diff --git a/CHANGELOG.md b/CHANGELOG.md
index d68787a3..73f91e9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,9 +39,14 @@
 reporting an invalid length of 20 or 28 when the user input cookie-secret was not that length.
 - Now we will only base64 decode a cookie-secret to raw bytes if it is 16, 24, or 32 bytes long.
 Otherwise, we will convert the direct cookie-secret to bytes without silent padding added.
+- [#412](https://github.com/oauth2-proxy/oauth2-proxy/pull/412)/[#559](https://github.com/oauth2-proxy/oauth2-proxy/pull/559) Allow multiple cookie domains to be specified
+ - Multiple cookie domains may now be configured. The longest domain that matches will be used.
+ - The config options `cookie_domain` is now `cookie_domains`
+ - The environment variable `OAUTH2_PROXY_COOKIE_DOMAIN` is now `OAUTH2_PROXY_COOKIE_DOMAINS`
 
 ## Changes since v5.1.1
 
+- [#559](https://github.com/oauth2-proxy/oauth2-proxy/pull/559) Rename cookie-domain config to cookie-domains (@JoelSpeed)
 - [#569](https://github.com/oauth2-proxy/oauth2-proxy/pull/569) Updated autocompletion for `--` long options. (@Izzette)
 - [#489](https://github.com/oauth2-proxy/oauth2-proxy/pull/489) Move Options and Validation to separate packages (@JoelSpeed)
 - [#556](https://github.com/oauth2-proxy/oauth2-proxy/pull/556) Remove unintentional auto-padding of secrets that were too short (@NickMeves)
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
index 6ba5623a..2258cce0 100644
--- a/contrib/local-environment/oauth2-proxy-nginx.cfg
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@@ -8,5 +8,5 @@
 client_id="oauth2-proxy"
 cookie_secure="false"
 redirect_url="http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback"
-cookie_domain=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
+cookie_domains=".oauth2-proxy.localhost" # Required so cookie can be read on all subdomains.
 whitelist_domains=".oauth2-proxy.localhost" # Required to allow redirection back to original requested target.
diff --git a/contrib/oauth2-proxy.cfg.example b/contrib/oauth2-proxy.cfg.example
index f521e000..5dd93fef 100644
--- a/contrib/oauth2-proxy.cfg.example
+++ b/contrib/oauth2-proxy.cfg.example
@@ -39,7 +39,7 @@
 # pass_user_headers = true
 ## pass the request Host Header to upstream
 ## when disabled the upstream Host is used as the Host Header
-# pass_host_header = true
+# pass_host_header = true
 
 ## Email Domains to allow authentication for (this authorizes any email on this domain)
 ## for more granular authorization use `authenticated_emails_file`
@@ -80,13 +80,13 @@
 ## Expire - (duration) expire timeframe for cookie
 ## Refresh - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
 ## Should be less than cookie_expire; set to 0 to disable.
-## On refresh, OAuth token is re-validated.
+## On refresh, OAuth token is re-validated.
 ## (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
 ## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended)
 ## HttpOnly - httponly cookies are not readable by javascript (recommended)
 # cookie_name = "_oauth2_proxy"
 # cookie_secret = ""
-# cookie_domain = ""
+# cookie_domains = ""
 # cookie_expire = "168h"
 # cookie_refresh = ""
 # cookie_secure = true
diff --git a/pkg/apis/options/cookie.go b/pkg/apis/options/cookie.go
index 71b4fb73..e3e18e0e 100644
--- a/pkg/apis/options/cookie.go
+++ b/pkg/apis/options/cookie.go
@@ -6,7 +6,7 @@ import "time"
 type CookieOptions struct {
 Name string `flag:"cookie-name" cfg:"cookie_name"`
 Secret string `flag:"cookie-secret" cfg:"cookie_secret"`
-Domains []string `flag:"cookie-domain" cfg:"cookie_domain"`
+Domains []string `flag:"cookie-domain" cfg:"cookie_domains"`
 Path string `flag:"cookie-path" cfg:"cookie_path"`
 Expire time.Duration `flag:"cookie-expire" cfg:"cookie_expire"`
 Refresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh"`
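Review bot: The Domains field now carries the cfg key `cookie_domains` while its flag tag stays `cookie-domain`, and nothing on the field records that asymmetry or that the old `cookie_domain` key is no longer read; a deployment that keeps `cookie_domain` in its config file ends up with whatever the loader does for an unknown key (rejection or a silently empty Domains — not visible from this hunk), which for a multi-subdomain setup changes where the session cookie is scoped. I would add a doc comment on the field: `// Domains lists the domains the session cookie may be set for; the longest one matching the request is used.` followed by `// Config key: cookie_domains (formerly cookie_domain). Flag: cookie-domain.` The example config in this same change still shows `cookie_domains = ""`, so the multi-value form for a []string is documented nowhere in the patch and belongs in that comment too. The CookieOptions struct continues past the end of the hunk.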