* fix for github teams
* Update github.go
* added errorhandling
* Update github.md
* refactored GitHub provider
refactored hasOrg, hasOrgAndTeams and hasTeam into hasAccess to stay within function limit
* reverted Refactoring
* refactored github.go
- joined hasOrgAndTeamAccess into checkRestrictions
* refactored github.go
- reduced number of returns of function checkRestrictions to 4
* updated GitHub provider to accept legacy team ids
* GoFmt and golangci-lint
Formatted with GoFmt and followed recommendations of GoLint
* added Tests
added Tests for checkRestrictions.
* refactored in maintainer feedback
* Removed code, documentation and tests for legacy ids
* add changelog and update docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: use federated credentials to refresh token in entra id
* fix: add some error handling
* chore: update changelog
* chore: update comments
* chore: update comments
* doc: reference entra id docs and clearer phrasing of comments
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Update Go version in devcontainer
* Add option to change response mode in authorization request
* Fix option name
* Update docs and changelog
* Rename config value to underscore
* Add unit tests for added parameter
* Move change to upcoming release
* Generate alpha config
---------
Co-authored-by: Michael Cornel <michael@stieler.it>
* Microsoft Entra ID Provider
* fix typo in function name
* documentation tweaks
* documentation and comment tweak
* docs tweaks
* final tweaks
* refactor: drop flag for skipping graph groups
* update legacy / deprecated provider page and sort provider overview
* reformat
* move entra-id provider into switch (treat like every other provider
* fix test case and reformat
* fix sidebar configuration
* apply review suggestions
* add pagination for graph api
* fix: do not error when groups unable to retrieve
* doc: number of groups fix
* restore master packages
* docs: tiny docs tweak
* address review comments
* fix codegen
---------
Co-authored-by: tuunit <jan@larwig.com>
* feat: Replace default Go user-agent with oauth2-proxy and version
* Add to CHANGELOG
* Make userAgentTransport configurable and composable
* Use correct naming convention for DefaultHTTPClient
* Move version to own package and use named arguments
* Update version path in Makefile
* Fix import path in Makefile
* Change importpath in dist.sh
* Minor style issues
* Session aware logout, backend logout url approach
* Add CHANGELOG.md and documentation for #1876
* Proper http handling and case change for golint compliance
* Update alpha_config.md
* Fix case conformity
* Change placeholder from ${id_token} to {id_token}
As this should be specified in a URL and curly braces should be escaped as %7b and %7d, therefore using {} shouldn't be an issue
* Apply suggestions from code review
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add other suggestions
* Add suggestions and move background logout to generic provider
* Changelog updated
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add comment for gosec, remove sensitive data from log
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* chore: bump go to version 1.21
update all depedencies as well
* fix linting issues based on golang 1.20 deprecations
* cleanup go depedencies
* add custom gomega matcher for option intefaces
* revert and upgrade golangci-lint to 1.55.2
* fix lint issues for v1.55.2 of golangci-lint
* fix toml loading test
* remove second runspecs call
* update go.sum
* revert testutil package
* update go-jose dependency by switching gopkg.in/square/go-jose.v2
with github.com/go-jose/go-jose/v3
* updated `CHANGELOG.md` with entry for PR #2356
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add GitHub groups (orgs/teams) support
* align code of getTeams with getOrgs to support Github Enterprise Server instances with different domain
* add documentation
* add missing import after rebase
* add nightly build and push (#2297)
* add nightly build and push
* add date based nightly build tags
* only keep single multiarch image build and push
* add changelog
* add images to internal docs static files
* add docu for nightly builds
* remove unnecessary spaces
* update nightly repository
* Issue 978: Fix Custom cookie name breaks redis for session (#1949)
* Issue 978: Fix Custom cookie name breaks redis for session (see https://github.com/oauth2-proxy/oauth2-proxy/issues/978)
* Issue 978: Fix Custom cookie name breaks redis for session (see https://github.com/oauth2-proxy/oauth2-proxy/issues/978)
* Update CHANGELOG.md
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Update CHANGELOG.md
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Support http.AllowQuerySemicolons (#2248)
* Support http.AllowQuerySemicolons
* Docs
* Make it clear we are overriding the handler
* Update documentation for allow-query-semicolons
* Fix changelog format
* Fix formatting
---------
Co-authored-by: MickMake <github@mickmake.com>
* Add GitHub groups (orgs/teams) support
* align code of getTeams with getOrgs to support Github Enterprise Server instances with different domain
* add documentation
* fix changelog & documentation
* fix missing import
---------
Co-authored-by: Tobias Mayer <github@tobiasm.de>
Co-authored-by: Nuno Miguel Micaelo Borges <miguelborges99@gmail.com>
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Tim White <tim.white@su.org.au>
Co-authored-by: MickMake <github@mickmake.com>
* add full support for all oidc config based providers to use and respect all configs set via OIDCConfig
* add changelog entry
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix uninitialized user claim
Some providers doesn't initialize data with setProviderDefaults function
(keycloak-oidc for example), therefore UserClaim is never initialized
with the default value and stay as an empty string.
This result in an empty user.
* Add CHANGELOG.md entry for #1873
* Call setProviderDefaults where missing
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Avoid Nextcloud "Current user is not logged in" (Statuscode 997)
The error message results from oauth2-proxy trying to pass the
access token via URL. Instead it needs to be sent via header,
thus the Nextcloud provider requires a fix similar to what #1502
did before for the keycloak provider.
* Implement EnrichSession() for Nextcloud provider
Parse nested JSON to transform relevant information (groups, id,
email) from the OAuth2 userinfo endpoint into session.
* Update CHANGELOG.md (add link to PR #1750)
* Unbreak oauth2-proxy for keycloak provider after 2c668a
With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.
This is fixed by forcing the validation request to pass the token via a
header.
This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.
Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.
* Add changelog entry for unbreak keycloak
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
* Fix provider data initialisation
* PKCE Support
Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.
- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them
Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server. Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2
oauth2-proxy will always use S256 unless the user explicitly forces `plain`.
Fixes#1361
* Address PR comments by moving pkce generation
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Encrypt CodeVerifier in CSRF Token instead of Session
- Update Dex for PKCE support
- Expose HTTPBin for further use cases
* Correct the tests
* Move code challenges into extra params
* Correct typo in code challenge method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Correct the extra space in docs
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Address changelog and new line nits
* Add generated docs
Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one. Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
