From fcecbeb13c64a4f599759f9ac9130098d3ca918f Mon Sep 17 00:00:00 2001
From: Braunson <5280764+braunsonm@users.noreply.github.com>
Date: Thu, 1 Sep 2022 05:58:43 -0400
Subject: [PATCH] Inconsistent code-challenge-method CLI flag and config file naming (#1766)

* Inconsistent code-challenge-method CLI flag and config file naming
- Allow previous config option for now to prevent breaking configs
Fixes #1667
* Add changelog entry
Co-authored-by: Joel Speed
---
 CHANGELOG.md | 6 ++++++
 docs/docs/configuration/alpha_config.md | 2 +-
 pkg/apis/options/legacy_options.go | 10 +++++++++-
 pkg/apis/options/providers.go | 4 ++--
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 94aeaae6..1fb39b70 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,10 +24,16 @@ N/A
 - [#1774](https://github.com/oauth2-proxy/oauth2-proxy/pull/1774) Fix vulnerabilities CVE-2022-27191, CVE-2021-44716 and CVE-2022-29526 + +- [#1667](https://github.com/oauth2-proxy/oauth2-proxy/issues/1667) Rename configuration file flag for PKCE +to remain consistent with CLI flags. You should specify `code_challenge_method` in your configuration instead of +`force_code_challenge_method`. + - [#1708](https://github.com/oauth2-proxy/oauth2-proxy/pull/1708) Enable different CSRF cookies per request (@miguelborges99) - Add flag "--cookie-csrf-per-request" which activates an algorithm to name CSRF cookies differently per request. This feature allows parallel callbacks and by default it is disabled. - Add flag "--cookie-csrf-expire" to define a different expiration time for the CSRF cookie. By default, it is 15 minutes. + # V7.3.0 ## Release Highlights
diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md
index f3fe9634..ce8357b4 100644
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@@ -419,7 +419,7 @@ Provider holds all configuration for a single provider
 | `validateURL` | _string_ | ValidateURL is the access token validation endpoint |
 | `scope` | _string_ | Scope is the OAuth scope specification |
 | `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
-| `force_code_challenge_method` | _string_ | The forced code challenge method |
+| `code_challenge_method` | _string_ | The code challenge method |
 
 ### ProviderType
 #### (`string` alias)
diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go
index b3e1f2b5..2be960f9 100644
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@@ -528,7 +528,9 @@ type LegacyProvider struct {
 JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file"`
 PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"`
 // PKCE Code Challenge method to use (either S256 or plain)
- CodeChallengeMethod string `flag:"code-challenge-method" cfg:"force_code_challenge_method"`
+ CodeChallengeMethod string `flag:"code-challenge-method" cfg:"code_challenge_method"`
+ // Provided for legacy reasons, to be dropped in newer version see #1667
+ ForceCodeChallengeMethod string `flag:"force-code-challenge-method" cfg:"force_code_challenge_method"`
 }
 
 func legacyProviderFlagSet() *pflag.FlagSet {
@@ -574,6 +576,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
 flagSet.String("prompt", "", "OIDC prompt")
 flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
 flagSet.String("code-challenge-method", "", "use PKCE code challenges with the specified method. Either 'plain' or 'S256'")
+ flagSet.String("force-code-challenge-method", "", "Deprecated - use --code-challenge-method")
 flagSet.String("acr-values", "", "acr values string: optional")
 flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
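Review bot: The comment on the new `ForceCodeChallengeMethod` field does not use Go's `// Deprecated:` convention, so staticcheck and editors will not flag code or configs that keep using it, and it does not state how it interacts with `CodeChallengeMethod`. Suggest `// Deprecated: use CodeChallengeMethod (cfg "code_challenge_method"); this value is only applied when CodeChallengeMethod is empty and will be removed, see #1667.` — the precedence rule is the one the commit implements in convert() further down. The comment above `CodeChallengeMethod` could likewise mention that the old cfg key `force_code_challenge_method` is still accepted through the field below, so a reader of the struct understands why both exist.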
@@ -665,6 +668,11 @@ func (l *LegacyProvider) convert() (Providers, error) {
 ExtraAudiences: l.OIDCExtraAudiences,
 }
 
+ // Support for legacy configuration option
+ if l.ForceCodeChallengeMethod != "" && l.CodeChallengeMethod == "" {
+ provider.CodeChallengeMethod = l.ForceCodeChallengeMethod
+ }
+
 // This part is out of the switch section because azure has a default tenant
 // that needs to be added from legacy options
 provider.AzureConfig = AzureOptions{
diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go
index 775ce618..c5d83c23 100644
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@@ -76,8 +76,8 @@ type Provider struct {
 Scope string `json:"scope,omitempty"`
 // AllowedGroups is a list of restrict logins to members of this group
 AllowedGroups []string `json:"allowedGroups,omitempty"`
- // The forced code challenge method
- CodeChallengeMethod string `json:"force_code_challenge_method,omitempty"`
+ // The code challenge method
+ CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
 }
 
 // ProviderType is used to enumerate the different provider type options
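Review bot: The legacy value is adopted silently: nothing tells the operator that `force_code_challenge_method` / `--force-code-challenge-method` is on its way out (#1667), and when both options are set to different values the legacy one is discarded without notice, so the PKCE method actually in use can differ from what the config file appears to request. Suggest emitting a deprecation warning whenever `l.ForceCodeChallengeMethod != ""` (using whatever logger this file already has in scope — the import block is outside the hunk) and a second warning for the conflicting case, e.g. a leading `// TODO(review): warn that force_code_challenge_method is deprecated (use code_challenge_method) before applying the fallback`. convert() starts before this hunk; the struct literal that builds `provider` is presumably where `l.CodeChallengeMethod` is copied across, but that line is not visible here.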
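Review bot: Unlike the `LegacyProvider` path, the alpha-config `Provider` gets no compatibility alias: the JSON tag changes from `force_code_challenge_method` to `code_challenge_method` and nothing reads the old key any more. If the alpha-config loader ignores unknown fields, an existing alpha config that still sets `force_code_challenge_method` silently loses PKCE for that provider; if it rejects unknown fields the proxy fails at startup, which is at least loud — which one applies is not visible from this hunk, so it is worth confirming and stating in the changelog entry, which currently reads as if the rename were only a config-file key change. If a transition period is wanted here too, a `// Deprecated:` sibling field `ForceCodeChallengeMethod` tagged `json:"force_code_challenge_method,omitempty"` with the same empty-only fallback rule as in convert() would mirror the legacy handling. The comment `// The code challenge method` could also name the accepted values as the legacy options comment does: `// CodeChallengeMethod is the PKCE code challenge method to use (either S256 or plain).`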