Restrict access to an application using oauth2_proxy and Gitlab as its provider

I have currently set up a web-based application, to which I have added an authentication method using oauth2_proxy (with GitLab as the authentication provider). What I need to know is if there's a way that I can restrict the access to this app using a GitLab group or something like that? Because as of now, oauth is configured to allow access to any user on GitLab which has a @foo.bar email domain (-email-domain=foo.bar directive on oauth config). However, I'm looking to control this method in a more restricted manner, so for instance I will create a group on GitLab, to which I will add only relevant users & other groups to which access should be granted. Is there a way to do it?

Skinflint answered 15/5, 2017 at 19:7 Comment(2)
Have you found a solution? – Typhogenic
I'm afraid not, ended up not using it. Although it's been almost two years since I posted that question so who knows, it might be supported now :-) – Skinflint

In newer releases, access can be restricted to a gitlab group in the oauth2_proxy configuration.

--gitlab-group="your_auth_group"

In oauth2-proxy.cfg:

gitlab_groups = [
  "your_auth_group",
  "group2"
]

Be aware that without that configuration, anyone who can log in to your GitLab instance can use your oauth2_proxy-protected service, independent of where the application is registered.

Registering an application in a GitLab group does not restrict the users!

You can also use --gitlab-projects to restrict by access level to a GitLab project. Check the documentation for details.

Tip: you can see the list of groups of an authenticated user using the /oauth2/userinfo endpoint.

Justinjustina answered 20/10, 2023 at 9:23 Comment(0)

Not sure if it's what you're looking for, but according to the documentation you could use the --authenticated-emails-file param to provide a list of authenticated emails.

Thurgau answered 21/5, 2021 at 12:6 Comment(1)
Thanks! That seems like a relatively newer addition since I posted this question (4 and something years ago) and have abandoned that project a while ago, but thanks for posting that answer for others that may come across this requirement! – Skinflint