chore: extend test cases for oidc provider and documentation regarding implicit setting of the groups scope when no scope was specified in the config
Co-authored-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
parent
2fd2f8c63d
commit
05b91f310a
@ -14,6 +14,7 @@
|
||||
- [#2300](https://github.com/oauth2-proxy/oauth2-proxy/pull/2300) Add fix for websocket path rewrite (@rekup)
|
||||
- [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header (@ondrejsika)
|
||||
- [#2620](https://github.com/oauth2-proxy/oauth2-proxy/pull/2620) fix: update code_verifier to use recommended method (@vishvananda)
|
||||
- [#2392](https://github.com/oauth2-proxy/oauth2-proxy/pull/2392) chore: extend test cases for oidc provider and documentation regarding implicit setting of the groups scope when no scope was specified in the config (@jjlakis / @tuunit)
|
||||
|
||||
# V7.7.1
|
||||
|
||||
|
@ -76,9 +76,9 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
|
||||
Provider specific options can be found on their respective subpages.
|
||||
|
||||
| Flag / Config Field | Type | Description | Default |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| flag: `--acr-values`<br/>toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
|
||||
| flag: `--approval-prompt`<br/>toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
|
||||
| flag: `--backend-logout-url`<br/>toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
|
||||
| flag: `--client-id`<br/>toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
|
||||
@ -104,7 +104,7 @@ Provider specific options can be found on their respective subpages.
|
||||
| flag: `--provider`<br/>toml: `provider` | string | OAuth provider | google |
|
||||
| flag: `--pubjwk-url`<br/>toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
|
||||
| flag: `--redeem-url`<br/>toml: `redeem_url` | string | Token redemption endpoint | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
|
||||
| flag: `--skip-claims-from-profile-url`<br/>toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
|
||||
| flag: `--skip-oidc-discovery`<br/>toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
|
||||
| flag: `--use-system-trust-store`<br/>toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
|
||||
|
@ -76,9 +76,9 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
|
||||
Provider specific options can be found on their respective subpages.
|
||||
|
||||
| Flag / Config Field | Type | Description | Default |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| flag: `--acr-values`<br/>toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
|
||||
| flag: `--approval-prompt`<br/>toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
|
||||
| flag: `--backend-logout-url`<br/>toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
|
||||
| flag: `--client-id`<br/>toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
|
||||
@ -104,7 +104,7 @@ Provider specific options can be found on their respective subpages.
|
||||
| flag: `--provider`<br/>toml: `provider` | string | OAuth provider | google |
|
||||
| flag: `--pubjwk-url`<br/>toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
|
||||
| flag: `--redeem-url`<br/>toml: `redeem_url` | string | Token redemption endpoint | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
|
||||
| flag: `--skip-claims-from-profile-url`<br/>toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
|
||||
| flag: `--skip-oidc-discovery`<br/>toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
|
||||
| flag: `--use-system-trust-store`<br/>toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
|
||||
|
@ -76,9 +76,9 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
|
||||
Provider specific options can be found on their respective subpages.
|
||||
|
||||
| Flag / Config Field | Type | Description | Default |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| flag: `--acr-values`<br/>toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
|
||||
| flag: `--allowed-group`<br/>toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
|
||||
| flag: `--approval-prompt`<br/>toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
|
||||
| flag: `--backend-logout-url`<br/>toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
|
||||
| flag: `--client-id`<br/>toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
|
||||
@ -104,7 +104,7 @@ Provider specific options can be found on their respective subpages.
|
||||
| flag: `--provider`<br/>toml: `provider` | string | OAuth provider | google |
|
||||
| flag: `--pubjwk-url`<br/>toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
|
||||
| flag: `--redeem-url`<br/>toml: `redeem_url` | string | Token redemption endpoint | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification | |
|
||||
| flag: `--scope`<br/>toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
|
||||
| flag: `--skip-claims-from-profile-url`<br/>toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
|
||||
| flag: `--skip-oidc-discovery`<br/>toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
|
||||
| flag: `--use-system-trust-store`<br/>toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
|
||||
|
@ -137,12 +137,32 @@ func TestScope(t *testing.T) {
|
||||
expectedScope: "openid email profile",
|
||||
},
|
||||
{
|
||||
name: "oidc: with no scope provided and groups",
|
||||
name: "oidc: with no scope provided and allowed groups",
|
||||
configuredType: "oidc",
|
||||
configuredScope: "",
|
||||
expectedScope: "openid email profile groups",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
{
|
||||
name: "oidc: with custom scope including groups without allowed groups",
|
||||
configuredType: "oidc",
|
||||
configuredScope: "myscope groups",
|
||||
expectedScope: "myscope groups",
|
||||
},
|
||||
{
|
||||
name: "oidc: with custom scope without groups but allowed groups",
|
||||
configuredType: "oidc",
|
||||
configuredScope: "myscope",
|
||||
expectedScope: "myscope",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
{
|
||||
name: "oidc: with custom scope with groups and allowed groups",
|
||||
configuredType: "oidc",
|
||||
configuredScope: "myscope groups",
|
||||
expectedScope: "myscope groups",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
{
|
||||
name: "oidc: with a configured scope provided",
|
||||
configuredType: "oidc",
|
||||
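Review bot: The case `name: "oidc: with custom scope without groups but allowed groups"` pins that an explicitly configured scope is used verbatim and `groups` is not appended even though `allowedGroups` is set, which is the one combination where a group restriction is configured without the matching scope ever being requested; a short comment on that case would keep the intent from being read as an oversight, e.g. `// explicit scope wins: allowedGroups only injects "groups" when no scope is configured (see --allowed-group docs)`. The same comment fits the keycloak counterpart `name: "keycloak: with custom scope and groups"` in the next hunk, which asserts the same `expectedScope: "myscope"`. TestScope begins before this hunk and ends after it.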
@ -161,6 +181,27 @@ func TestScope(t *testing.T) {
|
||||
configuredScope: "read:user read:org",
|
||||
expectedScope: "read:user read:org",
|
||||
},
|
||||
{
|
||||
name: "keycloak: with no scope provided and groups",
|
||||
configuredType: "keycloak-oidc",
|
||||
configuredScope: "",
|
||||
expectedScope: "openid email profile groups",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
{
|
||||
name: "keycloak: with custom scope and groups",
|
||||
configuredType: "keycloak-oidc",
|
||||
configuredScope: "myscope",
|
||||
expectedScope: "myscope",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
{
|
||||
name: "keycloak: with custom scope and groups scope",
|
||||
configuredType: "keycloak-oidc",
|
||||
configuredScope: "myscope groups",
|
||||
expectedScope: "myscope groups",
|
||||
allowedGroups: []string{"foo"},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
|
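Review bot: The three new keycloak case names `name: "keycloak: with no scope provided and groups"`, `name: "keycloak: with custom scope and groups"` and `name: "keycloak: with custom scope and groups scope"` keep the ambiguous "and groups" wording that this same commit replaces in the oidc counterpart (`name: "oidc: with no scope provided and allowed groups"`), so the name alone does not say whether "groups" means `allowedGroups` or the `groups` scope. Naming them like the oidc set — `"keycloak: with no scope provided and allowed groups"`, `"keycloak: with custom scope without groups but allowed groups"`, `"keycloak: with custom scope with groups and allowed groups"` — makes a failing subtest self-explanatory. TestScope starts before this hunk.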