This repository builds a Docker Image that protects an upstream server using Okta's OpenID Connect Authorization Code flow.

Images can be found at ghcr.io/boxboat/okta-nginx

Note: images are no longer published to Docker Hub.
- Okta Developer account
- An OpenID Connect application supporting the Authorization Code flow
- `PROXY_PASS` - The upstream to proxy authenticated requests to. Should include scheme, host, and port, e.g. `http://localhost:8080`
- `CLIENT_ID` - The Client ID can be found on the 'General' tab of the Web application that you created earlier in the Okta Developer Console
- `CLIENT_SECRET` - The Client Secret can be found on the 'General' tab of the Web application that you created earlier in the Okta Developer Console
- `ISSUER` - Issuer is the URL of the authorization server that will perform authentication. All Developer Accounts have a 'default' authorization server. The issuer is a combination of your Org URL (found in the upper right of the console home page) and `/oauth2/default`. For example, `https://xxxxx.oktapreview.com/oauth2/default`
- `LOGIN_REDIRECT_URL` - Must be on the 'General' tab of the Web application that you created earlier in the Okta Developer Console. Path should be `/sso/authorization-code/callback`, or `${SSO_PATH}/authorization-code/callback` if `SSO_PATH` is set.
- `AUTH_SCOPE` - Defaults to `openid profile`. Okta token auth scopes - note that if you override this, `openid` is necessary for authentication requests.
- `APP_POST_LOGIN_URL` - After authentication is complete, redirect to an application-specific URL. The `state` query parameter will hold the original URL.
- `COOKIE_DOMAIN` - Defaults to current domain only. Set in order to allow use on subdomains.
- `COOKIE_NAME` - Defaults to `okta-jwt`. The name of the cookie that holds the Identity Token.
- `INJECT_REFRESH_JS` - Defaults to `true`. Set to `false` to disable injection of JavaScript that transparently refreshes Identity Tokens when they are close to expiring.
- `ENDPOINT_AUTHORIZE` - Defaults to `${ISSUER}/v1/authorize`. Alternate endpoint to redirect to for authorization.
- `ENDPOINT_LOGOUT` - Defaults to `${ISSUER}/v1/logout`. Alternate endpoint to redirect to for logout.
- `ENDPOINT_TOKEN` - Defaults to `${ISSUER}/v1/token`. Alternate endpoint to retrieve the token from.
- `LISTEN` - Defaults to `80`. Specify another port to change the listening port number. See nginx `listen` for options, such as TLS and unix sockets.
- `LOCATIONS_PROTECTED` - Defaults to `/`. Comma separated list of location blocks to protect before passing to `PROXY_PASS`.
- `LOCATIONS_UNPROTECTED` - Default is disabled. Comma separated list of location blocks that will not be protected and will be passed to `PROXY_PASS`.
- `LOGOUT_REDIRECT_URL` - Default is the app origin URL. URL to redirect to after logging out; can be relative or absolute. Logout path is `/sso/logout`, or `${SSO_PATH}/logout` if `SSO_PATH` is set.
- `PROXY_SET_HEADER_NAMES` - Default is none. Comma separated list of headers to add that will be passed upstream. Must be accompanied by `PROXY_SET_HEADER_VALUES`.
- `PROXY_SET_HEADER_VALUES` - Default is none. Comma separated list of values to associate with `PROXY_SET_HEADER_NAMES`. Values are Go templates that execute against claims, for example `{{.groups}}`.
- `REQUEST_TIMEOUT` - Defaults to `30`. Timeout for calling the Okta endpoints.
- `SERVER_NAME` - Defaults to `_`. See nginx `server_name` for options.
- `SSO_PATH` - Defaults to `/sso/`. Path for SSO error and refresh endpoints. Should include leading and trailing slash.
- `UPDATE_SCRIPT` - Default is none. If desired, set to the full path of an executable shell script that updates the configuration. One parameter will be passed to the script: it will be `true` on the first update and `false` on subsequent updates.
- `UPDATE_PERIOD_SECONDS` - Defaults to `60`. If `UPDATE_SCRIPT` is defined, it will be called at startup, then every `UPDATE_PERIOD_SECONDS` to refresh the configuration.
- `VALIDATE_CLAIMS_TEMPLATE` - Default is disabled. Go template to execute against claims; must return `true` or `1`. sprig functions are available. Example: `{{if or (has "default" .groups) (has "admin" .groups)}}true{{else}}false{{end}}`
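Both `VALIDATE_CLAIMS_TEMPLATE` and `PROXY_SET_HEADER_VALUES` execute Go templates against the ID token claims. The program below is an added example, not the image's own code: it shows how such templates evaluate, why a claims check must fail closed, and why the header name and value lists must line up. sprig's `has` is replaced by a minimal stand-in (an assumption; the image wires in the real sprig), and the claims used in the test are a constructed sample, not a real Okta token.

```go
package main

import (
	"bytes"
	"errors"
	"strings"
	"text/template"
)

// has stands in for sprig's `has` (is needle an element of list?); the image ships real sprig, this stub is an assumption.
func has(needle, list interface{}) bool {
	items, _ := list.([]interface{}) // JSON-decoded claims arrays are []interface{}
	for _, it := range items {
		if it == needle {
			return true
		}
	}
	return false
}
// render executes one Go template against the decoded ID-token claims map.
func render(tmpl string, claims map[string]interface{}) (string, error) {
	var buf bytes.Buffer
	t, err := template.New("t").Funcs(template.FuncMap{"has": has}).Parse(tmpl)
	if err == nil {
		err = t.Execute(&buf, claims)
	}
	return buf.String(), err
}
// ClaimsAllowed mirrors VALIDATE_CLAIMS_TEMPLATE: only an exact "true" or "1" grants access; any error or other output denies.
func ClaimsAllowed(tmpl string, claims map[string]interface{}) bool {
	out, err := render(tmpl, claims)
	return err == nil && (out == "true" || out == "1")
}
// UpstreamHeaders pairs PROXY_SET_HEADER_NAMES with PROXY_SET_HEADER_VALUES (comma separated, so a value template cannot contain a comma) and renders each value.
func UpstreamHeaders(names, values string, claims map[string]interface{}) (map[string]string, error) {
	ns, vs := strings.Split(names, ","), strings.Split(values, ",")
	if len(ns) != len(vs) {
		return nil, errors.New("PROXY_SET_HEADER_NAMES and PROXY_SET_HEADER_VALUES differ in length")
	}
	hdrs := map[string]string{}
	for i, n := range ns {
		v, err := render(vs[i], claims)
		if err != nil {
			return nil, err
		}
		hdrs[strings.TrimSpace(n)] = v
	}
	return hdrs, nil
}
```

Note that a template which merely prints a claim (for example `{{.sub}}`) never grants access, and a template that fails to parse denies rather than passing the request through.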
- `X-Forwarded-User` - Contains the forwarded user's username. Comes from the `sub` assertion in the Auth Token.
- Build container: `./docker-build.sh`
- Set environment variables in `vars.env` to match your deployment
- Run container: `./docker-run.sh`
Any files added to `/etc/nginx/conf.d` will be included in the `http` block.

Any content in the file `/etc/nginx/includes/default-server.conf` will be included in the default `server` block.
Multiple servers are supported by incrementing a number starting with 2 to select environment variables.

- Server 2
  - `LISTEN_2`: required
  - `SERVER_NAME_2`: required
  - `PROXY_PASS_2`: required
  - `LOGIN_REDIRECT_URL_2`: required
  - `APP_POST_LOGIN_URL_2`: optional
  - `COOKIE_DOMAIN_2`: optional
  - `COOKIE_NAME_2`: optional
  - `LOCATIONS_PROTECTED_2`: optional
  - `LOCATIONS_UNPROTECTED_2`: optional
  - `LOGOUT_REDIRECT_URL_2`: optional
  - `PROXY_SET_HEADER_NAMES_2`: optional
  - `PROXY_SET_HEADER_VALUES_2`: optional
  - `VALIDATE_CLAIMS_TEMPLATE_2`: optional
  - optionally add configuration to `/etc/nginx/includes/default-server.2.conf`
- Server N
  - `LISTEN_N`: required
  - `SERVER_NAME_N`: required
  - `PROXY_PASS_N`: required
  - `LOGIN_REDIRECT_URL_N`: required
  - `APP_POST_LOGIN_URL_N`: optional
  - `COOKIE_DOMAIN_N`: optional
  - `COOKIE_NAME_N`: optional
  - `LOCATIONS_PROTECTED_N`: optional
  - `LOCATIONS_UNPROTECTED_N`: optional
  - `LOGOUT_REDIRECT_URL_N`: optional
  - `PROXY_SET_HEADER_NAMES_N`: optional
  - `PROXY_SET_HEADER_VALUES_N`: optional
  - `VALIDATE_CLAIMS_TEMPLATE_N`: optional
  - optionally add configuration to `/etc/nginx/includes/default-server.N.conf`