# Install oauth2_proxy with Homebrew, apk, MacPorts, Nix

Reverse proxy for authenticating users via OAuth 2 providers. Version 7.15.3 via Homebrew; verified 2026-07-04.

## Install

```sh
sudo av install brew:oauth2_proxy
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install oauth2_proxy
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install oauth2-proxy
```

  Evidence: MacPorts ports tree: security/oauth2-proxy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add oauth2-proxy
```

  Evidence: Alpine Linux edge package indexes: oauth2-proxy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#oauth2-proxy
```

  Evidence: nixpkgs package indexes: pkgs/by-name/oa/oauth2-proxy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:oauth2_proxy
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/oauth2_proxy>
- **Version:** 7.15.3
- **Source summary:** Reverse proxy for authenticating users via OAuth 2 providers
- **Homepage:** <https://oauth2-proxy.github.io/oauth2-proxy/>
- **Repository:** <https://github.com/oauth2-proxy/oauth2-proxy>
- **Upstream docs:** <https://oauth2-proxy.github.io/oauth2-proxy>
- **License:** MIT
- **Source archive:** <https://github.com/oauth2-proxy/oauth2-proxy/archive/refs/tags/v7.15.3.tar.gz>
- **Last updated:** 2026-07-04T09:21:03Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- oauth2-proxy (cli)
- oauth2-proxy (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Service: declared
- Caveats: $HOMEBREW_PREFIX/etc/oauth2-proxy/oauth2-proxy.cfg must be filled in.
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 7.15.3
- Package-manager updated: 2026-07-04
- Local data: ok
- Upstream repository: https://github.com/oauth2-proxy/oauth2-proxy
- Upstream latest detected: v7.15.3 (current)
## Project history and usage

OAuth2 Proxy is an authenticating reverse proxy and middleware component that protects web applications with OAuth2 and OpenID Connect login flows. It sits in front of applications that do not implement identity themselves and validates users by provider, email, domain, group, and related identity attributes.

### Project history

The project descends from Bitly's oauth2_proxy. The maintained repository was forked from bitly/OAuth2_Proxy on November 27, 2018, with v3.0.0 and later coming from the fork. On March 29, 2020, the project moved from pusher/oauth2_proxy to oauth2-proxy/oauth2-proxy, and the binary naming and container image paths followed that rename.

### Adoption history

OAuth2 Proxy became a common cloud-native building block because it lets teams add SSO in front of dashboards, admin apps, APIs, and legacy services without modifying the upstream application. CNCF lists OAuth2 Proxy as a Sandbox project accepted on October 2, 2025, which reflects its role as shared identity infrastructure rather than a single-vendor utility.

### How it is used

Operators deploy oauth2-proxy as a standalone reverse proxy or as an auth middleware integrated with Nginx auth_request, Kubernetes ingress-nginx, Traefik ForwardAuth, Envoy, and similar reverse-proxy stacks. It redirects unauthenticated users to providers such as Google, GitHub, Microsoft Entra ID, login.gov, or a generic OIDC provider, then forwards identity and token information to upstream services through headers when configured.

The project ships compiled binaries, container images, nightly images, and package-manager formulas. Configuration normally combines provider credentials, cookie/session settings, upstream routes, and reverse-proxy headers; larger OIDC sessions can use Redis-backed session storage.

### Why package nerds care

OAuth2 Proxy is significant because it packages identity as a proxy executable: one binary can retrofit OAuth2/OIDC authentication onto applications, Kubernetes ingresses, and internal tools. Its history also mirrors open-source operations reality: a vendor-originated project, a community fork, an organizational rename, and eventual CNCF Sandbox governance.

### Timeline

- 2017-09-29: oauth2-proxy/oauth2-proxy repository record was created on GitHub.
- 2018-11-27: The maintained repository forked from bitly/OAuth2_Proxy.
- 2020-03-29: The project was renamed from pusher/oauth2_proxy to oauth2-proxy/oauth2-proxy.
- 2025-10-02: CNCF accepted OAuth2 Proxy at Sandbox maturity.
- 2026-06-09: GitHub release v7.15.3 was published.

### Related projects

- OAuth2 Proxy is commonly paired with Nginx, ingress-nginx, Traefik, Envoy-style reverse proxies, Kubernetes, Redis session storage, and external identity providers. Related identity-layer projects include Dex, Pomerium, Authelia, Ory Oathkeeper, and cloud-provider access proxies.

### Sources

- <https://api.github.com/repos/oauth2-proxy/oauth2-proxy>
- <https://formulae.brew.sh/formula/oauth2_proxy>
- <https://github.com/bitly/oauth2_proxy>
- <https://github.com/cncf/sandbox/issues/397>
- <https://github.com/oauth2-proxy/oauth2-proxy>
- <https://github.com/oauth2-proxy/oauth2-proxy/releases>
- <https://oauth2-proxy.github.io/oauth2-proxy/>
- <https://oauth2-proxy.github.io/oauth2-proxy/configuration/integration/>
- <https://www.cncf.io/projects/oauth2-proxy/>


## Security Notes

formula declares a Homebrew service.

- **Geiger risk:** orange / medium
- formula declares a Homebrew service


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /etc/oauth2-proxy.cfg
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** oauth2_proxy
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - oauth2-proxy: normalized package name match | nixpkgs package indexes: pkgs/by-name/oa/oauth2-proxy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - oauth2-proxy - 7.15.2-r1: normalized package name match | Alpine Linux edge package indexes: oauth2-proxy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers | https://oauth2-proxy.github.io/oauth2-proxy
- apk - oauth2-proxy-openrc - 7.15.2-r1: normalized package name match | Alpine Linux edge package indexes: oauth2-proxy-openrc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers (OpenRC init scripts) | https://oauth2-proxy.github.io/oauth2-proxy
- MacPorts - oauth2-proxy: normalized package name match | MacPorts ports tree: security/oauth2-proxy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [pocket-id](https://www.automicvault.com/pkg/brew/pocket-id/) - Shares av.db curated category or tags: authentication, cli, identity-provider, oidc, security.
- [cyrus-sasl](https://www.automicvault.com/pkg/brew/cyrus-sasl/) - Shares av.db curated category or tags: authentication, cli, security.
- [google-authenticator-libpam](https://www.automicvault.com/pkg/brew/google-authenticator-libpam/) - Shares av.db curated category or tags: authentication, cli, security.
- [krb5](https://www.automicvault.com/pkg/brew/krb5/) - Shares av.db curated category or tags: authentication, cli, security.
- [linux-pam](https://www.automicvault.com/pkg/brew/linux-pam/) - Shares av.db curated category or tags: authentication, cli, security.
- [oath-toolkit](https://www.automicvault.com/pkg/brew/oath-toolkit/) - Shares av.db curated category or tags: authentication, cli, security.
- [stoken](https://www.automicvault.com/pkg/brew/stoken/) - Shares av.db curated category or tags: authentication, cli, security.
- [dexidp](https://www.automicvault.com/pkg/brew/dexidp/) - Shares av.db curated category or tags: authentication, cli, identity-provider, oauth2, security.
- [saml2aws](https://www.automicvault.com/pkg/brew/saml2aws/) - Security-sensitive metadata or terminology overlaps. Shared terms: authentication, cli, identity, identity-provider, provider.

## Combined YAML source

View the package source record on GitHub. [combined/oauth2_proxy.yml](https://github.com/automic-vault/db/blob/main/combined/oauth2_proxy.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
