refactor: use environment variables for oauth2-proxy config

Merge pull request #233 from samply/fix/id-management-redirection
Allow Usage of Centraxx Interface without login
2025-06-16 20:40:15 +02:00 · 2024-10-08 13:52:29 +02:00 · 2024-10-08 13:30:44 +02:00 · 2024-10-01 13:30:23 +02:00
2 changed files with 37 additions and 32 deletions
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -121,42 +121,38 @@ services:
  oauth2-proxy:
    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
    container_name: bridgehead-oauth2proxy
-    command: >-
+    environment:
-      --allowed-group=DataSHIELD
+      - http_proxy=http://forward_proxy:3128
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
+      - https_proxy=http://forward_proxy:3128
-      --auth-logging=true
+      - OAUTH2_PROXY_ALLOWED_GROUPS=DataSHIELD
-      --whitelist-domain=${HOST}
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
-      --http-address="0.0.0.0:4180"
+      - OAUTH2_PROXY_WHITELIST_DOMAIN=${HOST}
-      --reverse-proxy=true
+      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
-      --upstream="static://202"
+      - OAUTH2_PROXY_REVERSE_PROXY=true
-      --email-domain="*"
+      - OAUTH2_PROXY_UPSTREAMS=static://202
-      --cookie-name="_BRIDGEHEAD_oauth2"
+      - OAUTH2_PROXY_EMAIL_DOMAINS=*
-      --cookie-secret="${OAUTH2_PROXY_SECRET}"
+      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2
-      --cookie-expire="12h"
+      - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_SECRET}
-      --cookie-secure="true"
+      - OAUTH2_PROXY_COOKIE_EXPIRE=12h
      --cookie-httponly="true"
      #OIDC settings
-      --provider="keycloak-oidc"
+      - OAUTH2_PROXY_PROVIDER=keycloak-oidc
-      --provider-display-name="VerbIS Login"
+      - OAUTH2_PROXY_PROVIDER_DISPLAY_NAME="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
-      --client-secret="${OIDC_CLIENT_SECRET}"
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
-      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
+      - OAUTH2_PROXY_REDIRECT_URL="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_ISSUER_URL}"
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_ISSUER_URL}
-      --scope="openid email profile"
+      - OAUTH2_PROXY_SCOPE=openid profile email
-      --code-challenge-method="S256"
+      - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=true
-      --skip-provider-button=true
+      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      #X-Forwarded-Header settings - true/false depending on your needs
-      --pass-basic-auth=true
+      - OAUTH2_PROXY_PASS_BASIC_AUTH=true
-      --pass-user-headers=false
+      - OAUTH2_PROXY_PASS_USER_HEADERS=false
-      --pass-access-token=false
+      - OAUTH2_PROXY_ACCESS_TOKEN=false
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
      - "traefik.http.routers.oauth2_proxy.tls=true"
    environment:
      http_proxy: "http://forward_proxy:3128"
      https_proxy: "http://forward_proxy:3128"
    depends_on:
      forward_proxy:
        condition: service_healthy
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@ -19,10 +19,18 @@ services:
      - traefik-forward-auth
    labels:
      - "traefik.enable=true"
      # Router with Authentication
      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
      - "traefik.http.routers.id-manager.tls=true"
      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
      - "traefik.http.routers.id-manager.service=id-manager-service"
      # Router without Authentication
      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
      - "traefik.http.routers.id-manager-compatibility.tls=true"
      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
      # Definition of Service
      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
  patientlist:
    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
@ -57,7 +65,7 @@ services:
      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
  traefik-forward-auth:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
    environment:
      - http_proxy=http://forward_proxy:3128
      - https_proxy=http://forward_proxy:3128
@ -67,6 +75,7 @@ services:
      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
Author	SHA1	Message	Date
Torben Brenner	b741d931ae	refactor: use environment variables for oauth2-proxy config	2024-10-08 13:52:29 +02:00
Torben Brenner	f328e40963	Merge pull request #233 from samply/fix/id-management-redirection Allow Usage of Centraxx Interface without login	2024-10-08 13:30:44 +02:00
Torben Brenner	eb2955872f	fix: allow usage of centraxx interface without login Before this change CentraXX was redirected to the central login servers then interacting with the id-management	2024-10-01 13:30:23 +02:00