deskoh
diff --git a/‎README.md
Lines changed: 67 additions & 0 deletions b/‎README.md
Lines changed: 67 additions & 0 deletions
diff --git a/‎config/oauth2-proxy.cfg
Lines changed: 104 additions & 0 deletions b/‎config/oauth2-proxy.cfg
Lines changed: 104 additions & 0 deletions
diff --git a/‎docker-compose.yaml
Lines changed: 89 additions & 0 deletions b/‎docker-compose.yaml
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,67 @@
+# NGINX with OAuth2 Proxy and Keycloak demo
+
+NGINX -> OAuth2 Proxy -> NodeJS
+
+## Quick Start
+
+```sh
+# Start (Keycloak will bootstrap with `dev` realm and users)
+# NGINX and OAuth2 Proxy will exit as dependent containers are not ready (https://docs.docker.com/compose/startup-order/)
+docker-compose up -d
+# Wait until Keycloak completes initialization, and start the stopped containers
+docker-compose up -d
+
+# Cleanup
+docker-compose rm
+docker volume prune
+```
+
+Initiate browser login at http://nginx.127.0.0.1.nip.io:9000/ with user=`user`, password=`password`.
+
+Authenticated requests will be proxied to NodeJS server with HTTP headers echoed to the browser:
+
+```sh
+'x-user': '4a76657b-35f0-43d0-9653-9b0f60ebd4b9'
+'x-email': '[email protected]'
+```
+
+Sign-out URL: [http://nginx.127.0.0.1.nip.io:4180/oauth2/sign_out](http://proxy.127.0.0.1.nip.io:4180/oauth2/sign_out)
+
+Access Keycloak at [http://keycloak.127.0.0.1.nip.io:8080](http://keycloak.127.0.0.1.nip.io:8080) with user=`admin`, password=`password` to check out the settings
+
+## Refreshing Cookie
+
+By setting a value for `refresh-cookie`, the proxy will refresh the Access Token after the specified duration. By setting a short duration (e.g. 5m, which is the default expiry for Access Token issued by Keycloak), this will allow sessions to be revoked quickly.
+
+> For OAuth2 Proxy configuration, `refresh-cookie` does not work for `keycloak` provider but works for `oidc` provider.
+
+## Hostname / Domain
+
+The issuer of access token is the hostname / domain during browser login. Subsequent `POST` to token validation endpoint  ( OAuth2 Proxy `validate_url` value if configured) by OAuth2 Proxy will fail with `{"error":"invalid_token","error_description":"Token verification failed"}` if the hostname is different.
+
+For OAuth2 Proxy container to reach Keycloak using the same hostname / FQDN, an alias to Keycloak container is configured in `docker-compose.yml`.
+
+```yml
+aliases:
+  - keycloak.127.0.0.1.nip.io
+```
+
+## Keycloak Export
+
+```sh
+docker run --rm\
+    --name keycloak_exporter\
+    --network local\
+    -v /tmp:/tmp/realm-config:Z\
+    -e KEYCLOAK_USER=admin\
+    -e KEYCLOAK_PASSWORD=password\
+    -e DB_ADDR=mariadb\
+    -e DB_USER=keycloak\
+    -e DB_PASSWORD=password\
+    -e DB_VENDOR=mariadb\
+    jboss/keycloak:11.0.1\
+    -Dkeycloak.migration.action=export\
+    -Dkeycloak.migration.provider=dir\
+    -Dkeycloak.migration.dir=/tmp/realm-config\
+    -Dkeycloak.migration.usersExportStrategy=SAME_FILE
+```
@@ -0,0 +1,104 @@
+## OAuth2 Proxy Config File
+## https://github.com/oauth2-proxy/oauth2-proxy
+
+## <addr>:<port> to listen on for HTTP/HTTPS clients
+# http_address = "127.0.0.1:4180"
+http_address="0.0.0.0:4180"
+# https_address = ":443"
+
+## Are we running behind a reverse proxy? Will not accept headers like X-Real-Ip unless this is set.
+# reverse_proxy = true
+
+## TLS Settings
+# tls_cert_file = ""
+# tls_key_file = ""
+
+## the OAuth Redirect URL.
+# defaults to the "https://" + requested host header + "/oauth2/callback"
+redirect_url="http://nginx.127.0.0.1.nip.io:9000/oauth2/callback"
+
+## the http url(s) of the upstream endpoint. If multiple, routing is based on path
+upstreams = [
+    # static://200
+    "http://server:8000/"
+]
+## Logging configuration
+#logging_filename = ""
+#logging_max_size = 100
+#logging_max_age = 7
+#logging_local_time = true
+#logging_compress = false
+#standard_logging = true
+#standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
+#request_logging = true
+#request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
+#auth_logging = true
+#auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
+
+## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
+# pass_basic_auth = true
+# pass_user_headers = true
+## pass the request Host Header to upstream
+## when disabled the upstream Host is used as the Host Header
+# pass_host_header = true
+
+## Email Domains to allow authentication for (this authorizes any email on this domain)
+## for more granular authorization use `authenticated_emails_file`
+## To authorize any email addresses use "*"
+# email_domains = [
+#     "yourcompany.com"
+# ]
+email_domains = "*"
+
+## The OAuth Client ID, Secret
+client_id = "server"
+client_secret = "d1680bbb-24f3-4835-a0d9-2a7492a4cc99"
+
+## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
+# pass_access_token = true
+
+## Authenticated Email Addresses File (one email per line)
+# authenticated_emails_file = ""
+
+## Htpasswd File (optional)
+## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
+## enabling exposes a username/login signin form
+# htpasswd_file = ""
+
+## Templates
+## optional directory with custom sign_in.html and error.html
+# custom_templates_dir = ""
+
+## skip SSL checking for HTTPS requests
+# ssl_insecure_skip_verify = false
+
+
+## Cookie Settings
+## Name     - the cookie name
+## Secret   - the seed string for secure cookies; should be 16, 24, or 32 bytes
+##            for use with an AES cipher when cookie_refresh or pass_access_token
+##            is set
+## Domain   - (optional) cookie domain to force cookies to (ie: .yourcompany.com)
+## Expire   - (duration) expire timeframe for cookie
+## Refresh  - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
+##            Should be less than cookie_expire; set to 0 to disable.
+##            On refresh, OAuth token is re-validated.
+##            (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
+## Secure   - secure cookies are only sent by the browser of a HTTPS connection (recommended)
+## HttpOnly - httponly cookies are not readable by javascript (recommended)
+# cookie_name = "_oauth2_proxy"
+cookie_secret = "MTExMTExMTExMTExMTExMQ=="
+# cookie_domains = ""
+# cookie_expire = "168h"
+cookie_refresh = "5m"
+cookie_secure = false
+# cookie_httponly = true
+
+oidc_issuer_url = "http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev"
+provider = "oidc"
+provider_display_name = "Keycloak"
+
+request_logging = false
+# Optional: Set additional headers at http://nginx.127.0.0.1.nip.io:9000/oauth2/auth
+set_authorization_header = true
+set_xauthrequest =  true
@@ -0,0 +1,89 @@
+version: '3.5'
+
+services:
+
+  proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
+    container_name: oauth2-proxy
+    command: --config /oauth2-proxy.cfg
+    ports:
+      - 4180:4180
+      - 443:443
+    networks:
+      - proxy-network
+    volumes:
+      - ./config/oauth2-proxy.cfg:/oauth2-proxy.cfg
+    depends_on:
+      - keycloak
+
+  keycloak:
+    image: jboss/keycloak:11.0.1
+    environment:
+      - DB_ADDR=mariadb
+      - DB_USER=keycloak
+      - DB_PASSWORD=password
+    container_name: kc
+    volumes:
+      - ./keycloak:/tmp/realm-config
+    command:
+      [
+        '-Dkeycloak.migration.action=import',
+        '-Dkeycloak.migration.provider=dir',
+        '-Dkeycloak.migration.dir=/tmp/realm-config',
+        '-Dkeycloak.migration.strategy=IGNORE_EXISTING',
+      ]
+    networks:
+      proxy-network:
+        aliases:
+          - keycloak.127.0.0.1.nip.io
+    ports:
+      - 8080:8080
+    depends_on:
+      - mariadb
+  
+  mariadb:
+    image: mariadb:10.5.5
+    environment:
+      - MYSQL_DATABASE=keycloak
+      - MYSQL_ROOT_PASSWORD=password
+      - MYSQL_USER=keycloak
+      - MYSQL_PASSWORD=password
+    container_name: keycloak-db
+    networks:
+      - proxy-network
+    volumes:
+      - vol-mariadb:/var/lib/mysql
+  
+  server:
+    build: ./server
+    image: server
+    user: node
+    working_dir: /usr/src/app
+    environment:
+      - NODE_ENV=production
+    ports:
+      - 8000:8000
+    command: node .
+    container_name: server
+    networks:
+      - proxy-network
+  
+  nginx:
+    image: nginx:alpine
+    ports:
+      - 9000:80
+    container_name: nginx
+    volumes:
+      - ./nginx:/etc/nginx/conf.d
+    networks:
+      - proxy-network
+    depends_on:
+      - server
+      - proxy
+
+networks:
+  proxy-network:
+    name: local
+
+volumes:
+  vol-mariadb: