* Add -user-id-claim to support other claims than email
Fix#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
`GetJwtSession` and overridden by oidc to respect `user-id-claim`
Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
* Apply suggestions from code review
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Review feedback: Don't extract claims manually
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
* Fix indentation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow the OIDC issuer verification to be skipped if desired.
* Remove stale warning
* Add CHANGELOG entry
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
* Allow multiple cookie domains to be specified
* Use X-Forwarded-Host, if it exists, when selecting cookie domain
* Perform cookie domain sorting in config validation phase
* Extract get domain cookies to a single function
* Update pkg/cookies/cookies.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog
Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* addint redirect capability to sign_out
* updating changelog
* Add a new param to set the Authorization header to up-stream systems as Basic user:password
* Resolving code review
* mutual exclusiv changes for Basic and Bearer Authorization header
* Fixed the merge mixup and comment error
* Updated changelog and fixed typo
* Adding the new entry in changelog
Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.
The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.
The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.
When matching this with downstream databases, it's sometimes preferred to use
the email address as the known identifier.
However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.
This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.
Defaults to Off.
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.
Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.
See: https://www.owasp.org/index.php/SameSite
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.
* Fix tests for modified NewReverseProxy method.
* Added change to the changelog.
* Remove duplicate entries from changelog.
* Initial version of OIDC based GitLab provider
* Add support for email domain check to GitLab provider
* Add gitlab.com as default issuer for GitLab provider
* Update documentation for GitLab provider
* Update unit tests for new GitLab provider implementation
* Update CHANGELOG for GitLab provider
* Rename GitLab test access token as response to linter
- Add `ping-path` option to enable switching on and passing to `logger.go`
Default remains unchanged at: `"/ping"`
- Add note in configuration.md about silence flag taking precedence
Potential tests:
- `options.go` sets `logger.SetExcludePath` based on silence flag?
- Changing `PingPath` reflected in router?
Useful for excluding /ping endpoint to reduce log volume.
This is somewhat more verbose than a simple bool to disable logging of
the `/ping` endpoint.
Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and
pass in the `/ping` endpoint as part of `logger` declaration in `options.go`.
Could be extended into a slice of paths similar to go-gin's `SkipPaths`:
https://github.com/gin-gonic/gin/blob/master/logger.go#L46
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter
Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)
Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations
Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
