Google authentication for internal services
This proxy handles sessions and makes it easy to put internal services behind Google
authentication. It acts as a gatekeeper that makes sure only authenticated users can make
requests to the origin. All requests are proxied to the origin as-is, except for the /login,
/login/return and /logout paths, which the proxy handles itself.
The origin will receive the following headers from the proxy:
- x-key: <secret>
  Where secret is a shared secret between the proxy and the origin. The origin must check this
  header on every request; only if the secret is correct can it trust the other headers.
- x-user-name: John Doe
  Name of the authenticated user.
- x-user-email: john.doe@company.com
  Email of the authenticated user.
- x-user-photo-url: https://gstatic.google.com/profile.jpg
  Profile picture URL of the authenticated user.
Because the proxy is the only thing standing between the internet and the origin, the origin
should not be reachable except through the proxy; otherwise anyone who can reach it directly
can set these headers themselves.
To log a user out, redirect them to the /logout path. The proxy handles it itself and
terminates the session.
-
Install a Node environment.
-
Follow the instructions in https://github.com/bitly/oauth2_proxy to create a Google OAuth2 client ID and secret.
If you host your internal service at https://internal.company.com, use the following settings:
- Authorized JavaScript origins:
https://internal.company.com
- Authorized redirect URIs:
https://internal.company.com/login/return
This handles the OAuth2 redirect from Google. It must be exactly the same value as the CALLBACK_URL environment variable.
You might need to enable the Google+ API for the Google project to make auth work.
-
npm i
-
cp .env.sample .env
and fill in the blanks
-
npm start