helpers

aws_alb_oauth_proxy.helpers._aws_region()

Attempts to query the AWS region where this instance is running.

Returns None if endpoint is not available, which means we’re probably not running on AWS.

Related Amazon docs

Return type: Optional[str]
aws_alb_oauth_proxy.helpers._instance_document()

This is a wrapper around aiohttp.request to make it usable in a synchronous way.

As only one request is done per proxy, there normally is no need to use a session. There is however a bug (#3628) in aiohttp that leaks the session when an exception is raised. The manual session handling for only one request is a workaround while waiting for PR #3640 to be merged.

Return type: Optional[str]
Returns: The region name as a string
aws_alb_oauth_proxy.helpers.clean_response_headers(request)

Removes HTTP headers from an upstream response and adds the auth header if present.

Parameters: request (Request) – A web.Request containing the request whose headers are to be cleaned.
Return type: CIMultiDictProxy
Returns: A CIMultiDictProxy containing the clean headers.

server

class aws_alb_oauth_proxy.server.Proxy(upstream, aws_region, header_name='X-WEBAUTH-USER', header_property='email', ignore_auth=False)

Bases: object

This is basically a reverse proxy that translates some headers. We don’t care about cookies or sessions.

This takes the OIDC data from the load balancer, validates it, and adds new headers as expected by Grafana. Some form of key caching may be useful and will be implemented later.

_add_auth_info(request)

Adds the authentication information, if any, to the request.

Catches exceptions from decoding the payload and converts them to HTTP exceptions to be propagated. If authentication is disabled via _ignore_auth, it does nothing.

Headers are kept in a CIMultiDictProxy so case of the header is not important.
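The header step that _add_auth_info is documented to perform, written here as an added example rather than the project's own code. It works on plain (name, value) pairs instead of aiohttp's CIMultiDictProxy so it runs stand-alone; the defaults mirror the documented Proxy signature (header_name='X-WEBAUTH-USER', header_property='email', ignore_auth=False). The assumption it encodes is that the upstream (Grafana's auth proxy) trusts whatever arrives in header_name, so a client-supplied copy must be dropped before the proxy asserts the verified one; simply adding to a multidict would leave two values in place. The list of ALB OIDC header names to strip is also an assumption of this example.

```python
from typing import Iterable, List, Mapping, Optional, Tuple

Headers = List[Tuple[str, str]]

# Assumption of this example: the load balancer's OIDC headers are of no use to the
# upstream once the proxy has validated them, so they are dropped along with any
# client-supplied copy of the auth header.
ALB_OIDC_HEADERS = ("x-amzn-oidc-data", "x-amzn-oidc-identity", "x-amzn-oidc-accesstoken")


def build_upstream_headers(
    incoming: Iterable[Tuple[str, str]],
    payload: Optional[Mapping[str, str]],
    header_name: str = "X-WEBAUTH-USER",
    header_property: str = "email",
    ignore_auth: bool = False,
) -> Headers:
    """Copy request headers for the upstream, dropping every client-supplied copy of
    header_name (case-insensitive, as in a CIMultiDict) and setting it exactly once
    from the already-verified token payload."""
    blocked = {header_name.lower(), *ALB_OIDC_HEADERS}
    cleaned = [(name, value) for name, value in incoming if name.lower() not in blocked]
    if ignore_auth:
        # Auth disabled: forward nothing identity-related, but still never let the
        # client assert an identity through the proxy.
        return cleaned
    if payload is None or header_property not in payload:
        raise PermissionError("no verified identity to forward")
    value = payload[header_property]
    if "\r" in value or "\n" in value:
        # A verified payload is still data; keep it from splitting the header block.
        raise ValueError("header value must not contain CR/LF")
    cleaned.append((header_name, value))
    return cleaned


def demo() -> Headers:
    """Constructed request: a client trying to smuggle its own identity header."""
    incoming = [
        ("Host", "grafana.internal"),
        ("x-webauth-user", "admin"),              # spoof attempt, must not survive
        ("X-Amzn-Oidc-Data", "eyJ...constructed"),  # consumed by the proxy, not forwarded
        ("Accept", "text/html"),
    ]
    verified_payload = {"email": "alice@example.com", "sub": "constructed-sub"}
    return build_upstream_headers(incoming, verified_payload)


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```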

_decode_payload(oidc_data)

Returns the payload of the OIDC data sent by the ALB

Relevant AWS Documentation

Parameters: oidc_data (str) – OIDC data from the ALB
Return type: Mapping[str, str]
Returns: payload
Raises: jwt.exceptions.ExpiredSignatureError: If the token is no longer valid
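The validation that _decode_payload is documented to do, as an added example that is not the project's code. An ALB signs x-amzn-oidc-data as an ES256 JWT and names the signing key in the JWT header's kid, which selects a key at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>; here that fetch is replaced by an in-memory key table (public_key_for_kid) so the example runs offline, and the ALB itself is stood in for by a locally generated P-256 key. The key-id pattern, the constructed key ids and claim values are assumptions of this example. It requires PyJWT and cryptography, and exercises the reject paths a practitioner wants covered: expired token, unknown kid, wrong key, and a token with no exp at all.

```python
import re
import time
from typing import Callable, Dict, Mapping

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

# ALB tokens are ES256-signed; pinning the algorithm list prevents 'alg' confusion.
ALB_ALGORITHMS = ["ES256"]
# Assumption: key ids are UUID-like. Refuse anything else before it could be used to
# build the public-key URL, so a token can never steer that request elsewhere.
KID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


def strip_padding(token: str) -> str:
    """ALB-issued segments can carry base64 '=' padding that some JWT libraries
    reject; base64url decoders re-add padding, so stripping it loses nothing."""
    return ".".join(seg.rstrip("=") for seg in token.split("."))


def decode_alb_token(oidc_data: str, public_key_for_kid: Callable[[str], str]) -> Mapping[str, str]:
    """Return the verified payload or raise jwt.InvalidTokenError.
    public_key_for_kid stands in for fetching the regional ALB public key by kid."""
    token = strip_padding(oidc_data)
    header = jwt.get_unverified_header(token)  # untrusted: only used to pick the key
    kid = header.get("kid", "")
    if not isinstance(kid, str) or not KID_RE.match(kid):
        raise jwt.InvalidTokenError("missing or malformed kid")
    try:
        public_key = public_key_for_kid(kid)
    except KeyError:
        raise jwt.InvalidTokenError("unknown kid") from None
    # PyJWT checks exp only when the claim exists; require it so a token without
    # exp is not accepted forever.
    payload = jwt.decode(token, public_key, algorithms=ALB_ALGORITHMS)
    if "exp" not in payload:
        raise jwt.InvalidTokenError("token has no exp claim")
    return payload


# ---- constructed stand-ins for the ALB signer (fixtures, not production code) ----

def make_signing_key():
    """Return (private_pem, public_pem) for a fresh P-256 key, as the ALB would hold."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    ).decode()
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode()
    return private_pem, public_pem


def issue_alb_style_token(private_pem: str, kid: str, claims: Dict[str, object]) -> str:
    """Mimic an x-amzn-oidc-data value: ES256 JWT carrying the key id in its header."""
    token = jwt.encode(claims, private_pem, algorithm="ES256", headers={"kid": kid})
    return token.decode() if isinstance(token, bytes) else token  # PyJWT 1.x returns bytes


def demo() -> Dict[str, bool]:
    """Run the accept path and the reject paths; each flag is True when behaviour is right."""
    priv, pub = make_signing_key()
    _, other_pub = make_signing_key()
    kid = "constructed-kid-0001"
    keys = {kid: pub}
    now = int(time.time())
    good = issue_alb_style_token(priv, kid, {"email": "alice@example.com", "exp": now + 300})
    expired = issue_alb_style_token(priv, kid, {"email": "alice@example.com", "exp": now - 60})
    foreign = issue_alb_style_token(priv, "constructed-kid-9999", {"email": "x@example.com", "exp": now + 300})
    no_exp = issue_alb_style_token(priv, kid, {"email": "alice@example.com"})

    def rejected(token: str, table: Dict[str, str]) -> bool:
        try:
            decode_alb_token(token, table.__getitem__)
        except jwt.InvalidTokenError:
            return True
        return False

    return {
        "valid_accepted": decode_alb_token(good, keys.__getitem__)["email"] == "alice@example.com",
        "expired_rejected": rejected(expired, keys),
        "unknown_kid_rejected": rejected(foreign, keys),
        "wrong_key_rejected": rejected(good, {kid: other_pub}),
        "missing_exp_rejected": rejected(no_exp, keys),
    }


if __name__ == "__main__":
    print(demo())
```

In production public_key_for_kid would perform the HTTPS fetch against the regional endpoint for the region that _aws_region() returns and cache the PEM per kid, which is the key caching the class docstring above says may be added later.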
_setup_session(app)

Handle context sessions nicely.

See docs

auth_middleware(request, handler)
handle_request(request)
Return type: StreamResponse
runner()