[Google Oauth2 Sign-In] User impersonation alternative using OAuth2 Proxy


I wanted to share to the community a different approach to this great guide https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana.

After playing a little bit with Nginx and OAuth2 Proxy I have managed to avoid the user impersonation and give the admin the chance to create accounts for each user in the organization with their associated roles.


  • Parts of this guide are taken from the user impersonation guide (see link above)
  • This guide requires you to manually create the accounts in advance with the same predefined password (work in progress for an automatic creation solution).
  • The following guide is based on a installation of Elasticsearch + Kibana 5.4 (SSL configuration enabled on port 8443) + X-Pack plugin from DEB files on a Debian 8.x machine.
  • This guide does not cover the security aspects. These should be taken care by you, using your own solutions to properly secure Elasticsearch, Kibana, Oauth2_proxy and Nginx

  1. After X-Pack plugin installation, uncomment and modify or add the following lines in /etc/kibana/kibana.yml and restart the Kibana service:

         elasticsearch.requestHeadersWhitelist: [ authorization ]
         xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ authorization ]
  2. Install and configure OAuth2 Proxy

  • Download prebuilt binary for OAuth2 Proxy: https://github.com/bitly/oauth2_proxy/releases

  • Put the binary from the archive in the /usr/local/bin folder

  • Create configuration folders:

            # mkdir /etc/oauth2_proxy
            # mkdir /etc/oauth2_proxy/templates    (optional)
  • Create the configuration file for the oauth2_proxy service (/etc/oauth2_proxy/oauth2_proxy.cfg):

         https_address = "kibana.example.com:443"
         ## TLS Settings
         tls_cert_file = "/etc/kibana/certs/example.com.crt"
         tls_key_file = "/etc/kibana/certs/example.com.key"
         # the OAuth Redirect URL.
         redirect_url = "https://kibana.example.com/oauth2/callback"
         # the http url of the upstream endpoint (nginx in our case)
         upstreams = [
         email_domains = [
         ## The OAuth Client ID, Secret
         client_id = "<google oauth2 client ID>"
         client_secret = "<google oauth2 client secret>"
         cookie_name = "_oauth2_proxy"
         cookie_secret = "secretsecret"
         cookie_secure = true
  • Check the tutorial at https://github.com/bitly/oauth2_proxy#google-auth-provider in order to create the Google project for authentication in order to obtain the google client_id and client_secret

  • Create the systemd script in order to start the OAuth2_Proxy service (/usr/lib/systemd/system/oauth2_proxy.service):

         Description=oauth2_proxy daemon service
         After=syslog.target network.target
         ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg
         #If you want to use custom templates
         #ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg --custom-templates-dir=/etc/oauth2_proxy/templates
         ExecReload=/bin/kill -HUP $MAINPID
  • Optional: create the template files sign_in.html and error.html in the etc/oauth2_proxy/templates folder based on the ones defined here https://github.com/bitly/oauth2_proxy/blob/master/templates.go

  • Enable the Oauth2 Proxy service:

         # systemctl enable oauth2_proxy
  • Start the service:

         # systemctl start oauth2_proxy
  1. Build, install, configure and start NGINX
  • Install packages required to make builds from source:

            # apt-get install build-essential libc6 libpcre3 libpcre3-dev libpcrecpp0 libssl1.0.0 libssl-dev zlib1g zlib1g-dev lsb-base
  • Create the folder where the nginx will be built:

            # mkdir /usr/src/nginx
            # cd /usr/src/nginx
  • Download the source packages:

            # wget http://nginx.org/download/nginx-1.13.0.tar.gz
            # wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz 
            # wget https://github.com/openresty/set-misc-nginx-module/archive/v0.31.tar.gz 
  • Extract the packages:

             # tar -xzf nginx-1.13.0.tar.gz
             # tar -xzf v0.3.0.tar.gz
             # tar -xzf v0.31.tar.gz
  • Build and install nginx:

            # cd /usr/src/nginx/nginx-1.13.0
             # ./configure --prefix=/opt/nginx \
     			 --with-http_ssl_module \
     			 --add-module=/usr/src/nginx/ngx_devel_kit-0.3.0 \
             # make -j2
             # make install
  • Create the systemd service script (/lib/systemd/system/nginx.service):

         Description=The NGINX HTTP and reverse proxy server
         After=syslog.target network.target remote-fs.target nss-lookup.target
         ExecStartPre=/opt/nginx/sbin/nginx -t
         ExecReload=/bin/kill -s HUP $MAINPID
         ExecStop=/bin/kill -s QUIT $MAINPID


  • Create NGINX configuration folders:

          # mkdir /opt/nginx/conf/conf.d
          # mkdir /opt/nginx/conf/sites-available/
          # mkdir /opt/nginx/conf/sites-enabled/
  • Update the NGINX configuration file (/opt/nginx/conf/nginx.conf)

          user  nobody;
          worker_processes  1;
          error_log  logs/error.log;
          error_log  logs/error.log  notice;
          error_log  logs/error.log  info;
          pid        logs/nginx.pid;
          events {
             worker_connections  1024;
             http {
                  include       mime.types;
                  default_type  application/octet-stream;
                  access_log  logs/access.log  main;
                  sendfile        on;
                  #tcp_nopush     on;
                  #keepalive_timeout  0;
                  keepalive_timeout  65;
                  gzip  on;
                  include /opt/nginx/conf/conf.d/*.conf;
                  include /opt/nginx/conf/sites-enabled/*;
  • Create the NGINX proxy configuration file (/opt/nginx/conf/sites-available/oauth2_proxy):

          server {
                  listen 80;
                  server_name kibana.example.com;
                  # redirect http->https while we're at it
                  rewrite ^ https://$server_name$request_uri? permanent;
              server {
                  server_name localhost;
                  location / {
                      # The location of the Kibana server
                      proxy_pass https://kibana.example.com:8443/;
                      # Create the base64 encoded authentication string
                      set $auth_string  "${remote_user}:<SuperSecuredSecretPassword>";
                      set_encode_base64 $encoded_string $auth_string;
                      proxy_set_header Authorization "Basic $encoded_string";
                      # Simple rewrite to get us back to oauth2_proxy 's login page if someone uses Kibana's Logout             button.
                      rewrite /login https://kibana.example.com/oauth2/sign_in redirect;
  • Create a symlink of the file /opt/nginx/conf/sites-available/oauth2_proxy in the folder /opt/nginx/conf/sites-enabled

  • Enable the NGINX service

         # systemctl enable nginx
  • Start the NGINX service

          # systemctl start nginx
  1. Create the Kibana usernames identicals to the ones from the email addresses:
  • Connect to Kibana server using the address https://kibana.example.com:8443 with a superuser account and create the users as in the following example:

      # for the email address (hosted on Google) user.name@example.com, create the kibana user user.name with the password <SuperSecuredSecretPassword> (the same as in the nginx configuration file)
      # use the same password for all the other users you will create

Thanks for sharing!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.