Wordpress OAuth2 Proxy
A reverse proxy using WP OAuth Server as an authentication scheme.
You can use it to expose any internal service to your Wordpress users.
Usage
Install the Wordpress plugin
First, you need to install WP OAuth Server on your Wordpress site.
In WP-CLI...
$ wp plugin install --activate oauth2-providerCreate a new client
From your
https://YOUR_WORDPRESS/wp-admin/options-general.php?page=wo_settings#clients
page, click "Add New Client", and set the redirect URI to
https://YOUR_SERVICE/auth/wordpress/callback, where YOUR_SERVICE is the
public name of your wordpress-oauth2-proxy.
Copy the Client ID and Secret for the client from this page.
Configure the proxy
It is easiest to use Docker with Docker
Compose, but if you prefer you can simply
set the appropriate environment variables and run node index.js.
If you are not using Docker, you will need to install node and MongoDB (or get a hosted MongoDB database from Compose). The database is merely used to persist authenticated clients.
Copy docker-compose.example.yml into your project, and adjust the environment
variables as appropriate, then run docker-compose up.
| Variable | Explanation |
|---|---|
| HOST | The external hostname for your service |
| TARGET | The internal hostname of the service to expose through the authenticated proxy. Commonly a linked image. |
| TARGET_SCHEME | "http" or "https" |
| TARGET_PREPEND | A path to be prepended to every request through the proxy |
| HTTP_PORT | Default: 80 |
| HTTPS_PORT | Default: 443 |
| HTTPS_FORCE | Enable to redirect all non-https requests |
| KEY_FILE | Path to a TLS certificate key |
| CERT_FILE | Path to a TLS certificate |
| DB_URI | A MongoDB database (by default running in a linked container) |
| SESSION_SECRET | Change this to any random string |
| OAUTH_CLIENT_ID | The Client ID you created in Wordpress. |
| OAUTH_CLIENT_SECRET | The Secret you created in Wordpress. |
| OAUTH_URL | The SITEURL of the Wordpress instance. |
| OAUTH_CALLBACK_URL | Prefix with the external URI of your service (such as a CNAME pointing to this Docker host). The /auth/wordpress/callback route is handled by wordpress-oauth2-proxy. |
| SECRET_TOKEN_HEADER | Optionally accept a secret token on this header for unauthenticated requests ($SECRET_TOKEN) (for example, X-Gitlab-Token) |
| SECRET_TOKEN | A secret token which must match $SECRET_TOKEN_HEADER if enabled and the request is not authenticated by oAuth. |
Make sure that TARGET is not publicly accessible, or unauthenticated users can simply ignore your reverse proxy!
With the proxy up and running, open the site in your browser, and verify the login process.
You're done!
Hacking
You will need docker and docker-compose installed.
$ git clone git@github.com:logankoester/wordpress-oauth2-proxy.git$ cd wordpress-oauth2-proxy$ mv docker-compose.example.yml docker-compose.yml # Modify docker-compose.yml for your environment... $ docker-compose upAuthor
Copyright (c) 2015 Logan Koester. Released under the MIT license. See LICENSE for details.