mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-17 00:17:40 +02:00
Commit Graph

27 Commits

Author SHA1 Message Date
ce750e9b30 PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
which supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generator for code verifier

* Make PKCE opt-in, move to using the Nonce generator for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
dede6fd531 Fixing a typo, pointing to correct compose file (#1493)
Fixing a typo for the docker-compose-alpha-config.yaml
2021-12-29 19:50:36 +00:00
5515918436 Prepare changelog for release v7.2.1 2021-12-18 12:59:55 +00:00
976dc35805 Update CHANGELOG for v7.2.0 release 2021-10-22 18:11:26 +01:00
2dd4a9647a Update Changelog for release v7.1.3 2021-04-28 09:41:18 -07:00
42475c28f7 Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manually splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manually splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manually splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANGELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGELOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
fbe5743dd4 Update Changelog for release v7.1.2 2021-04-01 19:07:22 +01:00
46c3296330 Prepare for release v7.1.1 2021-03-28 19:25:46 +01:00
b0949a4efb Update changelog for v7.1.0 release 2021-03-25 17:21:08 +00:00
5788bebfee Add example local environment with traefik (#1091)
* Add example with traefik and keycloak

* Switch to dex

* Remove unneeded change in keycloak settings

* Taken into account review comments

* Add changelog entry

Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-03-22 13:55:25 +00:00
e87a51f0e5 Prepare for release v7.0.1 2021-02-10 18:25:39 +00:00
a909d33355 Update CHANGELOG for release v7.0.0 2021-02-01 18:05:44 +00:00
4fda907830 Fix and enhance OIDC example (#934)
* Fix and enhance OIDC example

* Restructure

* Indent

* Add full stop.

* Add link

* Add minimalistic README

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-12-19 15:48:33 +00:00
5b683a7631 Add local environment that uses alpha configuration 2020-12-01 08:56:50 +00:00
527c0c311c Use New Stable Chart URL
The existing URL no longer works. This commit updates the Chart
dependencies to use the new Stable chart URL.

This will fix the "Chart not found" errors that occur if these example
resources are used.

Please keep in mind this is only a bandaid, as the repository is still
EOL, and should not be used.
2020-11-23 11:45:34 -08:00
1337f56188 Prepare CHANGELOG for v6.1.1 release 2020-08-31 17:01:52 +01:00
43bf36425d Prepare changelog for v6.1.0 release 2020-08-27 15:08:46 +01:00
25154ede41 Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
88a8a70537 update k8s manifest 2020-06-19 22:33:40 -05:00
8bec67beb7 code review comments 2020-06-19 22:27:36 -05:00
84360114e2 polish 2020-06-17 19:18:52 -05:00
fa7855a99d get rid of test-connection pods for hello-world and httpbin 2020-06-16 16:59:56 -05:00
c85e5297b5 * some polish 2020-06-16 16:47:10 -05:00
43f214ce8b Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00
810a9e9967 Rename cookie-domain config to cookie-domains (#559)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-24 20:19:56 +01:00
afef9c7588 Add nginx test environment to demonstrate protecting multiple subdomains 2020-05-12 16:06:17 +01:00
0ccfc73ab2 Add test environment docker-compose files 2020-05-12 16:06:16 +01:00