Create an OAuth-protected share
Once you've configured auth providers in your Frontdoor, you can protect shares by specifying an auth provider when creating the share.
When creating a share through the REST API, specify the auth provider:
    curl -X POST "https://api.netfoundry.io/frontdoor/{frontdoorId}/shares" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer <your-api-token>" \
      -d '{
        "name": "protected-app",
        "frontendId": "{customFrontendId}",
        "environmentId": "{environmentId}",
        "target": "http://localhost:8080",
        "authProviderId": "{authProviderId}",
        "emailPatterns": ["*@example.com", "admin@*"]
      }'
See the Share API Guide for more details.
Email pattern restrictions
Use the emailPatterns array to restrict access to users whose email addresses match specific patterns. You can allow any user with a
specific domain using *@example.com, permit users with emails starting with a specific prefix using admin@*, or restrict access to only
a specific email address using user@company.org.
HTTP headers for proxied requests
When Frontdoor successfully authenticates a user via OAuth, it automatically adds authentication headers to all proxied requests sent to your backend application. These headers allow your application to identify the authenticated user and make authorization decisions.
Authentication headers
Frontdoor sets the following HTTP headers on every proxied request after successful OAuth authentication:
- zrok-auth-provider: the name of the OAuth provider used for authentication, such as google-auth or github-corp.
- zrok-auth-email: the authenticated user's email address, as provided by the OAuth provider.
- zrok-auth-expires: the timestamp when the authentication session will expire, formatted as RFC3339, such as 2024-01-15T14:30:00Z.
Security considerations
These headers are only present when requests come through Frontdoor's OAuth-protected Custom Frontend; direct access to your backend
would not include them. Your application should validate that these headers are present when OAuth protection is expected, and can use
the zrok-auth-expires header to implement client-side session warnings or automatic logout.
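
One way a backend could act on these headers, as an added example that is not NetFoundry's or zrok's own code: it rejects requests missing any of the three headers, re-checks the email against the share's patterns, and parses zrok-auth-expires. The `*` matching semantics, the pattern list and the function names are assumptions, and the check presumes the backend is reachable only through Frontdoor.

```python
import re
from datetime import datetime, timezone

# Assumption: the same values passed as emailPatterns when the share was created.
ALLOWED_PATTERNS = ["*@example.com", "admin@*"]
REQUIRED = ("zrok-auth-provider", "zrok-auth-email", "zrok-auth-expires")


def email_allowed(email, patterns):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, email.lower()):
            return True
    return False


def check_frontdoor_headers(headers, now=None, patterns=ALLOWED_PATTERNS):
    """Return (ok, reason, identity) for the headers of one proxied request."""
    now = now or datetime.now(timezone.utc)
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in REQUIRED if not h.get(name)]
    if missing:
        return False, "missing " + ", ".join(missing), None
    email = h["zrok-auth-email"]
    if email.count("@") != 1 or not email_allowed(email, patterns):
        return False, "email not allowed", None
    try:
        # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
        expires = datetime.fromisoformat(h["zrok-auth-expires"].replace("Z", "+00:00"))
    except ValueError:
        return False, "bad zrok-auth-expires", None
    if expires.tzinfo is None:
        return False, "bad zrok-auth-expires", None
    if expires <= now:
        return False, "session expired", None
    identity = {"provider": h["zrok-auth-provider"], "email": email.lower(),
                "seconds_left": int((expires - now).total_seconds())}
    return True, "ok", identity


if __name__ == "__main__":
    # Constructed sample request headers, not captured from a real deployment.
    sample = {"Zrok-Auth-Provider": "google-auth",
              "Zrok-Auth-Email": "alice@example.com",
              "Zrok-Auth-Expires": "2099-01-15T14:30:00Z"}
    print(check_frontdoor_headers(sample))
    print(check_frontdoor_headers({"Host": "localhost:8080"}))
```

The `seconds_left` value in the returned identity is what an application would use to drive a session warning before the expiry in zrok-auth-expires is reached.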