Login.gov - Oauth2 Proxy

login.gov is an OIDC provider for the US Government. If you are a US Government agency, you can contact the login.gov team through the contact information that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov accounts for integration/test and production access.

A developer guide is available here: https://developers.login.gov/, though this proxy handles everything but the data you need to create to register your application in the login.gov dashboard.

As a demo, we will assume that you are running your application that you want to secure locally on http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that you have an agency integration account for testing.

First, register your application in the dashboard. The important bits are:

Identity protocol: make this Openid connect
Issuer: do what they say for OpenID Connect. We will refer to this string as ${LOGINGOV_ISSUER}.
Public key: This is a self-signed certificate in .pem format generated from a 2048-bit RSA private key. A quick way to do this is openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes -subj '/C=US/ST=Washington/L=DC/O=GSA/OU=18F/CN=localhost'. The contents of the key.pem shall be referred to as ${OAUTH2_PROXY_JWT_KEY}.
Return to App URL: Make this be http://localhost:4180/
Redirect URIs: Make this be http://localhost:4180/oauth2/callback.
Attribute Bundle: Make sure that email is selected.

Now start the proxy up with the following options:

./oauth2-proxy -provider login.gov \
  -client-id=${LOGINGOV_ISSUER} \
  -redirect-url=http://localhost:4180/oauth2/callback \
  -oidc-issuer-url=https://idp.int.identitysandbox.gov/ \
  -cookie-secure=false \
  -email-domain=gsa.gov \
  -upstream=http://localhost:3000/ \
  -cookie-secret=somerandomstring12341234567890AB \
  -cookie-domain=localhost \
  -skip-provider-button=true \
  -pubjwk-url=https://idp.int.identitysandbox.gov/api/openid_connect/certs \
  -profile-url=https://idp.int.identitysandbox.gov/api/openid_connect/userinfo \
  -jwt-key="${OAUTH2_PROXY_JWT_KEY}"

You can also set all these options with environment variables, for use in cloud/docker environments. One tricky thing that you may encounter is that some cloud environments will pass in environment variables in a docker env-file, which does not allow multiline variables like a PEM file. If you encounter this, then you can create a jwt_signing_key.pem file in the top level directory of the repo which contains the key in PEM format and then do your docker build. The docker build process will copy that file into your image which you can then access by setting the OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem environment variable, or by setting --jwt-key-file=/etc/ssl/private/jwt_signing_key.pem on the commandline.

Once it is running, you should be able to go to http://localhost:4180/ in your browser, get authenticated by the login.gov integration server, and then get proxied on to your application running on http://localhost:3000/. In a real deployment, you would secure your application with a firewall or something so that it was only accessible from the proxy, and you would use real hostnames everywhere.

Skip OIDC discovery

Some providers do not support OIDC discovery via their issuer URL, so oauth2-proxy cannot simply grab the authorization, token and jwks URI endpoints from the provider's metadata.

In this case, you can set the --skip-oidc-discovery option, and supply those required endpoints manually:

    -provider oidc
    -client-id oauth2-proxy
    -client-secret proxy
    -redirect-url http://127.0.0.1:4180/oauth2/callback
    -oidc-issuer-url http://127.0.0.1:5556
    -skip-oidc-discovery
    -login-url http://127.0.0.1:5556/authorize
    -redeem-url http://127.0.0.1:5556/token
    -oidc-jwks-url http://127.0.0.1:5556/keys
    -cookie-secure=false
    -email-domain example.com