# OAuth

Grey Matter’s sidecar proxy supports full OAuth 2.0 negotiation.

## Filter Configuration Options

| Name              | Type    | Default | Description                                                                                                                                                                                                                                                                                                                             |
| ----------------- | ------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `provider`        | String  | ""      | The url for the OpenID connect provider to use. This is used to determine the particular OAuth endpoints.                                                                                                                                                                                                                               |
| `client_id`       | String  | ""      | The public identifier registered with the OAuth authorization server.                                                                                                                                                                                                                                                                   |
| `client_secret`   | String  | ""      | The secret known only to the application and the authorization server.                                                                                                                                                                                                                                                                  |
| `server_name`     | String  | ""      | The host name of the application. When a user signs in through the OAuth provider, they will need to be redirected back to your application; this host name will be used during the redirect.                                                                                                                                           |
| `server_insecure` | Boolean | false   | Setting this to `true` specifies that your application is *not* protected by TLS; the redirect URL will then use `http` as the scheme instead of `https`. NOTE: this should *only* be used for development, and with test users for which you don't mind leaking access: OAuth credentials will be sent unencrypted over plain HTTP.    |
| `session_secret`  | String  | ""      | The secret known only to the application. This will be used to cryptographically sign the user's session cookie.                                                                                                                                                                                                                        |
| `domain`          | String  | ""      | A regex describing the expected email domain(s) for authorized users. If this regex pattern does not match, the attempted login is forbidden.                                                                                                                                                                                           |

### Example

```yaml
http_filters:
- name: gm.oauth
  config:
    provider: https://accounts.google.com
    client_id: 234q2348uads8f9sdafds.apps.googleusercontent.com
    client_secret: secret
    server_name: oauth.yoursite.com
    server_insecure: false
    session_secret: secret2
    domain: gmail.com
```
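
Because `domain` is a regex, its anchoring and escaping decide which email domains pass. The Python check below is an added example, not Grey Matter code: it assumes the filter applies the pattern as an unanchored search against the domain part of the email (the page does not document the matching semantics), and all look-alike domains are constructed test data.

```python
import re


def lookalikes_for(domain):
    """Constructed near-miss domains that a strict pattern for `domain` must reject."""
    return [
        domain + ".example.net",                # allowed name used as a prefix
        "not" + domain,                         # allowed name used as a suffix
        domain.replace(".", "x") + ".example",  # unescaped "." acting as a wildcard
        "mail." + domain,                       # subdomain of the allowed name
    ]


def audit_domain_pattern(pattern, allowed):
    """Report what `pattern` gets wrong for the intended `allowed` domains.

    Assumption: the filter behaves like an unanchored regex search on the
    email's domain part. Adjust if your deployment matches differently.
    """
    rx = re.compile(pattern)
    rejected = [d for a in allowed for d in lookalikes_for(a)]
    return {
        "wrongly_accepted": [d for d in rejected if rx.search(d)],
        "wrongly_rejected": [d for d in allowed if not rx.search(d)],
    }


if __name__ == "__main__":
    # Single domain: the value from the example config, then stricter forms.
    for pattern in ("gmail.com", r"gmail\.com", r"^gmail\.com$"):
        print(pattern, audit_domain_pattern(pattern, ["gmail.com"]))

    # Several domains: without a group, "^" and "$" each bind to only one
    # branch of the alternation.
    multi = ["example.com", "example.org"]
    for pattern in (r"^example\.com|example\.org$",
                    r"^(example\.com|example\.org)$"):
        print(pattern, audit_domain_pattern(pattern, multi))
```

Run it against the exact pattern you intend to deploy; an empty `wrongly_accepted` list under these assumptions means the pattern is both escaped and anchored.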

### Per-Route configuration

```javascript
{
  "domain": <string>
}
```

See [Routing](https://greymatter.gitbook.io/grey-matter-documentation/1.7-beta/usage/traffic_control/routing).
