* OIDC Token Refresh works without id_tokens
Addresses https://github.com/pusher/oauth2_proxy/issues/318
Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.
The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).
* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)
* Changes as per the PR comments and preparing for 5.x release
* Fixup changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
======================================================
changelog note
[#274](https://github.com/pusher/oauth2_proxy/pull/274) Add github api pagination support (@toshi-miura ,@apratina)
======================================================
I didn't edit CHANGELOG.md.
Since # 102 was taken over and the change difference of CHANGELOG.md was large
* Remove shadowing of predeclared identifier: new.
* strings.ReplaceAll instead of strings.Replace with -1.
* Change strings.ToLower comparison to strings.EqualFold.
* Rewrite if-else-if-else chain as a switch.
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
* Initial version of OIDC based GitLab provider
* Add support for email domain check to GitLab provider
* Add gitlab.com as default issuer for GitLab provider
* Update documentation for GitLab provider
* Update unit tests for new GitLab provider implementation
* Update CHANGELOG for GitLab provider
* Rename GitLab test access token as response to linter
* Check Google group membership with hasMember and get.
This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.
However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.
https://developers.google.com/admin-sdk/directory/v1/reference/members/get
Note that nested members who are not a part of the domain will not be
correctly detected with this change.
* Update CHANGELOG.
* Fix incorrect JSON and stop escaping strings.
* Add comments for each scenario.
* Current OIDC implementation asserts that user email check must come
from JWT token claims. OIDC specification also allows for source
of user email to be fetched from userinfo profile endpoint.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
* First, attempt to retrieve email from JWT token claims. Then fall back to
requesting email from userinfo endpoint.
* Don't fallback to subject for email
https://github.com/bitly/oauth2_proxy/pull/481
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.
The following log summary shows the issue:
2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
