Rename cookie-domain config to cookie-domains (#559)

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>

CHANGELOG.md

@@ -39,9 +39,14 @@
     reporting an invalid length of 20 or 28 when the user input cookie-secret was not that length.
   - Now we will only base64 decode a cookie-secret to raw bytes if it is 16, 24, or 32 bytes long. Otherwise, we will convert
     the direct cookie-secret to bytes without silent padding added.
+- [#412](https://github.com/oauth2-proxy/oauth2-proxy/pull/412)/[#559](https://github.com/oauth2-proxy/oauth2-proxy/pull/559) Allow multiple cookie domains to be specified
+  - Multiple cookie domains may now be configured. The longest domain that matches will be used.
+  - The config options `cookie_domain` is now `cookie_domains`
+  - The environment variable `OAUTH2_PROXY_COOKIE_DOMAIN` is now `OAUTH2_PROXY_COOKIE_DOMAINS`
 
 ## Changes since v5.1.1
 
+- [#559](https://github.com/oauth2-proxy/oauth2-proxy/pull/559) Rename cookie-domain config to cookie-domains (@JoelSpeed)
 - [#569](https://github.com/oauth2-proxy/oauth2-proxy/pull/569) Updated autocompletion for `--` long options. (@Izzette)
 - [#489](https://github.com/oauth2-proxy/oauth2-proxy/pull/489) Move Options and Validation to separate packages (@JoelSpeed)
 - [#556](https://github.com/oauth2-proxy/oauth2-proxy/pull/556) Remove unintentional auto-padding of secrets that were too short (@NickMeves)

contrib/local-environment/oauth2-proxy-nginx.cfg

@@ -8,5 +8,5 @@ client_id="oauth2-proxy"
 cookie_secure="false"
 
 redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
-cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
 whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.

contrib/oauth2-proxy.cfg.example

@@ -39,7 +39,7 @@
 # pass_user_headers = true
 ## pass the request Host Header to upstream
 ## when disabled the upstream Host is used as the Host Header
-# pass_host_header = true 
+# pass_host_header = true
 
 ## Email Domains to allow authentication for (this authorizes any email on this domain)
 ## for more granular authorization use `authenticated_emails_file`
@@ -80,13 +80,13 @@
 ## Expire   - (duration) expire timeframe for cookie
 ## Refresh  - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
 ##            Should be less than cookie_expire; set to 0 to disable.
-##            On refresh, OAuth token is re-validated. 
+##            On refresh, OAuth token is re-validated.
 ##            (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
 ## Secure   - secure cookies are only sent by the browser of a HTTPS connection (recommended)
 ## HttpOnly - httponly cookies are not readable by javascript (recommended)
 # cookie_name = "_oauth2_proxy"
 # cookie_secret = ""
-# cookie_domain = ""
+# cookie_domains = ""
 # cookie_expire = "168h"
 # cookie_refresh = ""
 # cookie_secure = true

pkg/apis/options/cookie.go

@@ -6,7 +6,7 @@ import "time"
 type CookieOptions struct {
 	Name     string        `flag:"cookie-name" cfg:"cookie_name"`
 	Secret   string        `flag:"cookie-secret" cfg:"cookie_secret"`
-	Domains  []string      `flag:"cookie-domain" cfg:"cookie_domain"`
+	Domains  []string      `flag:"cookie-domain" cfg:"cookie_domains"`
 	Path     string        `flag:"cookie-path" cfg:"cookie_path"`
 	Expire   time.Duration `flag:"cookie-expire" cfg:"cookie_expire"`
 	Refresh  time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh"`