1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

22 Commits

Author SHA1 Message Date
Koen van Zuijlen
343bd61ebb
chore(deps): Updated to ginkgo v2 (#2459)
* chore(deps): Updated to ginkgo v2

* fix basic auth test suite cleanup

* fix redis store tests

* add changelog entry

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
2024-07-18 22:41:02 +02:00
t-katsumura
d107d885e4
Session-Cookie Support (#1713)
* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-16 12:23:02 +01:00
Joel Speed
4a2cf153cf
Fixup update session state handling 2022-10-29 12:49:53 +01:00
Nuno Miguel Micaelo Borges
a1ff878fdc
Add flags to define CSRF cookie expiration time and to allow CSRF cookies per request (#1708)
* Add start of state to CSRF cookie name

* Update CHANGELOG.md

* Update CHANGELOG.md

* Support optional flags

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update overview.md

Add new CSRF flags

* Update overview.md

Describe new CSRF flags

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2022-08-31 23:27:56 +01:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
Joel Speed
5fe947eb07
Update go version to 1.16
This includes a fix for our samesite cookie parsing. The behaviour
changed in 1.16 so that the default value now leaves it empty, so it's
equivalent to not setting it (as per spec)
2021-02-19 11:30:58 +00:00
Nick Meves
6fb3274ca3
Refactor organization of scope aware request utils
Reorganized the structure of the Request Utils due to their widespread use
resulting in circular imports issues (mostly because of middleware & logger).
2021-01-16 13:55:48 -08:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
29b24793e3
Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
Joel Speed
105d5acb7b
Only log no cookie match if cookie domains specified 2020-08-27 14:48:00 +01:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Joel Speed
211fd3a010
Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
Joel Speed
458710149c
Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
Eric Dahlseng
a659b9558e
Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Paul Groudas
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
Paul Groudas
90f8117fba Fix typos in doc strings. 2019-12-20 11:27:10 -05:00
Joel Speed
6366690927
Fix gofmt for changed files 2019-06-15 11:34:00 +02:00
Joel Speed
fb9616160e
Move logger to pkg/logger 2019-06-15 11:33:58 +02:00
Joel Speed
76bd23738f
Simplify cookie creation form *options.CookieOptions 2019-05-20 11:26:12 +02:00
Joel Speed
15a2cf8b9e
Implement ClearSession for cookie SessionStore 2019-05-18 13:10:05 +02:00