you are running a version older than v6.0.0, we strongly recommend updating to the current version.

See open redirect vulnerability for details.

Repository History

2018-11-27: This repository was forked from bitly/OAuth2_Proxy. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

2020-03-29: This project was formerly hosted as pusher/oauth2_proxy but has been renamed to oauth2-proxy/oauth2-proxy. Going forward, all images shall be available at quay.io/oauth2-proxy/oauth2-proxy and binaries will be named oauth2-proxy.

Code of Conduct

Participation in the OAuth2 Proxy project is governed by the CNCF Code of Conduct.

License

OAuth2 Proxy is distributed under The MIT License.

Trademarks

OAuth2 Proxy is a Cloud Native Computing Foundation Sandbox project.

CNCF

The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage.