@bradym
Created July 18, 2019 02:00
INSECURE Working config for rundeck + oauth2_proxy

Using these settings, I was able to get logged in to rundeck using oauth2 with google as the provider. More specifically, it's using gsuite and only works for users belonging to a specified group (ops@example.com).

You'll need to follow the setup steps here to get your gsuite setup ready for use: https://pusher.github.io/oauth2_proxy/auth-configuration#google-auth-provider

Known Issues

  • This setup is insecure as there is no TLS: nginx listens on plain HTTP and the session cookie is issued with cookie_secure = false, so it travels in the clear. I've only used it locally for testing.
  • oauth2_proxy does not support returning the groups a user is a member of, so they cannot be passed to rundeck. This is why the role is hardcoded (X-Forwarded-Roles user in the nginx config). Not a good solution for most situations.

Software Versions

oauth2_proxy config:

```toml
# Proxy settings
http_address = "0.0.0.0:4180"     # nginx reaches the proxy on localhost, so "127.0.0.1:4180" is enough
cookie_domain = ".example.com"
# With pass_access_token = true the proxy encrypts the token into the cookie and needs an AES key,
# so cookie_secret must be 16, 24 or 32 bytes (this placeholder is 32 characters); generate your own.
cookie_secret = "generateYourOwnSuperSecretValue!"
cookie_secure = false             # INSECURE: cookie sent over plain HTTP; set to true once TLS is in place
email_domains = ["example.com"]
pass_access_token = true
pass_host_header = true
pass_roles_header = true
redirect_url = "http://rundeck.example.com/oauth2/callback"   # must match the redirect URI registered for the Google client
request_logging = true
set_xauthrequest = true           # /oauth2/auth then returns X-Auth-Request-User, which nginx copies to Rundeck
upstreams = ["http://127.0.0.1:4440/"]   # only used by requests that hit port 4180 directly; nginx proxies to Rundeck itself
# Google settings
provider = "google"
client_id = "YourGoogleClientId"
client_secret = "YourGoogleClientSecret"
google_admin_email = "admin@example.com"   # G Suite admin the service account impersonates for the group lookup
google_group = "ops@example.com"           # only members of this group are allowed through
google_service_account_json = "/path/to/google_service_account_json_file.json"
```
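The cookie_secret placeholder above only works because it happens to be exactly 32 characters. The following is an added example, not part of the gist, for checking a candidate secret the way the proxy will see it and for generating a fresh one. secret_bytes() reproduces oauth2_proxy's key derivation as I understand it from the proxy's source (an assumption, not something the gist states): a value that is strict URL-safe base64 decoding to 16, 24 or 32 bytes is used decoded, anything else is used as raw bytes.

```python
"""Check and generate oauth2_proxy cookie_secret values (added example, not from the gist)."""
import base64
import binascii
import os

AES_KEY_SIZES = (16, 24, 32)  # key sizes the proxy accepts for its AES cookie cipher


def secret_bytes(secret: str) -> bytes:
    """Key bytes oauth2_proxy derives from cookie_secret (assumed behaviour, see lead-in).

    If the string is URL-safe base64 (padding optional) that decodes to 16, 24 or 32
    bytes, the decoded bytes are the key; otherwise the raw UTF-8 bytes of the string are.
    """
    padded = secret + "=" * (-len(secret) % 4)
    try:
        if "+" in secret or "/" in secret:  # not URL-safe alphabet -> raw bytes
            raise binascii.Error("standard base64 alphabet")
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
        if len(decoded) in AES_KEY_SIZES:
            return decoded
    except (binascii.Error, ValueError):
        pass
    return secret.encode("utf-8")


def check_cookie_secret(secret: str):
    """Return (ok, message) for a cookie_secret as the proxy would judge it."""
    n = len(secret_bytes(secret))
    if n in AES_KEY_SIZES:
        return True, f"{n}-byte key"
    return False, f"{n} bytes; must be 16, 24 or 32 (required with pass_access_token = true)"


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Fresh random secret, base64url-encoded so it round-trips through secret_bytes()."""
    if nbytes not in AES_KEY_SIZES:
        raise ValueError("nbytes must be 16, 24 or 32")
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")


if __name__ == "__main__":
    # Prints a 32-byte secret ready to paste into cookie_secret.
    print(generate_cookie_secret())
```

Note the trap check_cookie_secret() catches: a 32-character string that happens to be valid base64 (e.g. 32 letters) is decoded to 24 bytes, which is still a valid key, but a short human-readable value such as "changeme" is 8 raw bytes and the proxy will refuse to start.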
Rundeck preauthenticated settings (rundeck-config):

```properties
# Trust identity headers supplied by the reverse proxy instead of Rundeck's own login.
# Rundeck does not verify where the headers came from, so port 4440 must only be reachable via nginx.
rundeck.security.authorization.preauthenticated.enabled=true
rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS
rundeck.security.authorization.preauthenticated.delimiter=,
# Header names nginx sets from the oauth2_proxy auth_request result.
rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-Uuid
rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles
# On logout Rundeck redirects to redirectUrl. /oauth2/sign_in only shows the proxy's login page and
# does not clear the _oauth2_proxy cookie; use /oauth2/sign_out if logout should end the proxy session.
rundeck.security.authorization.preauthenticated.redirectLogout=true
rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in
```
nginx site config:

```nginx
server {
    listen 80;                        # plain HTTP, see Known Issues: TLS is not configured
    server_name rundeck.example.com;
    server_tokens off;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    root /var/lib/rundeck/exp/webapp;

    # Everything under /oauth2/ is handled by oauth2_proxy itself: the auth subrequest
    # (/oauth2/auth), the login start (/oauth2/start), the Google callback and sign_in/sign_out.
    location /oauth2/ {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # For the auth subrequest $request_uri is the URI the user originally asked for,
        # so oauth2_proxy can send them back there after login.
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location / {
        # Ask oauth2_proxy whether the request carries a valid session cookie:
        # a 2xx answer lets it through, a 401 is turned into the login flow.
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/start;

        # Copy the user oauth2_proxy identified (set_xauthrequest = true) into the header Rundeck
        # reads as userNameHeader. proxy_set_header replaces any value the client sent, so a browser
        # cannot smuggle its own X-Forwarded-Uuid through nginx.
        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-Forwarded-Uuid $user;
        # Hardcoded role (see Known Issues): every authenticated user gets the Rundeck role "user".
        proxy_set_header X-Forwarded-Roles user;

        # Forward a refreshed session cookie if oauth2_proxy issued one during /oauth2/auth.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # Rundeck trusts the two headers above unconditionally, so port 4440 must not be reachable
        # except through this server block (bind Rundeck to 127.0.0.1 or firewall the port).
        proxy_pass http://localhost:4440/;
        proxy_redirect http://localhost:4440 /;
        proxy_set_header Host $host;
    }
}
```
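The whole setup stands or falls on two properties of the nginx config: nothing reaches Rundeck without a valid oauth2_proxy session, and nobody can set X-Forwarded-Uuid / X-Forwarded-Roles themselves. The script below is an added example (not part of the gist) that probes both from the outside once the stack is up. The host names, the direct Rundeck URL and the probe path /menu/home are assumptions; the header names are the ones from the Rundeck config and the identity values are made up.

```python
"""Smoke-test the nginx -> oauth2_proxy -> Rundeck preauthenticated setup (added example).

Usage: python audit_preauth.py http://rundeck.example.com/ http://rundeck.example.com:4440/menu/home
"""
import sys
import urllib.error
import urllib.request

# Header names from the Rundeck preauthenticated config; the values are arbitrary spoofed identities.
SPOOFED_HEADERS = {"X-Forwarded-Uuid": "spoofed-admin", "X-Forwarded-Roles": "admin"}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of following them, so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def probe(url, headers=None, timeout=5):
    """Return (status, location). status is None and location the error text if the host is unreachable."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx (not followed), 4xx, 5xx
        return err.code, (err.headers.get("Location", "") if err.headers else "")
    except OSError as err:  # connection refused, DNS failure, timeout
        return None, str(getattr(err, "reason", err))


def judge_front_door(status, location):
    """Verdict for a request to nginx made without a valid _oauth2_proxy cookie."""
    if status is None:
        return False, "nginx unreachable: " + location
    if status == 200:
        return False, "content served without an oauth2_proxy session"
    if status in (301, 302, 303, 307, 308):
        return True, "redirected to login: " + location
    if status in (401, 403):
        return True, "denied with HTTP %d" % status
    return False, "unexpected HTTP %d" % status


def judge_backend(status, location):
    """Verdict for a request sent straight to Rundeck's port with spoofed identity headers."""
    if status is None:
        return True, "Rundeck port not reachable from here: " + location
    if status == 200:
        return False, "Rundeck accepted the spoofed identity headers"
    return False, "Rundeck port is reachable (HTTP %d); anyone who can reach it can set the headers" % status


def audit(front_url, backend_url):
    """Run the three probes and return [(name, (ok, message)), ...]."""
    return [
        ("anonymous via nginx", judge_front_door(*probe(front_url))),
        ("spoofed headers via nginx", judge_front_door(*probe(front_url, SPOOFED_HEADERS))),
        ("spoofed headers direct to Rundeck", judge_backend(*probe(backend_url, SPOOFED_HEADERS))),
    ]


if __name__ == "__main__":
    front = sys.argv[1] if len(sys.argv) > 1 else "http://rundeck.example.com/"
    backend = sys.argv[2] if len(sys.argv) > 2 else "http://rundeck.example.com:4440/menu/home"
    all_ok = True
    for name, (ok, message) in audit(front, backend):
        all_ok &= ok
        print("%s  %-36s %s" % ("PASS" if ok else "FAIL", name, message))
    sys.exit(0 if all_ok else 1)
```

Run it from a machine that is not the Rundeck host itself: the third probe is only meaningful from the network position an attacker would have, and a connection refused there is the result you want.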