© 2026 Direct Cursus Technology L.L.C.


Using an OIDC app and OAuth2 Proxy to set up single sign-on for applications that do not support SSO

Written by
Yandex Cloud
Improved by
Danila N.
Updated at February 11, 2026
  • Creating and configuring an OIDC app in Identity Hub
    • Creating an OIDC app
    • Configure the redirect URI
    • Add a user
  • Configure the test application VM
    • Set up your Yandex Cloud environment
    • Create a VM
  • Set up the integration
    • Creating a test app and configuring nginx
    • Configuring OAuth2 Proxy
  • Making sure authentication works correctly

Note

This feature is at the Preview stage.

Some applications have no built-in support for single sign-on (SSO). However, you may sometimes need to configure user authentication in such applications using Yandex Identity Hub.

In this guide, you will use the OAuth2 Proxy utility combined with a reverse proxy to integrate a simple application with Yandex Identity Hub and restrict access to it exclusively to specified Identity Hub users via OpenID Connect (OIDC)-based single sign-on.

This guide uses nginx as the proxy server and a static HTML page as the test application. To enable your Identity Hub users to access the test application, you will create and configure an OIDC app. Additionally, you will need a Yandex Compute Cloud VM instance to run nginx and OAuth2 Proxy and host your test application. Furthermore, to implement secure access to the test application, you will need a domain name and an SSL certificate issued for it.

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

To configure application access for your Identity Hub users, do the following:

  1. Create and configure an OIDC app in Identity Hub.
  2. Configure the test application VM.
  3. Set up the integration.
  4. Make sure your integration works correctly.

Creating and configuring an OIDC app in Identity Hub

Creating an OIDC app

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps.

  3. In the top-right corner, click Create application and in the window that opens:

    1. Select the OIDC (OpenID Connect) single sign-on method.

    2. In the Name field, specify a name for your new app: website-oidc-app.

    3. In the Folder field, select the folder where you want to create an OAuth client for your app.

    4. Optionally, in the Description field, enter a description for the new app.

    5. Optionally, add labels:

      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    6. Click Create application.

  4. In the window that opens, on the Overview tab, under Identity provider (IdP) configuration, copy and save the ClientID value representing the unique OAuth client ID. You will need this value later when setting up OAuth2 Proxy.

  5. Create an app secret:

    Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create an OAuth client:

    yc iam oauth-client create \
      --name website-oauth-client \
      --scopes openid,email,profile
    

    Where:

    • --name: OAuth client name.
    • --scopes: User attributes that will be provided to OAuth2 Proxy. The specified attributes are:
      • openid: User ID. Required attribute.
      • email: User email address.
      • profile: Additional user details, such as first name, last name, and avatar.

    Result:

    id: ajeiu3otac08********
    name: website-oauth-client
    scopes:
      - email
      - openid
      - profile
    folder_id: b1gkd6dks6i1********
    status: ACTIVE
    

    Save the app ClientID (the id field value): you will need it to create a secret and configure OAuth2 Proxy.

  2. Create a secret for your OAuth client using the ID you obtained in the previous step:

    yc iam oauth-client-secret create \
      --oauth-client-id <OAuth_client_ID>
    

    Result:

    oauth_client_secret:
      id: ajeohit7l3t6********
      oauth_client_id: ajeiu3otac08********
      masked_secret: yccs__460c4ca204****
      created_at: "2026-01-22T08:51:27.263668671Z"
    secret_value: yccs__4d2243a25b501220ee2a6f********************************e76e64e797_07911bfb
    

    Save the secret_value field value: you will need it to configure OAuth2 Proxy.

  3. Create an OIDC app:

    yc organization-manager idp application oauth application create \
      --organization-id <organization_ID> \
      --name website-oidc-app \
      --description "OIDC app to configure Identity Hub user access to the website" \
      --client-id <OAuth_client_ID> \
      --authorized-scopes openid,email,profile \
      --group-distribution-type none
    

    Where:

    • --organization-id: ID of the organization you want to create your OIDC app in. This is a required parameter.
    • --name: OIDC app name. This is a required parameter.
    • --description: OIDC app description. This is an optional parameter.
    • --client-id: OAuth client ID you got in Step 1. This is a required parameter.
    • --authorized-scopes: Specify the same attributes as when creating the OAuth client.
    • --group-distribution-type: Set to none as user groups are not provided to OAuth2 Proxy.

    Result:

    done (2s)
    id: ek0odpetc1o4********
    name: website-oidc-app
    organization_id: bpf2c65rqcl8********
    description: OIDC app to configure Identity Hub user access to the website
    group_claims_settings:
      group_distribution_type: NONE
    client_grant:
      client_id: ajeiu3otac08********
      authorized_scopes:
        - openid
        - email
        - profile
    status: ACTIVE
    created_at: "2026-01-22T08:53:26.873089Z"
    updated_at: "2026-01-22T08:53:27.439690Z"
    

Configure the redirect URI

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.
  3. At the top right, click Edit and in the window that opens:
    1. In the Redirect URI field, specify the authentication endpoint for your test application:

      https://<your_domain>/oauth2/callback
      

      Where <your_domain> is your test application domain, e.g., example.com.

    2. Click Save.

CLI

Update your OAuth client by providing the redirect URI:

yc iam oauth-client update \
  --id <OAuth_client_ID> \
  --redirect-uris "https://<your_domain>/oauth2/callback"

Where:

  • <OAuth_client_ID>: OAuth client ID you got when you created it.
  • --redirect-uris: Authentication endpoint for your test application. For example: https://example.com/oauth2/callback.

Result:

  id: ajeiu3otac08********
  name: website-oauth-client
  redirect_uris:
    - https://example.com/oauth2/callback
  scopes:
    - email
    - openid
    - profile
  folder_id: b1gkd6dks6i1********
  status: ACTIVE

Add a user

For your Identity Hub users to be able to authenticate in the test application over the OIDC protocol, you need to explicitly add these users and/or user groups to this OIDC application.

Note

Users and groups added to an OIDC application can be managed by a user with the organization-manager.oidcApplications.userAdmin role or higher.

Add a user to the application:

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the required app.
  3. Navigate to the Users and groups tab.
  4. Click Add users.
  5. In the window that opens, select the required user or user group.
  6. Click Add.
CLI
  1. Get the user ID or user group ID.

  2. To add a user or user group to the application, run this command:

    yc organization-manager idp application oauth application add-assignments \
      --id <app_ID> \
      --subject-id <user_or_group_ID>
    

    Where:

    • --id: OIDC app ID.
    • --subject-id: User or user group ID.

    Result:

    done (2s)
    assignment_deltas:
      - action: ADD
        assignment:
          subject_id: aje0j5mts02t********
    

Configure the test application VM

In this guide, you will deploy the test application and configure nginx and OAuth2 Proxy on a VM instance running Ubuntu 24.04.

Warning

To configure access to your existing application, repeat the setup on the server handling requests from your application's users. This way, you do not need to create a separate VM instance and can proceed directly to configuring nginx and OAuth2 Proxy.

Set up your Yandex Cloud environment

Before creating the VM, ensure that your folder contains a cloud network and a subnet. If needed, follow the guides below to create them:

  • Creating a cloud network
  • Creating a subnet

Also, in your cloud network, create a security group that allows inbound TCP traffic on ports 22, 80, and 443 as well as any outbound traffic. Ports 80 and 443 must be reachable from the internet; for port 22, restrict the source to the address range you administer the VM from rather than 0.0.0.0/0. Do not open port 4180: OAuth2 Proxy must be reachable only through nginx on the VM itself.

Create a VM

Management console
  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines and click Create virtual machine.

  4. Under Boot disk image, in the Product search field, type Ubuntu 24.04 LTS and select a public Ubuntu 24.04 LTS image.

  5. Under Location, select the same availability zone as that of your subnet.

  6. Under Computing resources, select the 2 vCPU 4 GB RAM configuration.

  7. Under Network settings:

    • In the Subnet field, select your network and subnet in your new VM's availability zone.
    • In the Public IP address field, leave the Auto value to assign the VM a random public IP address from the Yandex Cloud pool.
    • In the Security groups field, select the security group you created earlier.
  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter a username, e.g., yc-user. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>\.ssh directory. You do not need to additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  9. Under General information, specify the VM name: my-nginx-vm.

  10. Click Create VM.

CLI

To create a VM instance, run this command:

  yc compute instance create \
    --name my-nginx-vm \
    --zone <VM_availability_zone> \
    --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2404-lts,auto-delete=true \
    --ssh-key <path_to_public_SSH_key> \
    --network-interface subnet-name=<subnet_name>,nat-ip-version=ipv4,security-group-ids=<security_group_ID>

Where:

  • --name: VM name. Follow these naming requirements:

    • Length: between 3 and 63 characters.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  • --zone: Availability zone you are creating the VM in.

  • --ssh-key: Path to the public SSH key file, e.g., ~/.ssh/id_ed25519.pub. The VM will automatically create a user named yc-user for this key.

  • subnet-name: Name of the subnet in the same folder and availability zone as the new VM.

  • <security_group_ID>: ID of the security group you created earlier.

Result:
done (29s)
id: epdvqa1rtvjj********
folder_id: b1gt6g8ht345********
created_at: "2026-01-22T12:03:52Z"
name: my-nginx-vm
zone_id: ru-central1-b
platform_id: standard-v2
resources:
  memory: "2147483648"
  cores: "2"
  core_fraction: "100"
status: RUNNING
metadata_options:
  gce_http_endpoint: ENABLED
  aws_v1_http_endpoint: ENABLED
  gce_http_token: ENABLED
  aws_v1_http_token: DISABLED
boot_disk:
  mode: READ_WRITE
  device_name: epdbi403v2or********
  auto_delete: true
  disk_id: epdbi403v2or********
network_interfaces:
  - index: "0"
    mac_address: d0:0d:1f:d2:83:be
    subnet_id: e2lqsms4cdl3********
    primary_v4_address:
      address: 192.168.2.31
      one_to_one_nat:
        address: 89.169.***.***
        ip_version: IPV4
    security_group_ids:
      - enp378h7n0cm********
serial_port_settings:
  ssh_authorization: OS_LOGIN
gpu_settings: {}
fqdn: epdvqa1rtvjj********.auto.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}
hardware_generation:
  legacy_features:
    pci_topology: PCI_TOPOLOGY_V2
application: {}

Set up the integration

Creating a test app and configuring nginx

  1. Ensure your domain has a resource A record pointing to the public IP address of your new VM. If no such record exists, create one.

    Note

    If management of your domain is delegated to Yandex Cloud DNS, follow this guide to create the resource record. If your domain is managed by a third-party provider, refer to their documentation or contact their support team.

  2. Connect over SSH to the new VM.

  3. Install nginx:

    sudo apt update && sudo apt upgrade -y
    sudo apt install nginx -y
    
  4. Create the test application files:

    1. Save your domain name to an environment variable:

      export MY_DOMAIN="<domain_name>"
      

      Where <domain_name> is your domain name with a resource record pointing to the public IP address of the current VM, e.g., example.com.

    2. Create a directory and the main HTML page for your test application:

      sudo mkdir -p "/var/www/$MY_DOMAIN"
      echo "<h1>Your Web application that is available to your Identity Hub users only</h1>" \
        | sudo tee "/var/www/$MY_DOMAIN/index.html" > /dev/null
      
  5. Generate a self-signed SSL certificate for your domain. To do this, run the command and enter values as prompted:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/my-private.key -out /etc/ssl/certs/my-certificate.crt
    

    This will create a self-signed SSL certificate sufficient for testing the proposed solution.

    Tip

    To avoid browser security warnings when using the application, use an SSL certificate issued by a trusted certificate authority.

    For example, to obtain a certificate from Let's Encrypt and save both the certificate and private key to your computer, follow these guides: Adding a Let's Encrypt® certificate and Get the contents of the Let's Encrypt certificate.

  6. Configure the nginx settings:

    1. In the nano text editor, open the nginx configuration file:

      sudo nano /etc/nginx/conf.d/default.conf
      
    2. Replace the opened file contents with this text:

      server {
          listen 80;
          listen [::]:80;
          server_name <domain_name>;

          return 301 https://$server_name$request_uri;
      }

      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name <domain_name>;

          location /oauth2/ {
              proxy_pass       http://127.0.0.1:4180;
              proxy_set_header Host                    $host;
              proxy_set_header X-Real-IP               $remote_addr;
              proxy_set_header X-Auth-Request-Redirect $request_uri;
              # or, if you are handling multiple domains:
              # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
          }

          location = /oauth2/auth {
              proxy_pass       http://127.0.0.1:4180;
              proxy_set_header Host             $host;
              proxy_set_header X-Real-IP        $remote_addr;
              proxy_set_header X-Forwarded-Uri  $request_uri;
              # nginx auth_request passes headers but not the request body
              proxy_set_header Content-Length   "";
              proxy_pass_request_body           off;
          }

          # Paths to your certificate and key
          ssl_certificate /etc/ssl/certs/my-certificate.crt;
          ssl_certificate_key /etc/ssl/private/my-private.key;

          # Recommended security settings
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
          ssl_prefer_server_ciphers on;

          # error_log does not expand variables, so use the literal domain name in both log paths
          access_log /var/log/nginx/<domain_name>.access.log;
          error_log /var/log/nginx/<domain_name>.error.log;

          location / {
              # Every request is first sent to OAuth2 Proxy for a session check;
              # an unauthenticated request gets the sign-in page with status 403
              auth_request /oauth2/auth;
              error_page 401 =403 /oauth2/sign_in;

              # pass the authenticated identity to the backend via X-User and X-Email,
              # requires set_xauthrequest = true in the OAuth2 Proxy configuration
              auth_request_set $user   $upstream_http_x_auth_request_user;
              auth_request_set $email  $upstream_http_x_auth_request_email;
              proxy_set_header X-User  $user;
              proxy_set_header X-Email $email;

              root /var/www/$server_name/;
              index index.html;

              try_files $uri $uri/ =404;
          }
      }
      

      Where <domain_name> (in each of its occurrences, including the log paths) is your domain name with a resource record pointing to the public IP address of the current VM, e.g., example.com.

      Warning

      If you are using a certificate issued by a certificate authority, copy the certificate and private key files to the VM and specify their local paths in the ssl_certificate and ssl_certificate_key fields of the configuration file, respectively.

  7. Check the configuration syntax and apply the updated nginx settings:

    sudo nginx -t && sudo nginx -s reload
    

Configuring OAuth2 Proxy

  1. Connect over SSH to the new VM.

  2. Install the latest version of OAuth2 Proxy in any way you prefer.

    In the example below, we download an archive containing the executable. At the time of writing this guide, the latest version was v7.14.2. Before unpacking, compare the archive's SHA-256 hash (sha256sum <archive>) with the checksum file published with the release: the binary will handle the client secret and every user's session, so do not run an unverified download.

    wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.14.2/oauth2-proxy-v7.14.2.linux-amd64.tar.gz
    sudo tar -xvf oauth2-proxy-v7.14.2.linux-amd64.tar.gz -C /usr/bin/
    sudo chmod +x /usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy
    rm oauth2-proxy-v7.14.2.linux-amd64.tar.gz
    
  3. Configure the OAuth2 Proxy settings:

    1. Generate a cookie secret required for configuring the utility:

      dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo
      

      Save the generated value, as you will need it later. OAuth2 Proxy accepts a cookie secret that decodes to 16, 24, or 32 bytes; this command produces 32 random bytes in base64url form.

    2. In the nano text editor, open the oauth2-proxy.cfg configuration file:

      sudo nano /usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy.cfg
      
    3. Paste the following configuration into oauth2-proxy.cfg, substituting its values as required:

      provider = "oidc"  # Provider type
      provider_display_name = "Yandex Identity Hub"  # Provider name to use as button text
      reverse_proxy = true  # Running behind nginx: trust X-Forwarded-* headers (only safe with a loopback http_address)
      client_id = "<ClientID>"  # OIDC app ClientID
      client_secret = "<app_secret>"  # OIDC app secret
      oidc_issuer_url = "https://auth.yandex.cloud"
      cookie_name = "_oauth2_proxy"  # Cookie name
      cookie_secret = "<cookie_secret>"  # Cookie key generated previously
      email_domains = [ "<domain_1>", "<domain_2>" ]  # Email domains allowed to sign in (one or more)
      upstreams = [ "<your_application_address>" ]  # Backend application address
      http_address = "127.0.0.1:4180"  # Listen on loopback only: nginx is the sole client
      redirect_url = "<redirect_URI>"  # Callback URL; must match the redirect URI registered in Identity Hub
      set_xauthrequest = true  # Return X-Auth-Request-User/-Email headers for nginx auth_request_set
      

      Where:

      • client_id: ClientID value of the OAuth client obtained earlier when creating the OIDC app.

      • client_secret: Secret value you generated in the OIDC app.

      • cookie_secret: Cookie secret you generated and saved earlier.

      • email_domains: List of email domains for which Identity Hub user authentication in the test app is allowed.

        OAuth2 Proxy checks the email domain specified in the Email field of the user's settings in Identity Hub (the email attribute).

        In the email_domains field, specify the email domain of the user you previously added to your OIDC app. If you added a user group to the OIDC app, specify the email domain of a group user on whose behalf you will test authentication. You can specify multiple domains, comma-separated. Assignment in Identity Hub is the primary access control; email_domains is a second filter applied by OAuth2 Proxy, so keep it to the domains you expect rather than the "*" wildcard, which admits any authenticated email address.

        Tip

        To allow users with Yandex accounts to authenticate in your test application, add yandex.ru to the email_domains list.

      • upstreams: Your application's address, e.g., https://example.com/.

      • redirect_url: Redirect URI value you specified when configuring the OIDC app.

  4. Run OAuth2 Proxy:

    sudo /usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy \
      --config /usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy.cfg
    

    Tip

    You can also run OAuth2 Proxy in the background, e.g., using nohup. Port 4180 is unprivileged, so root is not required: for anything beyond a quick test, run the utility as a systemd service under a dedicated unprivileged user, and restrict the permissions of oauth2-proxy.cfg, which contains the client secret and the cookie secret.
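The service setup recommended in the tip above, as an added example that is not part of the original tutorial or of the OAuth2 Proxy project: a POSIX shell script that renders a hardened systemd unit, creates a dedicated system user, locks down the configuration file and enables the service. The binary and configuration paths default to the ones used in this guide; the service user name oauth2-proxy, the unit file name oauth2-proxy.service and the OAUTH2_PROXY_* environment variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the tutorial or the OAuth2 Proxy project: run OAuth2 Proxy as a
# hardened systemd service instead of "sudo ... &" or nohup.
#   sh oauth2-proxy-service.sh render      # print the unit for review (no root needed)
#   sudo sh oauth2-proxy-service.sh install
# Paths default to the ones used in this guide; the service user, the unit name and the
# OAUTH2_PROXY_* variables are this example's assumptions.
set -eu

OAUTH2_PROXY_BIN="${OAUTH2_PROXY_BIN:-/usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy}"
OAUTH2_PROXY_CFG="${OAUTH2_PROXY_CFG:-/usr/bin/oauth2-proxy-v7.14.2.linux-amd64/oauth2-proxy.cfg}"
SERVICE_USER="${SERVICE_USER:-oauth2-proxy}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/oauth2-proxy.service}"

# render_unit: print the unit file. Kept separate from install_unit so it can be reviewed
# (or tested) without root.
render_unit() {
  cat <<EOF
[Unit]
Description=OAuth2 Proxy (OIDC gate for the nginx-served application)
After=network-online.target
Wants=network-online.target

[Service]
User=$SERVICE_USER
Group=$SERVICE_USER
ExecStart=$OAUTH2_PROXY_BIN --config $OAUTH2_PROXY_CFG
Restart=on-failure
RestartSec=5s
# Least privilege: port 4180 is unprivileged, sessions live in the cookie, nothing is written to disk
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
EOF
}

# config_is_private <file>: succeed only if the file exists and is not readable by "other".
config_is_private() {
  [ -e "$1" ] && [ -z "$(find "$1" -prune -perm -004)" ]
}

# install_unit: create the service user, lock the config down (it holds the client secret
# and the cookie secret), write the unit, enable and start the service. Needs root.
install_unit() {
  [ "$(id -u)" -eq 0 ] || { echo "install_unit must run as root" >&2; return 1; }
  [ -r "$OAUTH2_PROXY_CFG" ] || { echo "config not found: $OAUTH2_PROXY_CFG" >&2; return 1; }
  id "$SERVICE_USER" >/dev/null 2>&1 \
    || useradd --system --no-create-home --shell /usr/sbin/nologin "$SERVICE_USER"
  chown root:"$SERVICE_USER" "$OAUTH2_PROXY_CFG"
  chmod 0640 "$OAUTH2_PROXY_CFG"
  config_is_private "$OAUTH2_PROXY_CFG" || { echo "failed to restrict $OAUTH2_PROXY_CFG" >&2; return 1; }
  chmod 0755 "$OAUTH2_PROXY_BIN"
  render_unit > "$UNIT_PATH"
  systemctl daemon-reload
  systemctl enable --now "$(basename "$UNIT_PATH")"
  systemctl --no-pager status "$(basename "$UNIT_PATH")"
}

case "${1:-render}" in
  render)  render_unit ;;
  install) install_unit ;;
  *)       echo "usage: $0 [render|install]" >&2; exit 2 ;;
esac
```

ProtectSystem=strict gives the process a read-only view of the file system, which is enough because the configuration in this guide keeps sessions in the cookie and writes nothing to disk; RestrictAddressFamilies still permits the outbound HTTPS calls to https://auth.yandex.cloud that discovery and token exchange need. Review the rendered unit first, then install it as root.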

Making sure authentication works correctly

To check that OIDC app-based authentication works correctly in your test application, follow these steps:

  1. In your browser, enter the address of your test application (e.g., https://example.com).

    If everything is configured correctly, you will see the OAuth2 Proxy authentication window in the browser.

  2. Click Sign in with Yandex Identity Hub.

  3. Authenticate as the user you previously added to the OIDC app. If you added a user group to the OIDC app, authenticate as a user belonging to that group.

    If everything is configured correctly, your test application page will open in the browser.

  4. When attempting to authenticate as a user not added to the OIDC app, or as a user whose email domain is not included in the allowed email domains list configured in OAuth2 Proxy, your application will display an access error message.
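The checks in this section, scripted as an added example that is not part of the original tutorial: a POSIX shell smoke test run with curl from a machine outside the VM. It assumes the layout built above (port 80 redirects to HTTPS; "/" is behind auth_request and answers anonymous requests with the sign-in page and status 403; /oauth2/start begins the OIDC flow; OAuth2 Proxy listens on 127.0.0.1:4180 only). The host name and the -k flag are the caller's inputs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: black-box smoke test of the nginx + OAuth2 Proxy gate.
# Run from a machine outside the VM:  sh sso_check.sh example.com [-k]
# (-k is passed to curl and accepts the self-signed certificate from the tutorial).
# Assumed layout: port 80 redirects to HTTPS; "/" is behind auth_request and answers anonymous
# requests with the sign-in page and status 403; /oauth2/start begins the OIDC flow; OAuth2 Proxy
# listens on 127.0.0.1:4180 only.

# status_of <raw response headers>: three-digit status code of the (last) status line.
status_of() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# header_of <raw response headers> <name>: value of the first matching header, case-insensitive.
header_of() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2: *" | head -n 1 | sed 's/^[^:]*: *//'
}

# urlencode_min <string>: percent-encode '%', ':' and '/', which is all an https callback URL needs.
urlencode_min() {
  printf '%s' "$1" | sed 's|%|%25|g; s|:|%3A|g; s|/|%2F|g'
}

# check_http_redirect <headers of http://host/>: plain HTTP must redirect to HTTPS, never serve content.
check_http_redirect() {
  code=$(status_of "$1"); loc=$(header_of "$1" Location)
  case "$code" in
    301|302|307|308)
      case "$loc" in
        https://*) echo "PASS http->https redirect ($code -> $loc)" ;;
        *)         echo "FAIL redirect target is not https: '$loc'" ;;
      esac ;;
    *) echo "FAIL expected a redirect on port 80, got status '$code'" ;;
  esac
}

# check_root_denied <headers of https://host/ sent without a session cookie>:
# the tutorial's nginx config turns OAuth2 Proxy's 401 into a 403 with the sign-in page;
# a 401 or a 302 into the sign-in flow also means "gated". 200 means the gate is off.
check_root_denied() {
  code=$(status_of "$1")
  case "$code" in
    401|403|302) echo "PASS anonymous request denied ($code)" ;;
    200)         echo "FAIL application served without authentication" ;;
    *)           echo "FAIL unexpected status '$code' for anonymous request" ;;
  esac
}

# check_start_redirect <headers of https://host/oauth2/start> <redirect URI registered in Identity Hub>:
# the authorization request must carry client_id and exactly the registered redirect_uri,
# otherwise the IdP rejects the callback.
check_start_redirect() {
  code=$(status_of "$1"); loc=$(header_of "$1" Location); want=$(urlencode_min "$2")
  [ "$code" = 302 ] || { echo "FAIL /oauth2/start returned '$code', expected 302"; return 0; }
  case "$loc" in
    *client_id=*) ;;
    *) echo "FAIL authorization redirect has no client_id: $loc"; return 0 ;;
  esac
  case "$loc" in
    *"redirect_uri=$want&"*|*"redirect_uri=$want")
      echo "PASS authorization redirect carries client_id and redirect_uri=$2" ;;
    *) echo "FAIL redirect_uri in authorization redirect differs from $2: $loc" ;;
  esac
}

# fetch <url> [curl options]: response headers only; body discarded, redirects not followed.
fetch() {
  url=$1; shift
  curl -sS -o /dev/null -D - --max-time 15 "$@" "$url"
}

run_checks() {
  host=$1; shift    # remaining arguments (e.g. -k) are passed to curl
  check_http_redirect  "$(fetch "http://$host/")"
  check_root_denied    "$(fetch "https://$host/" "$@")"
  check_start_redirect "$(fetch "https://$host/oauth2/start" "$@")" "https://$host/oauth2/callback"
  # reverse_proxy = true makes OAuth2 Proxy trust X-Forwarded-* headers, so it must be
  # reachable only through nginx: a direct connection to 4180 should be refused or time out.
  if curl -s -o /dev/null --connect-timeout 5 "http://$host:4180/ping"; then
    echo "FAIL OAuth2 Proxy answers on $host:4180; bind it to 127.0.0.1 and keep the port closed"
  else
    echo "PASS OAuth2 Proxy is not exposed on $host:4180"
  fi
}

if [ $# -ge 1 ]; then
  run_checks "$@"
fi
```

Run sh sso_check.sh example.com -k while the self-signed certificate is in use, and without -k once a CA-issued certificate is installed. The redirect_uri comparison is exact on purpose: the IdP only accepts the callback registered in Identity Hub, so a mismatch here is the usual cause of a failed sign-in. The last check is the one most often skipped: with reverse_proxy = true, OAuth2 Proxy believes X-Forwarded-* headers, so it must be unreachable except through nginx.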
