
Inconsistent code-challenge-method CLI flag and config file naming (#1766)

* Inconsistent code-challenge-method CLI flag and config file naming

- Allow previous config option for now to prevent breaking configs

Fixes #1667

* Add changelog entry

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Braunson
2022-09-01 05:58:43 -04:00
committed by GitHub
parent d19182c740
commit fcecbeb13c
4 changed files with 18 additions and 4 deletions


@ -24,10 +24,16 @@ N/A
- [#1774](https://github.com/oauth2-proxy/oauth2-proxy/pull/1774) Fix vulnerabilities CVE-2022-27191, CVE-2021-44716 and CVE-2022-29526 - [#1774](https://github.com/oauth2-proxy/oauth2-proxy/pull/1774) Fix vulnerabilities CVE-2022-27191, CVE-2021-44716 and CVE-2022-29526
- [#1667](https://github.com/oauth2-proxy/oauth2-proxy/issues/1667) Rename configuration file flag for PKCE
to remain consistent with CLI flags. You should specify `code_challenge_method` in your configuration instead of
`force_code_challenge_method`.
- [#1708](https://github.com/oauth2-proxy/oauth2-proxy/pull/1708) Enable different CSRF cookies per request (@miguelborges99) - [#1708](https://github.com/oauth2-proxy/oauth2-proxy/pull/1708) Enable different CSRF cookies per request (@miguelborges99)
- Add flag "--cookie-csrf-per-request" which activates an algorithm to name CSRF cookies differently per request. - Add flag "--cookie-csrf-per-request" which activates an algorithm to name CSRF cookies differently per request.
This feature allows parallel callbacks and by default it is disabled. This feature allows parallel callbacks and by default it is disabled.
- Add flag "--cookie-csrf-expire" to define a different expiration time for the CSRF cookie. By default, it is 15 minutes. - Add flag "--cookie-csrf-expire" to define a different expiration time for the CSRF cookie. By default, it is 15 minutes.
# V7.3.0 # V7.3.0
## Release Highlights ## Release Highlights


@ -419,7 +419,7 @@ Provider holds all configuration for a single provider
| `validateURL` | _string_ | ValidateURL is the access token validation endpoint | | `validateURL` | _string_ | ValidateURL is the access token validation endpoint |
| `scope` | _string_ | Scope is the OAuth scope specification | | `scope` | _string_ | Scope is the OAuth scope specification |
| `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group | | `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
| `force_code_challenge_method` | _string_ | The forced code challenge method | | `code_challenge_method` | _string_ | The code challenge method |
### ProviderType ### ProviderType
#### (`string` alias) #### (`string` alias)


@ -528,7 +528,9 @@ type LegacyProvider struct {
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file"` JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file"`
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"` PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"`
// PKCE Code Challenge method to use (either S256 or plain) // PKCE Code Challenge method to use (either S256 or plain)
CodeChallengeMethod string `flag:"code-challenge-method" cfg:"force_code_challenge_method"` CodeChallengeMethod string `flag:"code-challenge-method" cfg:"code_challenge_method"`
// Provided for legacy reasons, to be dropped in newer version see #1667
ForceCodeChallengeMethod string `flag:"force-code-challenge-method" cfg:"force_code_challenge_method"`
} }
func legacyProviderFlagSet() *pflag.FlagSet { func legacyProviderFlagSet() *pflag.FlagSet {
@ -574,6 +576,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
flagSet.String("prompt", "", "OIDC prompt") flagSet.String("prompt", "", "OIDC prompt")
flagSet.String("approval-prompt", "force", "OAuth approval_prompt") flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
flagSet.String("code-challenge-method", "", "use PKCE code challenges with the specified method. Either 'plain' or 'S256'") flagSet.String("code-challenge-method", "", "use PKCE code challenges with the specified method. Either 'plain' or 'S256'")
flagSet.String("force-code-challenge-method", "", "Deprecated - use --code-challenge-method")
flagSet.String("acr-values", "", "acr values string: optional") flagSet.String("acr-values", "", "acr values string: optional")
flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov") flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
@ -665,6 +668,11 @@ func (l *LegacyProvider) convert() (Providers, error) {
ExtraAudiences: l.OIDCExtraAudiences, ExtraAudiences: l.OIDCExtraAudiences,
} }
// Support for legacy configuration option
if l.ForceCodeChallengeMethod != "" && l.CodeChallengeMethod == "" {
provider.CodeChallengeMethod = l.ForceCodeChallengeMethod
}
// This part is out of the switch section because azure has a default tenant // This part is out of the switch section because azure has a default tenant
// that needs to be added from legacy options // that needs to be added from legacy options
provider.AzureConfig = AzureOptions{ provider.AzureConfig = AzureOptions{
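Review bot: The fallback in convert(), `if l.ForceCodeChallengeMethod != "" && l.CodeChallengeMethod == ""`, silently discards the deprecated value whenever both options are set, and emits no signal at all when only the deprecated one is used, even though the new flag help text calls it "Deprecated - use --code-challenge-method". A user who passes --force-code-challenge-method=S256 together with a differing --code-challenge-method gets a different PKCE method than the one they think they configured, with nothing in the logs to explain it. Consider logging a deprecation warning whenever l.ForceCodeChallengeMethod is non-empty, and rejecting conflicting settings since convert already returns an error, e.g. `if l.ForceCodeChallengeMethod != "" && l.CodeChallengeMethod != "" && l.ForceCodeChallengeMethod != l.CodeChallengeMethod { return nil, fmt.Errorf("force_code_challenge_method and code_challenge_method are set to different values") }` (the error constructor used elsewhere in this file is not visible here, so match whatever it imports). The body of convert() begins and ends outside this hunk, and the same silent-precedence point applies to the struct field added at the top of this file section, whose comment `// Provided for legacy reasons, to be dropped in newer version see #1667` could also say that it is only honoured when CodeChallengeMethod is empty.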


@ -76,8 +76,8 @@ type Provider struct {
Scope string `json:"scope,omitempty"` Scope string `json:"scope,omitempty"`
// AllowedGroups is a list of restrict logins to members of this group // AllowedGroups is a list of restrict logins to members of this group
AllowedGroups []string `json:"allowedGroups,omitempty"` AllowedGroups []string `json:"allowedGroups,omitempty"`
// The forced code challenge method // The code challenge method
CodeChallengeMethod string `json:"force_code_challenge_method,omitempty"` CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
} }
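Review bot: The Provider struct's tag changes from `force_code_challenge_method` to `code_challenge_method` with no compatibility field, unlike LegacyProvider in the previous file, so an alpha-config file that still uses the old key will have the value dropped and PKCE will silently not be applied for that provider (assuming the config decoder ignores unknown keys, which is not visible here). Suggest mirroring the LegacyProvider approach with a deprecated `ForceCodeChallengeMethod string` field tagged `json:"force_code_challenge_method,omitempty"` that is copied into CodeChallengeMethod when the latter is empty during loading, or having the loader reject unknown keys so the misconfiguration surfaces at startup instead of as a weaker authorization flow. The changelog entry in this commit tells users to rename the key but does not say the old key is now ignored in the alpha config; stating that explicitly would help. The new field comment `// The code challenge method` could also name the accepted values, matching the LegacyProvider comment: `// PKCE code challenge method to use (either S256 or plain)`.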
// ProviderType is used to enumerate the different provider type options // ProviderType is used to enumerate the different provider type options