Create an OAuth-protected share

Once you've configured auth providers in Frontdoor, you can protect shares by specifying an auth provider when creating the share.

Note: To create an OAuth-protected share, you must use a custom frontend.

Steps

  1. From the Frontdoor console, click Shares in the left-hand menu.

  2. Click the + icon to create a new share.

  3. Fill in the share fields:

    • Name: Enter a name used to access the share; must be alphanumeric and start with a letter.
    • Hosting Frontdoor agent: Select the agent you created.
    • Target URL: Enter the URL to the application or service you want to share; must be accessible from the agent you selected.
    • Frontend: Select the frontend (the default is public).

  4. Under Authentication, select the OAuth provider you created earlier.

  5. (Optional) Enter emails or email patterns to restrict access to specific users.

  6. Click Create share.

    You're returned to the share list page, where you can click Frontend Endpoint to access your share.

Email pattern restrictions

Use the emailPatterns array to restrict access to users whose email addresses match specific patterns. You can allow any user with a specific domain using *@example.com, permit users with emails starting with a specific prefix using admin@*, or restrict access to only a specific email address using user@company.org.

HTTP headers for proxied requests

When Frontdoor successfully authenticates a user via OAuth, it automatically adds authentication headers to all proxied requests sent to your backend application. These headers allow your application to identify the authenticated user and make authorization decisions.

Authentication headers

Frontdoor sets the following HTTP headers on every proxied request after successful OAuth authentication:

  • zrok-auth-provider: Contains the name of the OAuth provider used for authentication, such as google-auth or github-corp.
  • zrok-auth-email: Provides the authenticated user's email address as provided by the OAuth provider.
  • zrok-auth-expires: Includes the timestamp when the authentication session expires, formatted as RFC3339, like 2024-01-15T14:30:00Z.

Security considerations

These headers are only present when requests come through Frontdoor's OAuth-protected custom frontend; direct access to your backend would not include them. Your application should validate that these headers are present when OAuth protection is expected, and use the zrok-auth-expires header to implement client-side session warnings or automatic logout.
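
One way a backend could apply this check, as an added example rather than Frontdoor's own code: it fails closed unless all three headers are present, the provider and email match the application's own policy, and the session has not expired. The function name, the allow-lists and the sample headers are hypothetical, and the code assumes the backend is reachable only through the Frontdoor agent, because a client with direct access could send the same header names itself.

```python
import re
from datetime import datetime, timezone

# Assumed application policy (hypothetical values, not from Frontdoor).
ALLOWED_PROVIDERS = {"google-auth"}
ALLOWED_EMAIL_PATTERNS = ["*@example.com", "user@company.org"]


def _email_allowed(email, patterns):
    # Treat "*" as the only wildcard; everything else matches literally.
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, email.lower()):
            return True
    return False


def identity_from_headers(headers, now=None):
    """Return (email, provider, expires), or None if the request must be rejected."""
    now = now or datetime.now(timezone.utc)
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    provider = h.get("zrok-auth-provider")
    email = h.get("zrok-auth-email")
    expires_raw = h.get("zrok-auth-expires")
    # Fail closed: all three headers must be present and non-empty.
    if not (provider and email and expires_raw):
        return None
    if provider not in ALLOWED_PROVIDERS:
        return None
    if not _email_allowed(email, ALLOWED_EMAIL_PATTERNS):
        return None
    try:
        # Rewrite the RFC3339 "Z" suffix for Python versions before 3.11.
        expires = datetime.fromisoformat(expires_raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    # Reject timestamps without an offset and sessions that already expired.
    if expires.tzinfo is None or expires <= now:
        return None
    return email, provider, expires


# Constructed sample request headers, for illustration only.
SAMPLE = {
    "Zrok-Auth-Provider": "google-auth",
    "Zrok-Auth-Email": "alice@example.com",
    "Zrok-Auth-Expires": "2024-01-15T14:30:00Z",
}
```

The returned expiry can drive the session warning or automatic logout described above.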