mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

103 Commits

Author SHA1 Message Date
4c1047866b fix: do not add Cache-Control header to response from auth only endpoint
fix #661
related #453
2020-07-06 19:04:31 +09:00
6e1b3b9660 Switch to in session store initialisation 2020-06-28 12:50:55 +01:00
5ce9e75c21 Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
6b43b41638 Fix tests broken by security advisory 2020-06-27 12:41:46 +01:00
ee5662e0f5 Merge pull request from GHSA-5m6c-jp6f-2vcv
* Add more Open Redirect test cases

* Add whitelisted domain to test

* Add more test cases

* Improve invalid redirect regex
2020-06-27 12:07:24 +01:00
c2c1caa404 Set User = Subject in ExtraJWTBearer sessions 2020-06-19 11:48:23 -07:00
f7b28cb1d3 Improvements to Session State code (#536)
* Drop SessionStateJSON wrapper
* Use EncryptInto/DecryptInto to reduce sessionstate

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-30 08:53:38 +01:00
276d1c6f19 Always encrypt sessions regardless of configuration 2020-05-24 21:23:04 +01:00
44b27e0208 Move Options and Validation to package 2020-05-21 22:43:42 +01:00
7e5c8bb579 Fix secretBytes adding unintended padding (#556)
* Fix secretBytes adding unintended padding

* Add more SecretBytes test scenarios

* Add CHANGELOG entry about breaking secret padding change

* Add SecretBytes tests explanation comments
2020-05-21 19:29:45 +01:00
4e3dd09cf2 Drop fallback to email when user is empty (#537) 2020-05-12 16:04:51 +01:00
e642daef4e Support context in providers (#519)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 13:34:59 +01:00
0d5fa211df Merge pull request from GHSA-j7px-6hwj-hpjg 2020-05-06 12:42:02 +01:00
e49f8542bc Rename Session Options to improve structure 2020-04-29 19:51:24 +01:00
458710149c Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
dd05e7ff0b Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
a659b9558e Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
b0b87563dc Add set basic auth param (#413)
* adding redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutually exclusive changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
7efc162aaa Prevent browser caching during auth flow (#453)
* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exist in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
2020-04-09 15:39:07 +01:00
802754caad Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
8d0149ccf8 Fix issue with group validation called on every request (#435)
* Revert group validation on every request

* Fix syntax

* Remove unit tests associated with reverted change

* Update CHANGELOG
2020-03-13 20:10:38 +00:00
4cd43ef397 Support the PreferEmailToUser option on PassUserHeaders
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.

The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying basic auth headers.

The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
2020-03-04 11:47:13 +13:00
51f4d88028 Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like, for example, in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
5489d1624e Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-08 22:24:56 +02:00
6d74a42e57 Merge branch 'master' into feat/static-upstream 2019-11-19 12:23:42 +01:00
6d1b5fc4b0 Merge branch 'master' into kamal/whitelist-redirects-with-ports 2019-11-14 17:19:21 +02:00
fef940da9a Added userinfo endpoint (#300)
* Added userinfo endpoint

* Added documentation for the userinfo endpoint

* Update oauthproxy.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* Suggested fixes: Streaming json to rw, header set after error check

* Update oauthproxy.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* fix session.Email

* Ported tests and updated changelog
2019-11-07 14:38:36 -08:00
a12bae35ca update port whitelisting rules, refactor IsValidRedirect tests 2019-10-23 16:38:44 +03:00
ae4e9155d2 implicit/explicit redirect port matching 2019-10-12 23:47:23 +03:00
bfb22506ff allow redirects to whitelisted hosts with ports 2019-10-11 15:39:57 +03:00
3d17159c5c replace getRootEndpoint by getEndpointWithCookie 2019-10-10 10:14:01 +02:00
dc36836800 Add tests for static upstream 2019-10-10 10:14:01 +02:00
7134d22bcc New flag "-ssl-upstream-insecure-skip-validation" (#234)
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.

* Fix tests for modified NewReverseProxy method.

* Added change to the changelog.

* Remove duplicate entries from changelog.
2019-08-07 17:48:53 +01:00
630db3769b Merge branch 'master' into refactor 2019-07-15 11:30:43 +01:00
d24aacdb5c Fix lint errors 2019-06-23 21:39:13 +01:00
3881955605 Update unit tests for ValidateGroup 2019-06-20 16:57:20 -07:00
058ffd1047 Update unit tests for username 2019-06-17 13:11:49 -07:00
54d91c69cc Use logger instead of log 2019-06-17 12:52:13 -07:00
10f65e0381 Add a more realistic test for JWT passthrough 2019-06-17 12:52:13 -07:00
1ff74d322a Fix imports 2019-06-17 12:52:13 -07:00
69cb34a04e Add unit tests for JWT -> session translation 2019-06-17 12:52:13 -07:00
187960e9d8 Improve token pattern matching
Unit tests for token discovery
2019-06-17 12:52:13 -07:00
6366690927 Fix gofmt for changed files 2019-06-15 11:34:00 +02:00
fb9616160e Move logger to pkg/logger 2019-06-15 11:33:58 +02:00
093f9da881 Move cipher creation to options and away from oauth2_proxy.go 2019-05-20 11:26:13 +02:00
37e31b5f09 Remove dead code 2019-05-20 11:26:11 +02:00
c61f3a1c65 Use SessionStore for session in proxy 2019-05-20 11:26:10 +02:00
2ab8a7d95d Move SessionState to its own package 2019-05-18 13:09:56 +02:00
39d2f28a40 Add comment; update changelog 2019-05-09 10:14:01 +01:00
15f48fb95e Don't infer username from email local part if username not set 2019-05-07 10:36:00 +01:00