dip
/
tenant-catalog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Repository for dip
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
17 Branches
0 Tags
3.2 MiB
Tag: Branch: Tree: service-kubeflow
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'service-kubeflow'
${ noResults }
tenant-catalog/kubeflow/common/oauth2-proxy/base/oauth2_proxy.cfg

79 lines
3.0 KiB
Raw Permalink Blame History

provider = "oidc"
oidc_issuer_url = "http://dex.auth.svc.cluster.local:5556/dex"
scope = "profile email groups openid"
email_domains = [ "*" ]
# serve a static HTTP 200 upstream on for authentication success
# we are using oauth2-proxy as an ExtAuthz to "check" each request, not pass it on
upstreams = [ "static://200" ]
# skip authentication for these paths
skip_auth_routes = [
"^/dex/",
]
# requests to paths matching these regex patterns will receive a 401 Unauthorized response
# when not authenticated, instead of being redirected to the login page with a 302,
# this prevents background requests being redirected to the login page,
# and the accumulation of CSRF cookies
api_routes = [
# Generic
# NOTE: included because most background requests contain these paths
"/api/",
"/apis/",
# Kubeflow Pipelines
# NOTE: included because KFP UI makes MANY background requests to these paths but because they are
# not `application/json` requests, oauth2-proxy will redirect them to the login page
"^/ml_metadata",
]
# OIDC Discovery has to be skipped and login url has to be provided directly
# in order to enable relative auth redirect. Using OIDC Discovery would set
# the redirect location to http://dex.auth.svc.cluster.local:5556 in the example
# installation. This address is usually not available through the Web Browser.
# If you have a setup where dex has it's url as other than the in-cluster
# service, this is optional.
skip_oidc_discovery = true
login_url = "/dex/auth"
redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"
# if `false`, a sign-in page is displayed before starting the login flow
# prevents background requests starting their own login flow on token expiry,
# which can lead to many CSRF cookies, potentially exceeding the cookie limit
skip_provider_button = false
# style the sign-in page
provider_display_name = "Dex"
custom_sign_in_logo = "/custom-theme/kubeflow-logo.svg"
banner = "-"
footer = "-"
# oauth2-proxy sends "force" by default, which causes dex to always prompt for login
# https://github.com/dexidp/dex/pull/3086
prompt = "none"
# set Authorization Bearer response header. This is needed in order to
# forward the Authorization Bearer token to Istio and enable authorization
# based on JWT.
set_authorization_header = true
# set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
# X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
# may have other services that use standard auth headers.
set_xauthrequest = true
cookie_name = "oauth2_proxy_kubeflow"
# Dex default cookie expiration is 24h.
# If set to 168h (default oauth2-proxy), Istio will not be able to use the JWT after 24h,
# but oauth2-proxy will still consider the cookie valid.
# It's possible to configure the JWT Refresh Token to enable longer login session.
cookie_expire = "24h"
cookie_refresh = 0
code_challenge_method = "S256"
redirect_url = "/oauth2/callback"
relative_redirect_url = true