Use oauth2-proxy with GitHub Auth Provider to secure Admin apps #3030

Closed
humphd opened this issue Feb 23, 2022 · 18 comments
Labels: area: docker, area: nginx, area: traefik (API routing with Traefik), type: enhancement (New feature or request)
Milestone: 2.8 Release

humphd (Contributor) commented Feb 23, 2022

We've pretty much solved authentication for users. Next, I want to solve authentication for our "admin" apps. These are areas of the system that only our dev team should be able to access (e.g., Supabase console).

One solution is for us to add oauth2-proxy and configure it with the GitHub Auth Provider, which can be set up to further limit to use a GitHub org, team, repo, etc.

We can connect oauth2-proxy to either nginx or traefik.

humphd added the labels type: enhancement, area: docker, area: traefik, area: nginx on Feb 23, 2022
humphd added this to the 2.8 Release milestone on Feb 23, 2022

humphd (Contributor, Author) commented Feb 23, 2022

I think that once we do this, we can configure Portainer to use it too (this needs more research, see https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints):

(screenshot: Screen Shot 2022-02-23 at 5 23 15 PM)

joelazwar self-assigned this Feb 24, 2022
aserputov assigned RC-Lee and JiaHua-Zou and unassigned joelazwar Feb 24, 2022
joelazwar self-assigned this Feb 24, 2022

humphd (Contributor, Author) commented Feb 24, 2022

See #2801 (comment), which outlines some of what has to happen. NOTE: we don't need to do SSL or the like here.

In the case of Telescope, we need to:

Each of you can take some part of this and file new issues to get it landed. Let me know who is doing what, and what help you need.

Kevan-Y (Contributor) commented Feb 28, 2022

Spent a few days doing research and testing this.
I was able to enable it locally and protect some routes for demo purposes.
For example, to access Traefik we need to call localhost:8085, which is our oauth2_proxy; then, on successful login, it will redirect to Traefik.

(video: demo.mp4)

But I have some questions: do we use oauth2-proxy's endpoints for sign out? I have never used Portainer, so I'm not sure how that works. I looked at @humphd's discussion with the picture of some sort of UI, but I'm not sure where that is from.

One thing we need to set up is GitHub Authorizing OAuth Apps. One thing I read is that it doesn't support subdomains, so we might need 2 OAuth Apps, so we will have 2 secrets and client keys. (Reformulating below)
One thing we need to set up is GitHub Authorizing OAuth Apps. Also, I read that it doesn't support multiple domains, so we might need 2 OAuth Apps, so we will have 2 secrets and client keys.

humphd (Contributor, Author) commented Feb 28, 2022

@Kevan-Y fantastic!

Can you say more about your concerns with signout?

Portainer is like the Traefik dashboard you used: just a web app we want to restrict access to. If you can make this work with Traefik's dashboard, we can do it with anything.

"it doesn't support subdomain" can you say more? So we'd have to do it per sub-domain? That's not a huge problem.

Kevan-Y (Contributor) commented Feb 28, 2022

I have never used Portainer before, so I'm not sure if there is a sign-out button or if it's a login without sign-out.
If there is, I'm not sure how we could handle overriding that button. (Maybe in that case we shouldn't worry too much about it.)

Sorry, I think I wrongly described my thought in the previous message.
Let me reformulate here.
As I was reading the docs for GitHub Authorizing OAuth Apps, I found this.
(image)
In our case we have https://dev.portainer.telescope.cdot.systems and https://portainer.telescope.cdot.systems. We will need to create 2 OAuth apps, one per sub-domain, because a GitHub OAuth app can only have one exact URL per OAuth app.

Kevan-Y (Contributor) commented Mar 1, 2022

I think that once we do this, we can configure Portainer to use it too (this needs more research, see https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints):

(screenshot: Screen Shot 2022-02-23 at 5 23 15 PM)

I think if we put oauth2-proxy behind Portainer, we don't need to set up this configuration in Portainer.
I looked at Portainer's custom OAuth; we can set it up to log in with GitHub, but I think in the end we still have to manually add the users and set admin/non-admin for them.

A solution for this issue would be (will have a PR this week for Portainer):
Go to our oauth2-proxy -> login -> redirect to Portainer
Note:

  • Portainer won't expose any port; oauth2-proxy will handle that.
  • Need to disable auth in Portainer so we don't have to log in twice.
    (diagram: Blank diagram)

Later on, in a follow-up issue:
I did more in-depth research on supporting multiple upstreams; it seems that oauth2-proxy doesn't really have a way to do that itself.
We might later on use nginx to do some redirection, when we have dev.supabase.telescope.cdot.systems and dev.portainer.telescope.cdot.systems.
Instructions for nginx with subdomains and oauth2-proxy (nginx stuff is confusing 😅)
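The setup proposed in the opening post (oauth2-proxy with the GitHub provider, restricted to a GitHub org/team, wired into Traefik) together with the multiple-upstream / per-subdomain question in the comment above, worked out as one Docker Compose file. This is an added example, not Telescope's own configuration and not code from the oauth2-proxy or Traefik projects: the protected hostnames are the ones named in this thread, while the `auth.dev.telescope.cdot.systems` host, the org/team names, the image tags, the `whoami` stand-in for the Supabase console and the trusted CIDR are placeholders. It assumes TLS is terminated in front of Traefik (the thread says SSL is out of scope here) and that Traefik is told to trust that terminator's `X-Forwarded-*` headers.

```yaml
# docker-compose.yml  (added example; placeholder names are marked inline)
version: "3.8"

services:
  traefik:
    image: traefik:v2.6
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      # placeholder: the CIDR of whatever terminates TLS in front of Traefik,
      # so X-Forwarded-Proto=https reaches oauth2-proxy and is not overwritten
      - --entrypoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
    environment:
      OAUTH2_PROXY_PROVIDER: github
      # Gate on GitHub org/team membership (placeholder names).
      OAUTH2_PROXY_GITHUB_ORG: example-org
      OAUTH2_PROXY_GITHUB_TEAM: telescope-admins
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"                 # membership, not e-mail domain, is the check
      OAUTH2_PROXY_CLIENT_ID: ${GITHUB_CLIENT_ID}     # from the GitHub OAuth app
      OAUTH2_PROXY_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET}
      OAUTH2_PROXY_COOKIE_SECRET: ${COOKIE_SECRET}    # 32 random bytes, base64-encoded
      # One OAuth app with one exact callback URL (the GitHub limitation noted in
      # the thread). The session cookie is scoped to the parent domain, so one
      # sign-in covers every admin app under dev.telescope.cdot.systems.
      OAUTH2_PROXY_REDIRECT_URL: https://auth.dev.telescope.cdot.systems/oauth2/callback
      OAUTH2_PROXY_COOKIE_DOMAINS: .dev.telescope.cdot.systems
      OAUTH2_PROXY_WHITELIST_DOMAINS: .dev.telescope.cdot.systems   # allowed ?rd= targets
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
      OAUTH2_PROXY_REVERSE_PROXY: "true"              # trust X-Forwarded-* from Traefik
      OAUTH2_PROXY_UPSTREAMS: static://202            # forward-auth mode: 202 means "allowed"
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"       # go straight to GitHub, no interstitial
      OAUTH2_PROXY_SET_XAUTHREQUEST: "true"           # emit X-Auth-Request-User / -Email
    labels:
      - traefik.enable=true
      # /oauth2/* on any host (start, callback, sign_out) is served by oauth2-proxy
      # itself; priority makes it win over the Host() rules of the apps below.
      - traefik.http.routers.oauth2-proxy.rule=PathPrefix(`/oauth2/`)
      - traefik.http.routers.oauth2-proxy.priority=100
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
      # forwardAuth middleware: a 2xx from oauth2-proxy lets the request through,
      # anything else (the 302 to GitHub for an anonymous user) goes to the browser.
      - traefik.http.middlewares.github-auth.forwardauth.address=http://oauth2-proxy:4180/
      - traefik.http.middlewares.github-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.github-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email

  portainer:
    image: portainer/portainer-ce:2.11.1
    # no "ports:" entry: reachable only through Traefik, and only past github-auth
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.rule=Host(`dev.portainer.telescope.cdot.systems`)
      - traefik.http.routers.portainer.middlewares=github-auth
      - traefik.http.services.portainer.loadbalancer.server.port=9000

  # Second upstream behind the same middleware; whoami is a placeholder for the
  # Supabase console mentioned in the thread.
  supabase-studio:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.supabase.rule=Host(`dev.supabase.telescope.cdot.systems`)
      - traefik.http.routers.supabase.middlewares=github-auth
```

The `${...}` values come from a `.env` file next to the compose file; generate the cookie secret with something like `openssl rand -base64 32`. Because `OAUTH2_PROXY_REDIRECT_URL` is fixed to one host and the cookie domain is one parent domain, a second environment (production, `portainer.telescope.cdot.systems`) needs its own OAuth app, cookie domain and oauth2-proxy instance, which matches the two-apps observation earlier in the thread. Multiple upstreams are handled by Traefik's routers, not by oauth2-proxy: every app that should be admin-only just attaches the `github-auth` middleware. Sign-out for a proxied app is `https://<app host>/oauth2/sign_out`, which clears the session cookie; the org/team check needs the `read:org` scope, which oauth2-proxy's GitHub provider requests once an org or team is configured.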

humphd (Contributor, Author) commented Mar 1, 2022

There's no way to disable auth in Portainer, so I'd like to have the oauth method work if possible.

Kevan-Y (Contributor) commented Mar 2, 2022

We can set up GitHub OAuth with Portainer, but it doesn't provide a way to allow only certain teams/orgs.
If we enable Automatic user provisioning, anyone with a GitHub account and our Portainer URL can log in, but they will be set as a user, so they will see nothing.
(image)
In the admin part, the user will be displayed like this:
(image)
If we want to give them access to any admin part, we will have to manually set them to admin.

If we absolutely need to restrict to certain GitHub users, we can disable Automatic user provisioning and manually add a user.
We do not need to provide a password, but the username must match the username from GitHub.
e.g.
(image)

humphd (Contributor, Author) commented Mar 2, 2022

I think turning off automatic user provisioning, and having to create a user, whose name matches the GitHub username, isn't a terrible way to handle this. cc @cindyledev

Kevan-Y (Contributor) commented Mar 2, 2022

If we go this way, oauth2-proxy won't be used here but would be useful for cases like Supabase.
I noticed I don't have permission to create an OAuth app in this organization.
We need to create an OAuth app to enable GitHub OAuth in Portainer.

humphd (Contributor, Author) commented Mar 2, 2022

If we go this way oauth2-proxy will be used here but would be useful for cases like supabase.

Do you mean "won't be used here"?

Kevan-Y (Contributor) commented Mar 2, 2022

If we go this way oauth2-proxy will be used here but would be useful for cases like supabase.

Do you mean "won't be used here"?

Yes, sorry, typo.

humphd (Contributor, Author) commented Mar 2, 2022

What's the process to create a GitHub app?

Kevan-Y (Contributor) commented Mar 2, 2022

See https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app
Name and description are up to you.
Our Homepage URL and Authorization callback URL would be https://dev.portainer.telescope.cdot.systems/

Let's try on staging first before creating one for https://portainer.telescope.cdot.systems/

I will need the client ID + secret.

humphd (Contributor, Author) commented Mar 2, 2022

What is the callback URL for this?

(screenshot: Screen Shot 2022-03-02 at 10 38 58 AM)

Kevan-Y (Contributor) commented Mar 2, 2022

The Authorization callback URL is https://dev.portainer.telescope.cdot.systems/

humphd (Contributor, Author) commented Mar 2, 2022

(screenshot: Screen Shot 2022-03-02 at 11 23 45 AM)

Staging and Production are both using GitHub OAuth now! Thank you @Kevan-Y. If you need an account created, @cindyledev can hook you up.

Kevan-Y (Contributor) commented Mar 2, 2022

Conclusion

Portainer custom OAuth with GitHub is set up in Staging and Production.
How it works: only the default admin can log in through Internal authentication. All other users will need to log in through GitHub.
To give access to a GitHub user, you will need to add a new user whose username matches their GitHub username. Once that is created, the user can log in with their GitHub account.
