A lesson in informing users of your shortcoming
Retro: own your product's shortcomings, a tale of oauth2-proxy
I’m starting a company. I need the ability for a user to log in with OIDC (OAuth 2.0). This is how popular sites implement that cool “One Click Login” for Google and other sites you probably already have an account at. The cool-kids way to do this is to implement a reverse proxy on top of your app that handles OIDC. Then you get the best practices and you don’t have to write your own implementation. You can also update that reverse proxy without breaking anything in your app. This takes care of all the complexities of OAuth2 for you.
One such product is the beautiful oauth2-proxy. I found it and loved the interface. I even contributed to solve a bug in the Helm manifest. It supports multiple authentication providers.
After getting everything working with Google SSO, I added an additional provider: LinkedIn. I configured the LinkedIn provider with the new configuration format called “Alpha Config.” The configuration took and validated, but I couldn’t see any difference in the login page. The endpoints also didn’t respond as I would have thought when trying to target a different provider. Turns out, oauth2-proxy does NOT support multiple providers at the same time.
The reason for this confusion is that they updated only the configuration file format (Alpha Config) to support multiple providers. They built some future-proofing by making the provider in the new format an array and calling it providers, but they do nothing with the non-primary provider. Ouch. All that work chasing this solution and it’s a dead end.
Nothing in the docs clearly owned this shortcoming. But in this case, it’s very important to document what you can’t do. Especially when your users will expect it. The feature request for Multiple Providers was opened in 2020. It has 63 upvotes. The last PR on that feature landed in 2021. This is probably not getting fixed any time soon. Time to go back to the drawing board.
I submitted a PR to document this, which has since been accepted. Hopefully it saves someone a headache.