oauth2-proxy

Reverse Proxies & Load Balancers

A flexible, open‑source reverse proxy that adds OAuth2 / OIDC authentication to web applications

Track releases GitHub Website

Go Latest v7.15.2 · 1mo ago Security brief →

Features

Acts as a standalone reverse proxy or middleware component
Supports generic OAuth2 and OIDC providers plus specialized implementations (Google, GitHub, etc.)
Extracts user details (username, groups) and forwards them as HTTP headers

Recent releases

View all 7 releases →

v7.15.2 Security relevant patches GHSA-5hvv-m4w4-gf6v 1mo

Security fixes

CVE-2026-34986, CVE-2026-32281, CVE-2026-32289, CVE-2026-32288, CVE-2026-32280, CVE-2026-32282, CVE-2026-32283
GHSA-5hvv-m4w4-gf6v: Health check user-agent authentication bypass (Critical)
GHSA-7x63-xv5r-3p2x: X-Forwarded-Uri header spoofing authentication bypass (Critical)

Notable features

New --trusted-proxy-ip flag for explicit trusted reverse proxy IP configuration

View release on GitHub

v7.15.1 Bug fix 2mo

Fixed bugs in Unix socket handling for IP resolution, improved session refresh token logging, and corrected backend logout response handling.

View release on GitHub

v7.15.0 Breaking risk 2mo

Breaking changes

CSRF cookie validation now uses CSRFExpire instead of Expire

Notable features

OIDC JWT signing algorithm configuration
CSRF cookie SameSite option
Config validation flag

View release on GitHub

v7.14.3 Security relevant 3mo

Security fixes

CVE-2025-68121

Notable features

Redis URL parameter configuration

View release on GitHub

v7.14.2 Bug fix 4mo

Reverted AuthOnly endpoint change that incorrectly returned 302 redirects, restoring 401 status when no session exists. Documentation improved for nginx auth_request configuration.

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.