
Deploy Oauth2 Proxy to App Service container


Create App Service container

  • Create Azure App Service with a container.

  • Use DockerHub registry and enter as image.

  • Wait until the app has been created

  • Open a browser and navigate to https://{your-app-service-name}

  • You need to wait for a while until the website is ready. Then you will find an example ASP.NET Core MVC app.

  • In App Service panel, you can go to Deployment Center and click Logs to check all logs while launching a container.

Set some App Service configurations

  • Set these configurations to your app service:
      • true
      • 8000
      • Your Google Oauth2 client ID
      • Your Google Oauth2 client ID
      • Your public website redirect URL
      • It is usually in this pattern: https://{your-app-service-name}

Create Azure Container Registry (ACR) and get a username and password

  • Create a new Azure Container Registry with basic type.
  • Wait until your container registry has been created.
  • In container registry panel, go to Access keys and enable admin user.
  • You will find the username and password that we will use for the GitHub secret values.

Create GitHub secret

  • Download a publish profile from the Overview page of your App Service and use it as the value of the AZURE_WEBAPP_CONTAINER_PUBLISH_PROFILE secret.
  • Create these GitHub secrets with their values:
      • It is your app service name only without https:// and
      • Full name of your Azure Container Registry without the scheme, e.g. {your-acr}
      • Your Azure Container Registry username
      • Your Azure Container Registry password

Create Google credential

Example of Dockerfile

FROM node:12-alpine
RUN npm install -g serve
# Oauth2 Proxy executable binary file
COPY oauth2-proxy ./
RUN chmod +x oauth2-proxy
COPY ./ ./
RUN chmod +x
COPY ./oauth_config.cfg ./
COPY ./index.html ./
COPY ./authenticated-emails-list.txt ./
  • index.html can be other HTML source files for a website that you want to protect by Google authentication

Example of Oauth2 Proxy configuration

http_address = ""
upstreams = [
cookie_name = "_oauth2_proxy"
# Generate with Python command
# python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(16)).decode())'
cookie_secret = "OkbN-4LP4kf8kQoupLmkHA=="
authenticated_emails_file = "./authenticated-emails-list.txt"
cookie_secure = false
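
A check for the settings above, as an added example that is not code from the original post or from the oauth2-proxy project: it flags a reused copy of the sample cookie_secret printed here, a secret that is not 16, 24 or 32 bytes (the AES key sizes oauth2-proxy accepts), and cookie_secure = false, which leaves the session cookie without the Secure flag even though the App Service URL is HTTPS. The function names and the embedded sample text are assumptions made for the illustration.

```python
import base64
import re
import secrets

# Sample secret printed in the tutorial; every reader can see it.
PUBLISHED_SAMPLE_SECRET = "OkbN-4LP4kf8kQoupLmkHA=="

# The complete settings from the tutorial's config, embedded as sample input.
TUTORIAL_CFG = '''
cookie_name = "_oauth2_proxy"
cookie_secret = "OkbN-4LP4kf8kQoupLmkHA=="
authenticated_emails_file = "./authenticated-emails-list.txt"
cookie_secure = false
'''

def new_cookie_secret():
    """Same recipe as the tutorial's one-liner, using the secrets module."""
    return base64.urlsafe_b64encode(secrets.token_bytes(16)).decode()

def parse_cfg(text):
    """Read flat `key = "string"` and `key = true|false` lines; skip the rest."""
    out = {}
    pattern = r'^[ \t]*([a-z_]+)[ \t]*=[ \t]*(.+?)[ \t]*$'
    for key, raw in re.findall(pattern, text, re.M):
        if raw in ("true", "false"):
            out[key] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            out[key] = raw[1:-1]
    return out

def secret_len(secret):
    """Byte length as an AES key: base64url-decoded if that fits, else raw."""
    try:
        n = len(base64.urlsafe_b64decode(secret + "=" * (-len(secret) % 4)))
    except ValueError:
        n = 0
    return n if n in (16, 24, 32) else len(secret.encode())

def lint(text):
    """Return a list of findings for one oauth2-proxy config text."""
    cfg, findings = parse_cfg(text), []
    secret = cfg.get("cookie_secret", "")
    if secret == PUBLISHED_SAMPLE_SECRET:
        findings.append("cookie_secret is the published sample; generate your own")
    if secret_len(secret) not in (16, 24, 32):
        findings.append("cookie_secret must be 16, 24 or 32 bytes")
    if cfg.get("cookie_secure") is False:
        findings.append("cookie_secure = false: cookie is sent without Secure flag")
    return findings
```

Running lint() on the contents of oauth_config.cfg before the image is built catches these settings before they reach the registry.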

Example of

# Run two services
./oauth2-proxy --client-id "$OAUTH2_CLIENT_ID" --client-secret "$OAUTH2_CLIENT_SECRET" --redirect-url "$OAUTH2_REDIRECT_URL" --config "./oauth_config.cfg" &
serve --listen 3000 --no-clipboard .

Example of authenticated-emails-list.txt

  • authenticated-emails-list.txt

Example of GitHubActions

name: Deploy protected content with Oauth2 Proxy
on:
  push:
    branches:
      - main
env:
  NODE_VERSION: 12.x # Set the Node.js version to use.
  DOCKER_IMAGE: ${{ secrets.LOGIN_SERVER }}/oauth2-proxy:${{ github.sha }}
jobs:
  deploy: # job id is a placeholder; the original id is not shown on this page
    name: Deploy protected content
    # Find more virtual environment.
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout the latest source code from the current branch
        uses: actions/checkout@v2
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ secrets.LOGIN_SERVER }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Push a new image to container registry
        run: |
          docker build . --tag ${{ env.DOCKER_IMAGE }}
          docker push ${{ env.DOCKER_IMAGE }}
      # Before downloading a publish profile, make sure that you have set WEBSITE_WEBDEPLOY_USE_SCM
      # in App Service Configuration to true
      # configure port number
      - uses: azure/webapps-deploy@v2
        with:
          app-name: ${{ secrets.AZURE_WEBAPP_NAME }}
          publish-profile: ${{ secrets.AZURE_WEBAPP_CONTAINER_PUBLISH_PROFILE }}
          images: ${{ env.DOCKER_IMAGE }}

Trigger GitHub Actions

  • Go to the GitHub Actions tab and enable it.
  • Create a new commit and push the project to the main branch.
  • Go to GitHub, check the Actions tab, and wait until all workflow jobs/steps are successful.

Update App Service to use an image from Azure Container Registry

  • Go to App Service panel in Azure portal.
  • Click Deployment Center and click Settings tab.
  • Change Registry source to Azure Container Registry.
  • Select your image and the tag that were built by GitHub Actions.
  • Open a browser and navigate to your website https://{your-website-name}
  • You should find Oauth2 Proxy protection on your home page.
  • Log in with an email that is allowed in authenticated-emails-list.txt.
  • After you have logged in with Google, you will be redirected to the home page and see the protected content.


  • Sirinat Oam Paphatsirinatthi - KubeOps Skills