How it works
oauth2-proxy runs as a sidecar container next to the Thoras dashboard container. Traffic hits oauth2-proxy first; it handles the OIDC login flow against Entra, then reverse-proxies authenticated requests to the dashboard’s local port.Setup
1. Register an app in Azure Entra
- In the Azure Portal, go to Entra ID -> App registrations -> New registration.
- Set a Redirect URI of type “Web”:
https://thoras.yourcompany.com/oauth2/callback. - Note the Application (client) ID and Directory (tenant) ID. You’ll need both.
- Under Certificates & secrets, create a new client secret and copy its value immediately (it’s only shown once).
- Under API permissions, ensure
openid,email, andprofiledelegated permissions are present (these are granted by default for most app registrations).

2. Create the Kubernetes secret
oauth2-proxy needs three secrets, referenced viasecretKeyRef rather than
inlined in values.yaml:
| Key | Purpose |
|---|---|
client-id | The Entra application (client) ID |
client-secret | The Entra client secret |
cookie-secret | A random value oauth2-proxy uses to encrypt its session cookie |
kubectl
when using --from-literal):
3. Configure the oauth2-proxy sidecar in values.yaml
Add an extraContainers entry under thorasDashboard:
Key flags explained
Full flag reference: oauth2-proxy configuration options.--oidc-issuer-url— points to your Entra tenant’s v2.0 OIDC endpoint. Replace<tenant-id>with your Directory (tenant) ID. See the Entra ID provider docs for tenant-specific vs. multi-tenant issuer URL variants.--upstream— the dashboard’s local container port that oauth2-proxy proxies to after successful auth. This stays plain HTTP over loopback (127.0.0.1) because it’s a same-pod, container-to-container hop. TLS belongs on the external-facing side (--cookie-secure, ingress TLS), not here. See upstream configuration.--email-domain=yourcompany.com— restricts login to your org’s email domain(s). Replace with your actual domain, or pass the flag multiple times for more than one domain.--cookie-secure=true— only send the session cookie over HTTPS. Requires the dashboard to actually be served over HTTPS end-to-end (see the ingress note below).--redirect-url=https://thoras.yourcompany.com/oauth2/callback— must be the real external hostname of the dashboard, over HTTPS, and must exactly match a redirect URI registered on the Entra app registration.--skip-provider-button=true— since there’s only one provider (Entra), skip the “choose a provider” landing page and redirect straight to login.
4. Deploy and verify
- Apply the secret (step 2) and upgrade the Helm release with the updated
values.yaml. - Confirm the sidecar comes up healthy:
- Visit the dashboard URL. You should be redirected to Microsoft’s login page, and land back on the dashboard after authenticating.
- If the redirect fails or loops, double-check that
--redirect-urlexactly matches a redirect URI registered on the Entra app, and that--oidc-issuer-urlmatches your tenant.
Exposing the sidecar with a Service and HTTPRoute
To reach oauth2-proxy from outside the cluster, point aService at its port
(4180), not the dashboard’s port (8080), so all external traffic is forced
through the auth check.
HTTPRoute (Gateway API) that routes the dashboard hostname to
that Service, attached to an existing Gateway:
parentRefs to match your cluster’s actual Gateway name/namespace, and
terminate TLS on the Gateway’s listener (or upstream at a cert-manager-issued
Certificate bound to it) rather than on the HTTPRoute. Once DNS for
thoras.yourcompany.com resolves to the Gateway and a valid TLS cert is issued,
visiting the dashboard URL should trigger the Entra login flow described in step
3 above.

