Oauth2-proxy: Feature Request: Ingress level authentication

Created on 14 Sep 2020  路  3Comments  路  Source: oauth2-proxy/oauth2-proxy

Current Behavior

Right now current authentication model is all in or nothing. For example: If I enabled oauth2-proxy protection on some nginx ingress resource, all of the oauth2-proxy users that are declared in configuration file would have access to it.

Possible Solution

I'm wondering it would be so useful if oauth2-proxy also allows to deny / allow access to certain nginx ingress resource.
For example: Let's say I've 2 different endpoint that's oauth2-proxy enabled.

  1. admin.mydomain.com (Only admins are allowed to access this website)
  2. members.mydomain.com (All other users are allowed to access this website)

At the moment, this kind of configuration is not possible.

Edit: I'm using Github application btw, maybe if there is another auth provider that could achieve this functionality or if this is ridiculous idea please let me know, ty.

Stale enhancement help wanted

Most helpful comment

We have been looking at this recently and were having some discussions in the slack about integrating OPA into the proxy so that once a user is authenticated, they could also be authorized based on the details from their session and their request.

This would replace the existing checks that perform request authentication/authorization and we would hopefully have a simple syntax to allow users to configure rules, and then an expert mode where people could pass the config as rego.

Do you think that would solve your issue?

All 3 comments

We have been looking at this recently and were having some discussions in the slack about integrating OPA into the proxy so that once a user is authenticated, they could also be authorized based on the details from their session and their request.

This would replace the existing checks that perform request authentication/authorization and we would hopefully have a simple syntax to allow users to configure rules, and then an expert mode where people could pass the config as rego.

Do you think that would solve your issue?

That sounds awesome. I also discovered this repo. They look like implemented authorization part but looks quite complex :/

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

Was this page helpful?
0 / 5 - 0 ratings