oauth2-nginx-auth-backend 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 34843ad4d62cf09d89d2263cd138ea003034dfed
+  data.tar.gz: b83686fa6849f02934e0f4bb5085f2d8cab4b777
+SHA512:
+  metadata.gz: 9dbcfdc27299569cb7d7e498eee4c5be57c7e7157e49e49d2a9cbe578265738541bfc8503c1647845a709116363dc75200b0297e8a9a66ca5b71b944164a9596
+  data.tar.gz: e749170db36dbd8e26e5b8fa0456a97daa954c4e4ae0ef01d319577264f7408e5f917c23ca6332e5141b05b2408eb02bee1fbbb7778eca876873bd25c32ee725

data/.drone.yml

@@ -0,0 +1,15 @@
+---
+pipeline:
+
+  resolve:
+    image: alpine
+    commands:
+      - cat /etc/resolv.conf
+    when:
+      status: [ success, failure ]
+
+  docker:
+    image: plugins/docker
+    repo: docker-registry.devops.dance/${DRONE_REPO_NAME}
+    tags:
+      - ${DRONE_COMMIT:0:7}

data/.gitignore

@@ -0,0 +1,50 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.rubocop.yml

@@ -0,0 +1,2 @@
+Metrics/LineLength:
+  Max: 120

data/.ruby-version

@@ -0,0 +1 @@
+2.4.1

data/Dockerfile

@@ -0,0 +1,12 @@
+FROM ruby:2.4
+
+ENV HOME /opt/app
+ENV RUBYLIB=$HOME/lib
+WORKDIR $HOME
+
+ADD . $HOME
+
+RUN \
+  bundler
+
+CMD ruby bin/ops_oauth2_server.rb

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ops-oauth2.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,59 @@
+PATH
+  remote: .
+  specs:
+    oauth2-nginx-auth-backend (0.2.0)
+      httparty (~> 0.15)
+      sinatra (~> 2.0)
+      sinatra-contrib (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    backports (3.11.1)
+    httparty (0.16.1)
+      multi_xml (>= 0.5.2)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    mustermann (1.0.2)
+    parallel (1.12.1)
+    parser (2.5.0.5)
+      ast (~> 2.4.0)
+    powerpack (0.1.1)
+    rack (2.0.4)
+    rack-protection (2.0.1)
+      rack
+    rainbow (3.0.0)
+    rubocop (0.54.0)
+      parallel (~> 1.10)
+      parser (>= 2.5)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.9.0)
+    sinatra (2.0.1)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.1)
+      tilt (~> 2.0)
+    sinatra-contrib (2.0.1)
+      backports (>= 2.0)
+      multi_json
+      mustermann (~> 1.0)
+      rack-protection (= 2.0.1)
+      sinatra (= 2.0.1)
+      tilt (>= 1.3, < 3)
+    tilt (2.0.8)
+    unicode-display_width (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.14)
+  oauth2-nginx-auth-backend!
+  rubocop (~> 0.49)
+
+BUNDLED WITH
+   1.16.1

data/README.md

@@ -0,0 +1,57 @@
+# Nginx Configuration
+
+### /etc/nginx/oauth2-auth.conf
+```
+auth_request /oauth2/verify;
+error_page 401 = https://auth.example.com/oauth2/sign_in;
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+
+```
+
+### /etc/nginx/oauth2-location.conf
+```
+location /oauth2/ {
+  proxy_method     GET;
+  proxy_pass       http://127.0.0.1:3000;
+  proxy_set_header Content-Length "";
+  proxy_set_header Host                    $host;
+  proxy_set_header X-Real-IP               $remote_addr;
+  proxy_set_header X-Scheme                $scheme;
+  proxy_set_header X-Auth-Request-Redirect $scheme://$server_name$request_uri;
+}
+
+```
+
+### /etc/oauth2/oauth2.conf example
+```
+{
+  "auth": {
+    "cookie_domain": ".devops.dance",
+    "cookie_name_permissions": "DDIntranetPermissions",
+    "cookie_name_redirect": "DDIntranetRedirect",
+    "cookie_name_signature": "DDIntranetSignature",
+    "cookie_ttl": 86400,
+    "default_redirect_page": "https://oauth.devops.dance/",
+    "oauth_shared_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+  },
+  "google": {
+    "oauth_client_id": "XXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com",
+    "oauth_client_secret": "XXXXXXXXXXXXXXXXXXXXXXXX",
+    "oauth_redirect_url": "https://oauth.devops.dance/oauth2/google/authorize",
+    "oauth_server_url": "https://oauth.devops.dance/",
+    "whitelisted_domains": [
+      "smatly.com"
+    ],
+    "whitelisted_emails": []
+  },
+  "slack": {
+    "oauth_client_id": "XXXXXXXXXXXXXXXXXXXXXXXXX",
+    "oauth_client_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+    "oauth_redirect_url": "https://oauth.devops.dance/oauth2/slack/authorize",
+    "whitelisted_domains": [
+      "devops-dance"
+    ]
+  }
+}
+```

data/bin/ops_oauth2_server.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'sinatra'
+require 'sinatra/cookies'
+require 'ops/oauth2/google'
+require 'ops/oauth2/slack'
+require 'ops/oauth2/auth'
+
+# Main HTTPServer class handling requests
+class HTTPServer < Sinatra::Base
+  helpers Sinatra::Cookies
+
+  slack = Slack.new
+  google = Google.new
+
+  set :port, 3000
+  set :bind, '0.0.0.0'
+  set :cookie_options, domain: Auth.cookie_domain, secure: true, httponly: true
+  set :public_folder, 'static'
+  set :views, Proc.new { File.join(root, "..", "views") }
+  set :environment, :production
+
+  get '/oauth2/google/sign_in' do
+    redirect google.oauth_auth_redirect
+  end
+
+  get '/oauth2/google/authorize' do
+    return google.authorize(self)
+  end
+
+  get '/oauth2/slack/sign_in' do
+    redirect slack.oauth_auth_redirect
+  end
+
+  get '/oauth2/slack/authorize' do
+    return slack.authorize(self)
+  end
+
+  get '/oauth2/verify' do
+    Auth.authorized?(cookies, request)
+  end
+
+  get '/oauth2/sign_in' do
+    erb :index
+  end
+end
+
+HTTPServer.run!

data/lib/ops/oauth2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'ops/oauth2/version'

data/lib/ops/oauth2/auth.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+require 'openssl'
+
+# Authorization
+class Auth
+  def self.cookie_name_permissions
+    ENV['OAUTH_COOKIE_NAME_PERMISSIONS'] || configuration.dig('auth', 'cookie_name_permissions') || abort('Missing OAUTH_COOKIE_NAME_PERMISSIONS')
+  end
+
+  def self.cookie_name_signature
+    'OKIntranetSignature'
+    ENV['OAUTH_COOKIE_NAME_SIGNATURE'] || configuration.dig('auth', 'cookie_name_signature') || abort('Missing OAUTH_COOKIE_NAME_SIGNATURE')
+  end
+
+  def self.cookie_name_redirect
+    ENV['OAUTH_COOKIE_NAME_REDIRECT'] || configuration.dig('auth', 'cookie_name_redirect') || abort('Missing OAUTH_COOKIE_NAME_REDIRECT')
+  end
+
+  def self.header_request_redirect_url
+    'HTTP_X_AUTH_REQUEST_REDIRECT'
+  end
+
+  def self.environment
+    ENV['OAUTH_ENVIRONMENT'] || configuration.dig('auth', 'running_environment') || abort('Missing OAUTH_ENVIRONMENT')
+  end
+
+  def self.secret
+    ENV['OAUTH_SHARED_SECRET'] || configuration.dig('auth', 'oauth_shared_secret') || abort('Missing OAUTH_SHARED_SECRET')
+  end
+
+  def self.default_redirect_page
+    ENV['DEFAULT_REDIRECT_PAGE'] || configuration.dig('auth', 'default_redirect_page') || abort('Missing DEFAULT_REDIRECT_PAGE')
+  end
+
+  def self.cookie_domain
+    ENV['OAUTH_COOKIE_DOMAIN'] || self.configuration.dig('auth', 'cookie_domain') || abort('Missing OAUTH_COOKIE_DOMAIN')
+  end
+
+  def self.cookie_ttl
+    return ENV['OAUTH_COOKIE_TTL'].to_i if ENV['OAUTH_COOKIE_TTL']
+    configuration.dig('auth', 'cookie_ttl').to_i || abort('Missing OAUTH_COOKIE_TTL')
+  end
+
+  def self.sign(data)
+    digest = OpenSSL::Digest.new('sha256')
+    Base64.encode64(OpenSSL::HMAC.digest(digest, secret, data))
+  end
+
+  def self.trusted?(cookies, request)
+    cookies[cookie_name_signature] == sign([cookies[cookie_name_permissions], request.user_agent].join)
+  end
+
+  def self.configuration_file
+    '/etc/oauth2/oauth2.conf'
+  end
+
+  def self.configuration
+    @configuration ||= JSON.parse(File.read(configuration_file))
+  rescue
+    abort("Missing or invalid #{self.configuration_file}")
+  end
+
+  def self.authorize(info, request)
+    cookies = {}
+    cookies[cookie_name_permissions] = Base64.encode64(info.to_json)
+    cookies[cookie_name_signature] = sign([Base64.encode64(info.to_json), request.user_agent].join)
+    cookies
+  end
+
+  def self.go_to_auth(cookies, request)
+    cookies[cookie_name_redirect] = request.env[header_request_redirect_url]
+    401
+  end
+
+  def self.untrusted(cookies, request)
+    cookies.delete(cookie_name_signature)
+    cookies.delete(cookie_name_permissions)
+    go_to_auth(cookies, request)
+  end
+
+  def self.authorized?(cookies, request)
+    return go_to_auth(cookies, request) unless cookies.key?(cookie_name_permissions)
+    return go_to_auth(cookies, request) unless cookies.key?(cookie_name_signature)
+    return untrusted(cookies, request) unless trusted?(cookies, request)
+    200
+  end
+end

data/lib/ops/oauth2/google.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require 'cgi'
+require 'httparty'
+require 'json'
+require 'ops/oauth2/auth'
+
+# Basic support of google oauth2
+class Google
+  def oauth_client_secret
+    ENV['GOOGLE_OAUTH_CLIENT_SECRET'] || configuration.dig('google', 'oauth_client_secret') || abort('Missing GOOGLE_OAUTH_CLIENT_SECRET')
+  end
+
+  def oauth_client_id
+    ENV['GOOGLE_OAUTH_CLIENT_ID'] || configuration.dig('google', 'oauth_client_id') || abort('Missing GOOGLE_OAUTH_CLIENT_ID')
+  end
+
+  def redirect_url
+    ENV['GOOGLE_OAUTH_REDIRECT_URL'] || configuration.dig('google', 'oauth_redirect_url') || abort('Missing GOOGLE_OAUTH_REDIRECT_URL')
+  end
+
+  def state_url
+    ENV['OAUTH_SERVER_URL'] || configuration.dig('google', 'oauth_server_url') || abort('Missing OAUTH_SERVER_URL')
+  end
+
+  def google_whitelisted_domains
+    ENV['GOOGLE_WHITELISTED_DOMAINS'] || configuration.dig('google', 'whitelisted_domains') || abort('Missing GOOGLE_WHITELISTED_DOMAINS')
+  end
+
+  def google_whitelisted_emails
+    ENV['GOOGLE_WHITELISTED_EMAILS'] || configuration.dig('google', 'whitelisted_emails') || abort('Missing GOOGLE_WHITELISTED_EMAILS')
+  end
+
+  def oauth_auth_url
+    'https://accounts.google.com/o/oauth2/auth'
+  end
+
+  def oauth_token_url
+    'https://accounts.google.com/o/oauth2/token'
+  end
+
+  def oauth_userinfo_url
+    'https://www.googleapis.com/oauth2/v2/userinfo'
+  end
+
+  def configuration_file
+    '/etc/oauth2/oauth2.conf'
+  end
+
+  def configuration
+    @configuration ||= JSON.parse(File.read(configuration_file))
+  rescue
+    abort("Missing or invalid #{configuration_file}")
+  end
+
+  def oauth_auth_url_params
+    [
+      "client_id=#{oauth_client_id}",
+      'scope=email',
+      'response_type=code',
+      "redirect_uri=#{CGI.escape(redirect_url)}",
+      "state=#{CGI.escape(state_url)}",
+      'login_hint='
+    ].join('&')
+  end
+
+  def oauth_auth_redirect
+    [
+      oauth_auth_url,
+      '?',
+      oauth_auth_url_params
+    ].join
+  end
+
+  def permitted?(user_info)
+    email = user_info.dig('email')
+    return false unless email
+    _, domain = email.split('@')
+    return true if google_whitelisted_emails.include? email
+    return true if google_whitelisted_domains.include? domain
+    false
+  rescue
+    false
+  end
+
+  def user_info(authorization)
+    headers = {
+      'Authorization' => "Bearer #{authorization}"
+    }
+    HTTParty.get(oauth_userinfo_url, headers: headers)
+  end
+
+  def access_token(params)
+    response = verify(params[:code])
+    response.dig('access_token')
+  end
+
+  def authorize(s)
+    if s.params.key? 'code'
+      # Make sure we got an access token, otherwise redirect to auth page
+      at = access_token(s.params)
+      return Auth.go_to_auth(s.cookies, s.request) unless at
+
+      # Get google user info and make sure it's permitted to get auth.
+      ui = user_info(at)
+      return 403 unless permitted?(ui)
+
+      # Naive sanity check of google response
+      return Auth.go_to_auth(s.cookies, s.request) unless ui.key? 'email'
+
+      # Now we're safe to authorize => set cookies
+      Auth.authorize(ui, s.request).each do |cookie, value|
+        s.cookies.set(cookie, value: value, expires: Time.now + Auth.cookie_ttl)
+      end
+
+      # Redirect user to the original page if redirect cookie present.
+      if s.cookies.key?(Auth.cookie_name_redirect)
+	redirect_url = s.cookies[Auth.cookie_name_redirect]
+	s.cookies.delete(Auth.cookie_name_redirect)
+	s.redirect redirect_url
+      end
+
+      # Redirect to default page if you don't have redirect cookie
+      s.redirect Auth.default_redirect_page
+    else
+      Auth.go_to_auth(s.cookies, request)
+    end
+  end
+
+  def verify(code)
+    options = {
+      body: {
+        client_id: oauth_client_id,
+        client_secret: oauth_client_secret,
+        code: code,
+        redirect_uri: redirect_url,
+        grant_type: 'authorization_code'
+      }
+    }
+    HTTParty.post(oauth_token_url, options)
+  end
+end

data/lib/ops/oauth2/slack.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'cgi'
+require 'httparty'
+require 'json'
+
+# Basic support of slack oauth2
+class Slack
+  def oauth_client_secret
+    ENV['SLACK_OAUTH_CLIENT_SECRET'] || configuration.dig('slack', 'oauth_client_secret') || abort('Missing SLACK_OAUTH_CLIENT_SECRET')
+  end
+
+  def oauth_client_id
+    ENV['SLACK_OAUTH_CLIENT_ID'] || configuration.dig('slack', 'oauth_client_id') || abort('Missing SLACK_OAUTH_CLIENT_ID')
+  end
+
+  def redirect_url
+    ENV['SLACK_OAUTH_REDIRECT_URL'] || configuration.dig('slack', 'oauth_redirect_url') || abort('Missing SLACK_OAUTH_REDIRECT_URL')
+  end
+
+  def whitelisted_domains
+    return ENV['SLACK_WHITELISTED_DOMAINS'].split(',') if ENV['SLACK_WHITELISTED_DOMAINS']
+    configuration.dig('slack', 'whitelisted_domains') || abort('Missing SLACK_WHITELISTED_DOMAINS')
+  end
+
+  def oauth_auth_url
+    'https://slack.com/oauth/authorize'
+  end
+
+  def oauth_token_url
+    'https://slack.com/api/oauth.access'
+  end
+
+  def oauth_scopes
+    'identity.basic,identity.team'
+  end
+
+  def configuration_file
+    '/etc/oauth2/oauth2.conf'
+  end
+
+  def configuration
+    @configuration ||= JSON.parse(File.read(configuration_file))
+  rescue
+    abort("Missing or invalid #{configuration_file}")
+  end
+
+  def oauth_auth_url_params
+    [
+      "client_id=#{oauth_client_id}",
+      "scope=#{oauth_scopes}",
+      "redirect_uri=#{CGI.escape(redirect_url)}"
+    ].join('&')
+  end
+
+  def oauth_auth_redirect
+    [
+      oauth_auth_url,
+      '?',
+      oauth_auth_url_params
+    ].join
+  end
+
+  def user_info(response)
+    payload = JSON.parse(response)
+    {
+      'user': payload['user']
+    }
+  rescue
+    nil
+  end
+
+  def domain(response)
+    payload = JSON.parse(response)
+    payload.dig('team', 'domain')
+  rescue
+    nil
+  end
+
+  def authorize(s)
+    response = verify(s.params)
+    return 403 unless response.dig('ok')
+
+    # get slack response domain and authorize if included in whitelisted
+    return 403 unless whitelisted_domains.include? domain(response.body)
+
+    # make sure we get a proper user info structure
+    ui = user_info(response.body)
+    return 403 unless ui
+
+    # build and authorize cookies
+    Auth.authorize(ui, s.request).each do |cookie, value|
+      s.cookies.set(cookie, value: value, expires: Time.now + Auth.cookie_ttl)
+    end
+
+    # redirect user to a proper place if needed
+    if s.cookies.key?(Auth.cookie_name_redirect)
+      redirect_url = s.cookies[Auth.cookie_name_redirect]
+      s.cookies.delete(Auth.cookie_name_redirect)
+      s.redirect redirect_url
+    end
+
+    # redirect to a default page
+    s.redirect Auth.default_redirect_page
+  end
+
+  def verify(params)
+    return { 'ok': false } unless params.dig('code')
+    options = {
+      body: {
+        client_id: oauth_client_id,
+        client_secret: oauth_client_secret,
+        code: params.dig('code'),
+        redirect_uri: redirect_url
+      }
+    }
+    HTTParty.post(oauth_token_url, options)
+  end
+end

data/lib/ops/oauth2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ops
+  module Oauth2
+    VERSION = '0.2.0'
+  end
+end

data/oauth2-nginx-auth-backend.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ops/oauth2/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'oauth2-nginx-auth-backend'
+  spec.version       = Ops::Oauth2::VERSION
+  spec.authors       = ['Bartek Jarocki']
+  spec.email         = ['bartek@smatly.com']
+
+  spec.summary       = 'oauth2 nginx auth_request backend'
+  spec.homepage      = 'https://github.com/bjarocki/oauth2-nginx-auth-backend'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rubocop', '~> 0.49'
+
+  spec.add_runtime_dependency 'httparty', '~> 0.15'
+  spec.add_runtime_dependency 'sinatra', '~> 2.0'
+  spec.add_runtime_dependency 'sinatra-contrib', '~> 2.0'
+end

data/views/index.erb

@@ -0,0 +1,81 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta name="generator" content=
+  "HTML Tidy for HTML5 for Linux version 5.4.0">
+  <link rel="stylesheet" href=
+  "https://cdnjs.cloudflare.com/ajax/libs/bulma/0.5.1/css/bulma.min.css">
+
+  <style>
+  .loginBtn {
+  box-sizing: border-box;
+  position: relative;
+  width: 100%;
+  margin: 18px 0px 0px 0px;
+  padding: 0 15px 0 52px;
+  text-align: left;
+  line-height: 42px;
+  white-space: nowrap;
+  border-radius: 0.2em;
+  background-color: white;
+  font-size: 1.3em;
+  color: #333;
+  border: 1px solid rgba(10,10,10,0.1);
+  }
+  .loginBtn:before {
+  content: "";
+  box-sizing: border-box;
+  position: absolute;
+  top: 2px;
+  left: 2px;
+  width: 38px;
+  height: 38px;
+  }
+  .loginBtn:focus {
+  outline: none;
+  }
+  .loginBtn:active {
+  box-shadow: inset 0 0 0 32px rgba(0,0,0,0.1);
+  }
+  .loginBtn--slack {
+  }
+  .loginBtn--slack:before {
+  border-right: rgba(0,0,0,0.1) 1px solid;
+  background: url('images/slack-large.png') 0px 0px no-repeat;
+  }
+  .loginBtn--slack:hover,
+  .loginBtn--slack:focus {
+  background: #78d4b6
+  }
+  .loginBtn--google {
+  background: #4285f4;
+  color: #fff;
+  }
+  .loginBtn--google:before {
+  border-right: rgba(0,0,0,0.1) 1px solid;
+  background: url('images/google-large.png') 0px 0px no-repeat;
+  }
+  .loginBtn--google:hover,
+  .loginBtn--google:focus {
+  background: #E74B37;
+  }
+  </style>
+  <title></title>
+</head>
+<body>
+  <section class="section">
+    <div class="columns is-mobile is-centered">
+      <div class="column is-one-quarter is-narrow">
+        <div class="box">
+          <p class="is-centered"></p>
+          <figure class="image is-256x256">
+            <img src="images/devops-logo.png">
+          </figure>
+          <p><button class="loginBtn loginBtn--slack" onclick="location.href='/oauth2/slack/sign_in'">Login with Slack</button></p>
+          <p><button class="loginBtn loginBtn--google" onclick="location.href='/oauth2/google/sign_in'">Login with Google</button></p>
+        </div>
+      </div>
+    </div>
+  </section>
+</body>
+</html>

metadata

@@ -0,0 +1,133 @@
+--- !ruby/object:Gem::Specification
+name: oauth2-nginx-auth-backend
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Bartek Jarocki
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-03-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.49'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.49'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: sinatra-contrib
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: 
+email:
+- bartek@smatly.com
+executables:
+- ops_oauth2_server.rb
+extensions: []
+extra_rdoc_files: []
+files:
+- ".drone.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- ".ruby-version"
+- Dockerfile
+- Gemfile
+- Gemfile.lock
+- README.md
+- bin/ops_oauth2_server.rb
+- lib/ops/oauth2.rb
+- lib/ops/oauth2/auth.rb
+- lib/ops/oauth2/google.rb
+- lib/ops/oauth2/slack.rb
+- lib/ops/oauth2/version.rb
+- oauth2-nginx-auth-backend.gemspec
+- static/oauth2/images/devops-logo.png
+- static/oauth2/images/google-large.png
+- static/oauth2/images/slack-large.png
+- views/index.erb
+homepage: https://github.com/bjarocki/oauth2-nginx-auth-backend
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: oauth2 nginx auth_request backend
+test_files: []