Google authentication for internal services
This proxy handles sessions and makes it easy to secure internal services
behind Google authentication. It acts as a gatekeeper to make sure only authenticated users
are allowed to make requests to the origin. All requests are proxied to the origin as is, except
The origin will receive the following headers from the proxy:
x-key: <secret>
Where secret is a shared secret between the proxy and origin. If the secret is correct, the origin can trust other headers.

x-user-name: John Doe
Name of the authenticated user.

x-user-email: firstname.lastname@example.org
Email of the authenticated user.

x-user-photo-url: https://gstatic.google.com/profile.jpg
Profile picture URL for the authenticated user.
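An added example (not part of this project's code) of how an origin could check the headers above before trusting them: it compares x-key with the shared secret in constant time and only then reads the x-user-* values. The function names, the sample secret and the choice to require all three user headers are assumptions.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Identity headers the proxy sets; only meaningful once x-key has been verified.
const IDENTITY_HEADERS = { name: 'x-user-name', email: 'x-user-email', photoUrl: 'x-user-photo-url' };

// Constructed sample request headers (user values taken from the README's examples).
const SAMPLE_HEADERS = {
  'x-key': 'constructed-shared-secret',
  'x-user-name': 'John Doe',
  'x-user-email': 'firstname.lastname@example.org',
  'x-user-photo-url': 'https://gstatic.google.com/profile.jpg',
};

// Constant-time comparison. Hashing both sides first gives timingSafeEqual
// the equal-length buffers it requires and hides the secret's length.
function secretMatches(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  if (expected === '') return false; // fail closed if the origin is misconfigured
  const a = createHash('sha256').update(presented).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Returns { name, email, photoUrl } or null when the request cannot be trusted.
// `headers` is a Node-style object with lower-cased header names (req.headers).
function userFromProxyHeaders(headers, sharedSecret) {
  if (!secretMatches(headers['x-key'], sharedSecret)) return null;
  const user = {};
  for (const [field, header] of Object.entries(IDENTITY_HEADERS)) {
    // Assumption: the proxy always sends all three user headers.
    if (typeof headers[header] !== 'string' || headers[header] === '') return null;
    user[field] = headers[header];
  }
  return user;
}

// Wraps a node:http request handler: 403 unless the request came via the proxy.
function requireProxy(sharedSecret, handler) {
  return (req, res) => {
    const user = userFromProxyHeaders(req.headers, sharedSecret);
    if (!user) {
      res.statusCode = 403;
      res.end('Forbidden');
      return;
    }
    req.user = user;
    handler(req, res);
  };
}
```

The origin would wrap its handler with requireProxy, passing the same secret value the proxy is configured with.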
To log a user out, redirect them to the
/logout path, which is handled at the proxy level and causes the session
to be terminated.
Install a Node.js environment
Follow the instructions in https://github.com/bitly/oauth2_proxy to create a Google OAuth2 client ID and secret
If you host your internal service at https://internal.company.com, you should use the following settings:
https://internal.company.com/login/return
This handles the OAuth2 redirect from Google. It should be configured to the same value as the CALLBACK_URL environment variable.
You might need to enable the Google+ API for the Google project to make authentication work.
cp .env.sample .env and fill in the blanks