diff --git a/pkg/apis/options/header.go b/pkg/apis/options/header.go index a47e8a952..a35955082 100644 --- a/pkg/apis/options/header.go +++ b/pkg/apis/options/header.go @@ -2,6 +2,11 @@ package options import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr" +const ( + // DefaultHeaderPreserveRequestValue is the default value for Header.PreserveRequestValue + DefaultHeaderPreserveRequestValue bool = false +) + // Header represents an individual header that will be added to a request or // response header. type Header struct { @@ -59,7 +64,7 @@ type ClaimSource struct { // EnsureDefaults sets any default values for Header fields. func (h *Header) EnsureDefaults() { if h.PreserveRequestValue == nil { - h.PreserveRequestValue = ptr.Ptr(false) + h.PreserveRequestValue = ptr.Ptr(DefaultHeaderPreserveRequestValue) } for i := range h.Values { h.Values[i].EnsureDefaults() diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go index ed836656f..e8c392269 100644 --- a/pkg/apis/options/providers.go +++ b/pkg/apis/options/providers.go 
@@ -4,10 +4,46 @@ import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr" const ( // OIDCEmailClaim is the generic email claim used by the OIDC provider. - OIDCEmailClaim = "email" + OIDCEmailClaim string = "email" // OIDCGroupsClaim is the generic groups claim used by the OIDC provider. - OIDCGroupsClaim = "groups" + OIDCGroupsClaim string = "groups" + + // DefaultSkipDiscovery is the default value + // for OIDCOptions.SkipDiscovery + DefaultSkipDiscovery bool = false + + // DefaultInsecureSkipNonce is the default value + // for OIDCOptions.InsecureSkipNonce + DefaultInsecureSkipNonce bool = true + + // DefaultInsecureAllowUnverifiedEmail is the default value + // for OIDCOptions.InsecureAllowUnverifiedEmail + DefaultInsecureAllowUnverifiedEmail bool = false + + // DefaultInsecureSkipIssuerVerification is the default value + // for OIDCOptions.InsecureSkipIssuerVerification + DefaultInsecureSkipIssuerVerification bool = false + + // DefaultSkipClaimsFromProfileURL is the default value + // for Provider.SkipClaimsFromProfileURL + DefaultSkipClaimsFromProfileURL bool = false + + // DefaultADFSSkipScope is the default value + // for ADFSOptions.SkipScope + DefaultADFSSkipScope bool = false + + // DefaultMicrosoftEntraIDUseFederatedToken is the default value + // for MicrosoftEntraIDOptions.FederatedTokenAuth + DefaultMicrosoftEntraIDUseFederatedToken bool = false + + // DefaultGoogleUseApplicationDefaultCredentials is the default values + // for GoogleOptions.UseApplicationDefaultCredentials + DefaultUseApplicationDefaultCredentials bool = false + + // DefaultUseSystemTrustStore is the default value + // for Provider.UseSystemTrustStore + DefaultUseSystemTrustStore bool = true ) // OIDCAudienceClaims is the generic audience claim list used by the OIDC provider. 
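Review bot: The doc comment on `DefaultUseApplicationDefaultCredentials` names a different identifier (`DefaultGoogleUseApplicationDefaultCredentials`) and says "default values", so it breaks the convention that an exported name's comment starts with that name; change it to `// DefaultUseApplicationDefaultCredentials is the default value` / `// for GoogleOptions.UseApplicationDefaultCredentials`. `DefaultMicrosoftEntraIDUseFederatedToken` likewise documents a field called `FederatedTokenAuth`; a name mirroring the field (for example `DefaultMicrosoftEntraIDFederatedTokenAuth`) would make the mapping obvious before it is frozen as exported API. `DefaultInsecureSkipNonce` is the one security-sensitive constant in this block whose default is `true`, and its comment should say that plainly, e.g. `// DefaultInsecureSkipNonce is the default value for OIDCOptions.InsecureSkipNonce; it is true, so the nonce check is skipped unless a deployment turns it on.`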
@@ -298,9 +334,9 @@ func providerDefaults() Providers { Tenant: "common", }, OIDCConfig: OIDCOptions{ - InsecureAllowUnverifiedEmail: ptr.Ptr(false), - InsecureSkipNonce: ptr.Ptr(true), - SkipDiscovery: ptr.Ptr(false), + InsecureAllowUnverifiedEmail: ptr.Ptr(DefaultInsecureAllowUnverifiedEmail), + InsecureSkipNonce: ptr.Ptr(DefaultInsecureSkipNonce), + SkipDiscovery: ptr.Ptr(DefaultSkipDiscovery), UserIDClaim: OIDCEmailClaim, // Deprecated: Use OIDCEmailClaim EmailClaim: OIDCEmailClaim, GroupsClaim: OIDCGroupsClaim, @@ -322,10 +358,10 @@ func (p Providers) EnsureDefaults() { // EnsureDefaults sets any default values for Provider fields. func (p *Provider) EnsureDefaults() { if p.SkipClaimsFromProfileURL == nil { - p.SkipClaimsFromProfileURL = ptr.Ptr(false) + p.SkipClaimsFromProfileURL = ptr.Ptr(DefaultSkipClaimsFromProfileURL) } if p.UseSystemTrustStore == nil { - p.UseSystemTrustStore = ptr.Ptr(true) + p.UseSystemTrustStore = ptr.Ptr(DefaultUseSystemTrustStore) } p.OIDCConfig.EnsureDefaults() @@ -338,13 +374,13 @@ func (p *Provider) EnsureDefaults() { func (o *OIDCOptions) EnsureDefaults() { // Ensure OIDC defaults if o.InsecureAllowUnverifiedEmail == nil { - o.InsecureAllowUnverifiedEmail = ptr.Ptr(false) + o.InsecureAllowUnverifiedEmail = ptr.Ptr(DefaultInsecureAllowUnverifiedEmail) } if o.InsecureSkipNonce == nil { - o.InsecureSkipNonce = ptr.Ptr(true) + o.InsecureSkipNonce = ptr.Ptr(DefaultInsecureSkipNonce) } if o.SkipDiscovery == nil { - o.SkipDiscovery = ptr.Ptr(false) + o.SkipDiscovery = ptr.Ptr(DefaultSkipDiscovery) } if o.UserIDClaim == "" { o.UserIDClaim = OIDCEmailClaim 
@@ -363,20 +399,20 @@ func (o *OIDCOptions) EnsureDefaults() { // EnsureDefaults sets any default values for MicrosoftEntraIDOptions fields. func (me *MicrosoftEntraIDOptions) EnsureDefaults() { if me.FederatedTokenAuth == nil { - me.FederatedTokenAuth = ptr.Ptr(false) + me.FederatedTokenAuth = ptr.Ptr(DefaultMicrosoftEntraIDUseFederatedToken) } } // EnsureDefaults sets any default values for ADFSOptions fields. func (a *ADFSOptions) EnsureDefaults() { if a.SkipScope == nil { - a.SkipScope = ptr.Ptr(false) + a.SkipScope = ptr.Ptr(DefaultADFSSkipScope) } } // EnsureDefaults sets any default values for GoogleOptions fields. func (g *GoogleOptions) EnsureDefaults() { if g.UseApplicationDefaultCredentials == nil { - g.UseApplicationDefaultCredentials = ptr.Ptr(false) + g.UseApplicationDefaultCredentials = ptr.Ptr(DefaultUseApplicationDefaultCredentials) } } diff --git a/pkg/apis/options/upstreams.go b/pkg/apis/options/upstreams.go index 05c12e033..f69fec90d 100644 --- a/pkg/apis/options/upstreams.go +++ b/pkg/apis/options/upstreams.go @@ -1,6 +1,7 @@ package options import ( + "net/http" "time" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr" 
@@ -8,10 +9,31 @@ import ( const ( // DefaultUpstreamFlushInterval is the default value for the Upstream FlushInterval. - DefaultUpstreamFlushInterval = 1 * time.Second + DefaultUpstreamFlushInterval time.Duration = 1 * time.Second // DefaultUpstreamTimeout is the maximum duration a network dial to a upstream server for a response. - DefaultUpstreamTimeout = 30 * time.Second + DefaultUpstreamTimeout time.Duration = 30 * time.Second + + // DefaultUpstreamStatic determines if upstreams are static by default. + DefaultUpstreamStatic bool = false + + // DefaultUpstreamStaticCode is the default response code for static upstreams. + DefaultUpstreamStaticCode int = http.StatusOK // 200 + + // DefaultUpstreamProxyRawPath determines if upstreams will proxy the raw url path by default. + DefaultUpstreamProxyRawPath bool = false + + // DefaultUpstreamInsecureSkipTLSVerify determines if upstreams will skip TLS verification by default. + DefaultUpsteamInsecureSkipTLSVerify bool = false + + // DefaultUpstreamPassHostHeader determines if upstreams will pass the host header by default. + DefaultUpstreamPassHostHeader bool = true + + // DefaultUpstreamProxyWebSockets determines if upstreams will proxy websockets by default. + DefaultUpstreamProxyWebSockets bool = true + + // DefaultUpstreamDisableKeepAlives determines if upstreams will disable keep-alives by default. + DefaultUpstreamDisableKeepAlives bool = false ) // UpstreamConfig is a collection of definitions for upstream servers. @@ -106,7 +128,7 @@ type Upstream struct { // EnsureDefaults sets any default values for UpstreamConfig fields. func (uc *UpstreamConfig) EnsureDefaults() { if uc.ProxyRawPath == nil { - uc.ProxyRawPath = ptr.Ptr(false) + uc.ProxyRawPath = ptr.Ptr(DefaultUpstreamProxyRawPath) } for i := range uc.Upstreams { uc.Upstreams[i].EnsureDefaults() 
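Review bot: `DefaultUpsteamInsecureSkipTLSVerify` is misspelled (the `r` in Upstream is missing) while its own doc comment names `DefaultUpstreamInsecureSkipTLSVerify`; since it is exported from pkg/apis/options, renaming it after merge is an API break, so fix it now. The same misspelled identifier is referenced in `Upstream.EnsureDefaults` in this file, in `newReverseProxy` in pkg/upstream/http.go and in `validateStaticUpstream` in pkg/validation/upstreams.go. Separately, the trailing `// 200` on `DefaultUpstreamStaticCode int = http.StatusOK` only restates the constant and can be dropped.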
@@ -116,24 +138,24 @@ func (uc *UpstreamConfig) EnsureDefaults() { // EnsureDefaults sets any default values for Upstream fields. func (u *Upstream) EnsureDefaults() { if u.InsecureSkipTLSVerify == nil { - u.InsecureSkipTLSVerify = ptr.Ptr(false) + u.InsecureSkipTLSVerify = ptr.Ptr(DefaultUpsteamInsecureSkipTLSVerify) } if u.Static == nil { - u.Static = ptr.Ptr(false) + u.Static = ptr.Ptr(DefaultUpstreamStatic) } if u.FlushInterval == nil { u.FlushInterval = ptr.Ptr(DefaultUpstreamFlushInterval) } if u.PassHostHeader == nil { - u.PassHostHeader = ptr.Ptr(true) + u.PassHostHeader = ptr.Ptr(DefaultUpstreamPassHostHeader) } if u.ProxyWebSockets == nil { - u.ProxyWebSockets = ptr.Ptr(true) + u.ProxyWebSockets = ptr.Ptr(DefaultUpstreamProxyWebSockets) } if u.Timeout == nil { u.Timeout = ptr.Ptr(DefaultUpstreamTimeout) } if u.DisableKeepAlives == nil { - u.DisableKeepAlives = ptr.Ptr(false) + u.DisableKeepAlives = ptr.Ptr(DefaultUpstreamDisableKeepAlives) } } diff --git a/pkg/middleware/headers.go b/pkg/middleware/headers.go index ed82a30b0..b567f4f5b 100644 --- a/pkg/middleware/headers.go +++ b/pkg/middleware/headers.go @@ -28,7 +28,7 @@ func NewRequestHeaderInjector(headers []options.Header) (alice.Constructor, erro func newStripHeaders(headers []options.Header) alice.Constructor { headersToStrip := []options.Header{} for _, header := range headers { - if !ptr.Deref(header.PreserveRequestValue, false) { + if !ptr.Deref(header.PreserveRequestValue, options.DefaultHeaderPreserveRequestValue) { headersToStrip = append(headersToStrip, header) } } diff --git a/pkg/upstream/http.go b/pkg/upstream/http.go index 9c33f96cd..e8283144c 100644 --- a/pkg/upstream/http.go +++ b/pkg/upstream/http.go 
@@ -54,7 +54,7 @@ func newHTTPUpstreamProxy(upstream options.Upstream, u *url.URL, sigData *option // Set up a WebSocket proxy if required var wsProxy http.Handler - if ptr.Deref(upstream.ProxyWebSockets, false) { + if ptr.Deref(upstream.ProxyWebSockets, options.DefaultUpstreamProxyWebSockets) { wsProxy = newWebSocketReverseProxy(u, upstream.InsecureSkipTLSVerify) } @@ -150,14 +150,14 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr // InsecureSkipVerify is a configurable option we allow /* #nosec G402 */ - if ptr.Deref(upstream.InsecureSkipTLSVerify, false) { + if ptr.Deref(upstream.InsecureSkipTLSVerify, options.DefaultUpsteamInsecureSkipTLSVerify) { transport.TLSClientConfig.InsecureSkipVerify = true } // Ensure we always pass the original request path setProxyDirector(proxy) - if !ptr.Deref(upstream.PassHostHeader, false) { + if !ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader) { setProxyUpstreamHostHeader(proxy, target) } @@ -169,7 +169,7 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr // Pass on DisableKeepAlives to the transport settings // to allow for disabling HTTP keep-alive connections - transport.DisableKeepAlives = ptr.Deref(upstream.DisableKeepAlives, false) + transport.DisableKeepAlives = ptr.Deref(upstream.DisableKeepAlives, options.DefaultUpstreamDisableKeepAlives) // Apply the customized transport to our proxy before returning it proxy.Transport = transport diff --git a/pkg/upstream/proxy.go b/pkg/upstream/proxy.go index acf24d1a5..af4d2e84e 100644 --- a/pkg/upstream/proxy.go +++ b/pkg/upstream/proxy.go 
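Review bot: The `PassHostHeader` and `ProxyWebSockets` fallbacks in `newHTTPUpstreamProxy` and `newReverseProxy` change meaning in these hunks: `ptr.Deref(..., false)` treated an unset field as off, but `DefaultUpstreamPassHostHeader` and `DefaultUpstreamProxyWebSockets` are both `true`, so a nil pointer now forwards the client's Host header unchanged and enables the WebSocket proxy. If `Upstream.EnsureDefaults` always runs before these constructors the difference is unobservable, but any caller that builds `options.Upstream` literals directly (tests, embedding users) will see different behavior; the commit message should state this, or the fallbacks should stay `false` if the old fail-closed behavior for unset fields was intended. Both enclosing functions start and end outside the hunks.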
@@ -28,12 +28,12 @@ func NewProxy(upstreams options.UpstreamConfig, sigData *options.SignatureData, serveMux: mux.NewRouter(), } - if ptr.Deref(upstreams.ProxyRawPath, false) { + if ptr.Deref(upstreams.ProxyRawPath, options.DefaultUpstreamProxyRawPath) { m.serveMux.UseEncodedPath() } for _, upstream := range sortByPathLongest(upstreams.Upstreams) { - if ptr.Deref(upstream.Static, false) { + if ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) { if err := m.registerStaticResponseHandler(upstream, writer); err != nil { return nil, fmt.Errorf("could not register static upstream %q: %v", upstream.ID, err) } @@ -75,7 +75,7 @@ func (m *multiUpstreamProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request // registerStaticResponseHandler registers a static response handler with at the given path. func (m *multiUpstreamProxy) registerStaticResponseHandler(upstream options.Upstream, writer pagewriter.Writer) error { - logger.Printf("mapping path %q => static response %d", upstream.Path, ptr.Deref(upstream.StaticCode, 200)) + logger.Printf("mapping path %q => static response %d", upstream.Path, ptr.Deref(upstream.StaticCode, options.DefaultUpstreamStaticCode)) return m.registerHandler(upstream, newStaticResponseHandler(upstream.ID, upstream.StaticCode), writer) } diff --git a/pkg/upstream/static.go b/pkg/upstream/static.go index d7d037bfd..6f002b8fe 100644 --- a/pkg/upstream/static.go +++ b/pkg/upstream/static.go @@ -5,6 +5,7 @@ import ( "net/http" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" + "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr" ) @@ -13,7 +14,7 @@ import ( // a static response code. func newStaticResponseHandler(upstream string, code *int) http.Handler { return &staticResponseHandler{ - code: ptr.Deref(code, 200), + code: ptr.Deref(code, options.DefaultUpstreamStaticCode), upstream: upstream, } } 
diff --git a/pkg/validation/options.go b/pkg/validation/options.go index ffb0accc0..13ce2e0bf 100644 --- a/pkg/validation/options.go +++ b/pkg/validation/options.go @@ -35,7 +35,7 @@ func Validate(o *options.Options) error { transport := requests.DefaultTransport.(*http.Transport) transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow } else if len(o.Providers[0].CAFiles) > 0 { - pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, false)) + pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, options.DefaultUseSystemTrustStore)) if err == nil { transport := requests.DefaultTransport.(*http.Transport) transport.TLSClientConfig = &tls.Config{ diff --git a/pkg/validation/providers.go b/pkg/validation/providers.go index 1acdee65a..9e62e98a4 100644 --- a/pkg/validation/providers.go +++ b/pkg/validation/providers.go @@ -65,7 +65,7 @@ func validateProvider(provider options.Provider, providerIDs map[string]struct{} // providerRequiresClientSecret checks if provider requires client secret to be set // or it can be omitted in favor of JWT token to authenticate oAuth client func providerRequiresClientSecret(provider options.Provider) bool { - if provider.Type == "entra-id" && ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, false) { + if provider.Type == "entra-id" && ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken) { return false } 
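Review bot: The `UseSystemTrustStore` fallback in `Validate` flips from `false` to `true` because `DefaultUseSystemTrustStore` is `true`: when `CAFiles` is set and the pointer is still nil, `util.GetCertPool` is now asked to merge the system roots into the provider trust pool instead of trusting only the listed CA files. That widens what the provider's TLS chain is accepted against, so it should be a deliberate choice; if `Provider.EnsureDefaults` is guaranteed to run before `Validate` the effective default was already `true`, but that ordering is not visible here. Either confirm it in the commit message or keep `false` at this call site to preserve the previous fail-closed behavior. `Validate` begins and ends outside the hunk.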
@@ -97,7 +97,7 @@ func validateGoogleConfig(provider options.Provider) []string { hasAdminEmail := provider.GoogleConfig.AdminEmail != "" hasSAJSON := provider.GoogleConfig.ServiceAccountJSON != "" - useADC := ptr.Deref(provider.GoogleConfig.UseApplicationDefaultCredentials, false) + useADC := ptr.Deref(provider.GoogleConfig.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) if !hasAdminEmail && !hasSAJSON && !useADC { return msgs @@ -124,7 +124,7 @@ func validateGoogleConfig(provider options.Provider) []string { func validateEntraConfig(provider options.Provider) []string { msgs := []string{} - if ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, false) { + if ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken) { federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE") if federatedTokenPath == "" { diff --git a/pkg/validation/upstreams.go b/pkg/validation/upstreams.go index 4c5376782..4c566659d 100644 --- a/pkg/validation/upstreams.go +++ b/pkg/validation/upstreams.go 
@@ -55,28 +55,28 @@ func validateUpstream(upstream options.Upstream, ids, paths map[string]struct{}) func validateStaticUpstream(upstream options.Upstream) []string { msgs := []string{} - if !ptr.Deref(upstream.Static, false) && upstream.StaticCode != nil { + if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) && upstream.StaticCode != nil { msgs = append(msgs, fmt.Sprintf("upstream %q has staticCode (%d), but is not a static upstream, set 'static' for a static response", upstream.ID, *upstream.StaticCode)) } // Checks after this only make sense when the upstream is static - if !ptr.Deref(upstream.Static, false) { + if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) { return msgs } if upstream.URI != "" { msgs = append(msgs, fmt.Sprintf("upstream %q has uri, but is a static upstream, this will have no effect.", upstream.ID)) } - if ptr.Deref(upstream.InsecureSkipTLSVerify, false) { + if ptr.Deref(upstream.InsecureSkipTLSVerify, options.DefaultUpsteamInsecureSkipTLSVerify) { msgs = append(msgs, fmt.Sprintf("upstream %q has insecureSkipTLSVerify, but is a static upstream, this will have no effect.", upstream.ID)) } if ptr.Deref(upstream.FlushInterval, options.DefaultUpstreamFlushInterval) != options.DefaultUpstreamFlushInterval { msgs = append(msgs, fmt.Sprintf("upstream %q has flushInterval, but is a static upstream, this will have no effect.", upstream.ID)) } - if ptr.Deref(upstream.PassHostHeader, false) { + if ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader) { msgs = append(msgs, fmt.Sprintf("upstream %q has passHostHeader, but is a static upstream, this will have no effect.", upstream.ID)) } - if ptr.Deref(upstream.ProxyWebSockets, false) { + if ptr.Deref(upstream.ProxyWebSockets, options.DefaultUpstreamProxyWebSockets) { msgs = append(msgs, fmt.Sprintf("upstream %q has proxyWebSockets, but is a static upstream, this will have no effect.", upstream.ID)) } 
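Review bot: In `validateStaticUpstream`, `ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader)` and the matching `ProxyWebSockets` check now evaluate to `true` for an unset field, because both defaults are `true`, so every static upstream that never set these options gets a "has passHostHeader, but is a static upstream" warning (and one that went through `EnsureDefaults` hits it regardless). The `FlushInterval` check in the same hunk already has the right shape, comparing the dereferenced value against its default, so the two boolean checks should do the same: `if ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader) != options.DefaultUpstreamPassHostHeader {` and `if ptr.Deref(upstream.ProxyWebSockets, options.DefaultUpstreamProxyWebSockets) != options.DefaultUpstreamProxyWebSockets {`. The function continues past the end of the hunk.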
@@ -86,13 +86,13 @@ func validateStaticUpstream(upstream options.Upstream) []string { func validateUpstreamURI(upstream options.Upstream) []string { msgs := []string{} - if !ptr.Deref(upstream.Static, false) && upstream.URI == "" { + if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) && upstream.URI == "" { msgs = append(msgs, fmt.Sprintf("upstream %q has empty uri: uris are required for all non-static upstreams", upstream.ID)) return msgs } // Checks after this only make sense the upstream is not static - if !ptr.Deref(upstream.Static, false) { + if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) { return msgs } diff --git a/providers/adfs.go b/providers/adfs.go index ebf91f71c..bc583df0b 100644 --- a/providers/adfs.go +++ b/providers/adfs.go @@ -51,7 +51,7 @@ func NewADFSProvider(p *ProviderData, opts options.Provider) *ADFSProvider { return &ADFSProvider{ OIDCProvider: oidcProvider, - skipScope: ptr.Deref(opts.ADFSConfig.SkipScope, false), + skipScope: ptr.Deref(opts.ADFSConfig.SkipScope, options.DefaultADFSSkipScope), oidcEnrichFunc: oidcProvider.EnrichSession, oidcRefreshFunc: oidcProvider.RefreshSession, } diff --git a/providers/adfs_test.go b/providers/adfs_test.go old mode 100755 new mode 100644 diff --git a/providers/google.go b/providers/google.go index ac38980f0..92d782247 100644 --- a/providers/google.go +++ b/providers/google.go @@ -109,7 +109,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv }, } - if opts.UseOrganizationID || opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, false) { + if opts.UseOrganizationID || opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) { // reuse admin service to avoid multiple calls for token var adminService *admin.Service 
@@ -132,7 +132,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv } } - if opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, false) { + if opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) { if adminService == nil { adminService = getAdminService(opts) } @@ -304,7 +304,7 @@ var possibleScopesList = [...]string{ } func getOauth2TokenSource(ctx context.Context, opts options.GoogleOptions, scope string) oauth2.TokenSource { - if ptr.Deref(opts.UseApplicationDefaultCredentials, false) { + if ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) { ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{ TargetPrincipal: getTargetPrincipal(ctx, opts), Scopes: strings.Split(scope, " "), diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go index 57c4fae19..f9445d69f 100644 --- a/providers/ms_entra_id.go +++ b/providers/ms_entra_id.go @@ -52,7 +52,7 @@ func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *Micros OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig), multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedTenants, - federatedTokenAuth: ptr.Deref(opts.MicrosoftEntraIDConfig.FederatedTokenAuth, false), + federatedTokenAuth: ptr.Deref(opts.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken), microsoftGraphURL: microsoftGraphURL, } } diff --git a/providers/oidc.go b/providers/oidc.go index 5e28039d3..b0be63bc7 100644 --- a/providers/oidc.go +++ b/providers/oidc.go @@ -51,7 +51,7 @@ func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider { return &OIDCProvider{ ProviderData: p, - SkipNonce: ptr.Deref(opts.InsecureSkipNonce, false), + SkipNonce: ptr.Deref(opts.InsecureSkipNonce, options.DefaultInsecureSkipNonce), } } 
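Review bot: `NewOIDCProvider` in providers/oidc.go now derives `SkipNonce` from `ptr.Deref(opts.InsecureSkipNonce, options.DefaultInsecureSkipNonce)`, and that constant is `true`, so an unset `InsecureSkipNonce` skips the OIDC nonce check where the previous line verified it. The nonce is the replay binding between the authorization request and the ID token, so the fallback for an absent value should be the safe one; `OIDCOptions.EnsureDefaults` already applies the `true` default for configured providers, which makes a `false` fallback here harmless on the normal path while keeping direct constructions of the provider fail-closed. Suggest `SkipNonce: ptr.Deref(opts.InsecureSkipNonce, false), // fail closed when defaults were not applied`, or at minimum a comment on this line stating that the fallback intentionally disables nonce verification.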
diff --git a/providers/providers.go b/providers/providers.go index 1c7ac652f..6af51ecf0 100644 --- a/providers/providers.go +++ b/providers/providers.go @@ -99,8 +99,8 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData, IssuerURL: providerConfig.OIDCConfig.IssuerURL, JWKsURL: providerConfig.OIDCConfig.JwksURL, PublicKeyFiles: providerConfig.OIDCConfig.PublicKeyFiles, - SkipDiscovery: ptr.Deref(providerConfig.OIDCConfig.SkipDiscovery, false), - SkipIssuerVerification: ptr.Deref(providerConfig.OIDCConfig.InsecureSkipIssuerVerification, false), + SkipDiscovery: ptr.Deref(providerConfig.OIDCConfig.SkipDiscovery, options.DefaultSkipDiscovery), + SkipIssuerVerification: ptr.Deref(providerConfig.OIDCConfig.InsecureSkipIssuerVerification, options.DefaultInsecureSkipIssuerVerification), }) if err != nil { return nil, fmt.Errorf("error building OIDC ProviderVerifier: %v", err) @@ -144,10 +144,10 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData, } // Make the OIDC options available to all providers that support it - p.AllowUnverifiedEmail = ptr.Deref(providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail, false) + p.AllowUnverifiedEmail = ptr.Deref(providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail, options.DefaultInsecureAllowUnverifiedEmail) p.EmailClaim = providerConfig.OIDCConfig.EmailClaim p.GroupsClaim = providerConfig.OIDCConfig.GroupsClaim - p.SkipClaimsFromProfileURL = ptr.Deref(providerConfig.SkipClaimsFromProfileURL, false) + p.SkipClaimsFromProfileURL = ptr.Deref(providerConfig.SkipClaimsFromProfileURL, options.DefaultSkipClaimsFromProfileURL) // Set PKCE enabled or disabled based on discovery and force options p.CodeChallengeMethod = parseCodeChallengeMethod(providerConfig)