by mcpherrinm 3387 days ago
I'm super happy to see this. Square uses something similar for employee access to our datacenter, and I hope more people follow this trend. It's one of the annoying parts of open-sourcing our infrastructure -- we can't generally assume folks have an authenticating proxy around. With a few examples in the wild, I'll be happy to start doing that.

We use mutually-authenticated TLS (i.e., the proxy presents a client cert to your backend) so that you know the entire request is valid, including the username header. IAP only signs the header, which could be replayed because it's not bound to the session (e.g., a debug page exposes request headers). But it's probably easier to grab a library that can validate JWT than worry about your TLS termination layer (e.g., in a Rails app behind nginx terminating TLS & serving assets).

2 comments

I love that thing - I use it with nginx to secure access to stuff running on my home machine that I want to expose publicly (e.g. the Transmission Web UI).
Wouldn't something like Caddy's multipass[1] be easier and with less third-party approval?

That said, I just use Caddy to proxy all my home's internal services with basic auth. At work I use the same setup, except it authenticates against our LDAP server.

[1]: https://caddyserver.com/docs/multipass

That's a great use for it I hadn't considered. Thanks for the idea.
What types of webservices? Just pure L7 stuff that has forms on it? Is that oauth2proxy just an authenticated reverse proxy or can it add some security context to the internal interface?
We use it in conjunction with kubernetes service proxy https://github.com/pedro-r-marques/k8s-service-proxy to access all of our internal services and debug ports deployed in the k8s/GKE cluster. oauth2 proxy authenticates, service discovery in k8s means that we can keep publishing apps. We don't use fine-grained ACLs... But I guess that we could if we wanted to.
I'm a big fan. I've been using it to do 'outside in' Google type, expose services on the internet via OAuth for ages. It's solid and great.
I hadn't before this thread. It looks cool. I'm definitely going to look into it more. Thanks!
For a recent service I wrote, it requires the JWT to expire in less than a minute, which would at least minimize replay attacks, and it's entirely possible to do something similar.

Though client certs are definitely safer all around, they are more involved to spread around to apps talking to each other.
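The signed-identity-header check and the sub-minute expiry discussed in the first and last comments, as an added example that is not code from the thread or from IAP/oauth2_proxy; it assumes an HS256 shared secret (the constructed `SECRET`) standing in for the ES256 public-key verification a real IAP backend performs, and a 60-second token lifetime.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret between proxy and backend (assumption; IAP uses
# ES256 with published public keys, which a library would verify instead).
SECRET = b"constructed-demo-secret"
MAX_TOKEN_AGE = 60  # seconds; short lifetime bounds how long a leaked header can be replayed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_identity(email: str, aud: str, iat: int) -> str:
    """Proxy side: mint a short-lived JWT asserting who the authenticated user is."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": email, "aud": aud, "iat": iat, "exp": iat + MAX_TOKEN_AGE}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_identity(token: str, expected_aud: str, now: int):
    """Backend side: return the asserted identity, or None if the header must be rejected."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # covers malformed base64, JSON and wrong segment count
        return None
    if header.get("alg") != "HS256":
        return None  # never let the token pick the algorithm (alg=none style confusion)
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered identity header
    if claims.get("aud") != expected_aud:
        return None  # minted for a different backend
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # expired or not yet valid: a replayed old header lands here
    if claims["exp"] - claims["iat"] > MAX_TOKEN_AGE:
        return None  # refuse long-lived tokens even if the signature is good
    return claims["sub"]
```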