g-proxy

Google authentication for internal services

This proxy handles sessions and makes it easy to secure internal services behind a Google Authentication. It acts as a gatekeeper to make sure only authenticated users are allowed to make requests to the origin. All requests are proxied to the origin as is, except for /login, /login/return and /logout paths.

The origin will receive following headers from the proxy:

• x-key: <secret> Where secret is a shared secret between the proxy and origin. If the secret is correct, the origin can trust other headers.
• x-user-name: John Doe Name of the authenticated user.
• x-user-email: john.doe@company.com Email of the authenticated user.
• x-user-photo-url: https://gstatic.google.com/profile.jpg Profile picture url for the authenticated user.

FAQ

How to log out?

You redirect the user to /logout path, which will be handled at proxy level and causes session to be terminated.

Get started

1. Install node environment

2. Follow instructions in https://github.com/bitly/oauth2_proxy to create Google OAuth2 client id and secret

   If you host your internal service at https://internal.company.com, you should use following settings:

   • Authorized JavaScript origins: https://internal.company.com
   • Authorized redirect URIs: https://internal.company.com/login/return This handles the OAuth2 redirect from Google. This should be configured the same as CALLBACK_URL environment variable.

   You might need to enable Google+ API for the Google project to make auth working.

3. npm i

4. cp .env.sample .env and fill the blanks

5. npm start