Can oauth2-proxy be used as a reverse proxy with no OIDC auth, and just basic auth?

[gohilankit]

This is more of a question rather than an issue. Can I use oauth2-proxy just as a reverse proxy server with basic auth and without any third-party authentication.

I have been using it in my project to authenticate with Gitlab but I want to provide a flexibility to the admin of my application to deploy it with OAuth2 authentication or just plain basic auth. The admin can choose this option at the time of deployment.

I tried using --htpasswd-file option having the basic auth credentials and omit the options like issuer-url, but I can't bring the oauth2-proxy container to be running. It fails with an error

[2022/07/13 21:44:32] [main.go:60] ERROR: Failed to initialise OAuth2 Proxy: error intiailising provider: could not create provider data: error building OIDC ProviderVerifier: invalid provider verifier options: missing required setting: issuer-url

So just wanted to know if it's even possible run this with only basic auth?

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

You might be able to reproduce this bug with my config.
This is the snippet for the args I provide in my yaml.

            - --http-address
            - "0.0.0.0:4180"
            - --upstream
            - http://localhost:8100/1.0.0/,http://localhost:8080/ui/
            - --provider
            - "gitlab"
            - --redirect-url
            - "http://example.com/oauth2/callback"
            - --client-id
            - <some-client-id>
            - --client-secret
            -  <some-secret>
            - --cookie-secret
            - IelBwY6bF_G9oQ7okmCe5A==
            - --oidc-issuer-url
            - https://example.com
            - --cookie-secure=false
            - --email-domain
            - example.com
            - --skip-provider-button=true
            - --skip-oidc-discovery=true
            - --display-htpasswd-form=true
            - --htpasswd-file
            - /etc/oauth2/basicauth_creds

Context

Your Environment

• Version used:
  v 7.3.0

[k7a-tomohiro]

@gohilankit

As far as I know, there is no official way to avoid third-party authentication.
But, it is possible to do so by setting dummy parameters to the required arguments which are checked on startup.

In my case, following setting works well.
v 7.3.0 is used.

http_address="0.0.0.0:4180"

provider = "gitlab"
oidc_issuer_url = "http://dummy.com/"
oidc_jwks_url = "http://dummy.com/"
client_id = "dummy"
client_secret = "dummy"

upstreams = [
    "http://pymocserver.localhost.com:8000/"
]

ssl_insecure_skip_verify = true

cookie_secret = "1234567890123456"
cookie_secure = "false"
cookie_path = "/"
cookie_domains = [
    ".localhost.com",
]

htpasswd_file="/opt/oauth2proxy/src/htpasswd.txt"
skip_oidc_discovery=true

Note: In this case, gitlab's login button is shown in the default sign in page even it does not work.

[JoelSpeed]

I'd be in support of making the basic auth a provider in itself (or at least making it count as one) so that you don't need any additional support. That said, I wonder if you can do this with something like nginx without a need of all the extra OAuth2 Proxy provides?

[gohilankit]

I'd be in support of making the basic auth a provider in itself (or at least making it count as one) so that you don't need any additional support. That said, I wonder if you can do this with something like nginx without a need of all the extra OAuth2 Proxy provides?

I did end up using nginx to provide basic auth support. I was basically looking for a way to circumvent it as I was already using oauth2-proxy(without nginx) in my project. The need to support basic auth as an alternate deployment model made me use nginx also.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[andrewazores]

Any chance this feature request can be re-examined? Our use case is Cryostat, where in the 3.0 release we are looking to use openshift-oauth-proxy for downstream productized Red Hat builds running on OpenShift, and otherwise for the upstream community builds we will deploy oauth2-proxy. We would eventually like to support configurations where this is a full-fledged proxy instance that the user can configure with their choice of OIDC provider etc., but for the most basic case we are targeting simply using htpasswd to allow the user to configure Basic auth. Right now I'm just relying on using placeholder/dummy config for a non-existing Google OIDC client and labelling the provider button like "Unused - log in below". This setup is also convenient for inner loop development where we can deploy the same set of containers but with minor configuration tweaks so that the oauth2-proxy can simply pass through all requests (using OAUTH2_PROXY_SKIP_AUTH_ROUTES), or can do Basic auth via htpasswd, but we don't need to go through setting up a real OIDC provider.