1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-01-24 05:26:55 +02:00

161 Commits

Author SHA1 Message Date
Stefan Sedich
220b3708fc
Add support for setting groups on session when using basic auth (#1064)
* Add support for setting groups on session when using basic auth

* Refactoring based on feedback

* Attribution
2021-02-25 13:02:23 -08:00
Joel Speed
23e545a639
Add option for custom logos on the sign in page 2021-02-19 13:23:55 +00:00
Praveen Chinthala
76269a13b7
Support Traefik ForwardAuth without a 401 handler (#1023)
* GH-1015 Adds support for Traefik to OauthStart on '/oauth2/auth' endpoint

* Fix incorrect reference to signout path and point to signin path

- remove commented out alternative solutions and debug log statements

* Remove skip provider button check as SignIn method already does this

* Updated traefik example to match existing file configuration reference, updated tests

* Update doc and refactor nested conditional statements

* Revert code changes as static upstream provides the same functionality

- Add doc on using static upstream with Traefik ForwardAuth middleware

* update changelog

* Move the doc changes to 7.0.x versioned docs

* Re-add traefik docs update in the main docs overview.md

* add missing oauth2-proxy routing

Co-authored-by: Praveen Chinthala <PraveenChinthala@hollandandbarrett.com>
2021-02-15 19:31:08 +00:00
Sean Jones
a7c8a233ba
Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
2021-02-15 13:45:26 +00:00
Joel Speed
9e8c2af86b
Update docs for new show-debug-on-error option 2021-02-13 10:48:03 +00:00
Joel Speed
e87a51f0e5
Prepare for release v7.0.1 2021-02-10 18:25:39 +00:00
Aleksander Stelmaczonek
7def4bf360
[DOC] Fix broken link to cookie secret generation (#1024)
* [DOC] Fix broken link

* Update auth.md

* Update auth.md

* Update auth.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-02-10 17:55:42 +00:00
Aleksander Stelmaczonek
0f859215f0
[DOC] Add header to cookie secret paragraph (#1025)
* [DOC] Add header to cookie secret paragraph

* Update overview.md

* Update overview.md

* Update overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-02-08 12:58:38 +00:00
Joel Speed
d1a249262f
Create v7.0.x versioned docs
Created within: yarn run docusaurus docs:version 7.0.x
2021-02-01 18:05:47 +00:00
Joel Speed
a909d33355
Update CHANGELOG for release v7.0.0 2021-02-01 18:05:44 +00:00
Wilfried OLLIVIER
8087de7a03
Add Gitlab version warning/constaint in documentation (#1004) 2021-01-20 19:57:22 +00:00
Joel Speed
5c64e236fb
Generate reference page in configuration 2021-01-18 09:57:44 +00:00
Joel Speed
e50e6ed373
Add Security Policy 2021-01-16 19:47:47 +00:00
İlteriş Eroğlu
1d74a51cd7
Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (#957) 2021-01-01 15:23:11 -08:00
Nick Meves
f07a5630f1
Update Keycloak documentation 2020-12-24 14:04:19 -08:00
Nick Meves
eb56f24d6d
Deprecate UserIDClaim in config and docs 2020-12-21 16:52:17 -08:00
Kirill Müller
4fda907830
Fix and enhance OIDC example (#934)
* Fix and enhance OIDC example

* Restructure

* Indent

* Add full stop.

* Add link

* Add minimalistic README

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-12-19 15:48:33 +00:00
Mathieu Lecarme
d67d6e3152
Add authorization support for Gitlab projects (#630)
* Add support for gitlab projets

* Add group membership in state

* Use prefixed allowed groups everywhere

* Fix: remove unused function

* Fix: rename func that add data to session

* Simplify projects and groups session funcs

* Add project access level for gitlab projects

* Fix: default access level

* Add per project access level

* Add user email when missing access level

* Fix: harmonize errors

* Update docs and flags description for gitlab project

* Add test with both projects and groups

* Fix: log error message

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix: make doc a markdown link

* Add notes about read_api scope for projects

* Fix: Verifier override in Gitlab Provider

This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct

* Fix: ensure data in session before using it

* Update providers/gitlab.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Rename gitlab project initializer

* Improve return value readbility

* Use splitN

* Handle space delimiters in set project scope

* Reword comment for AddProjects

* Fix: typo

* Rework error handling in addProjectsToSession

* Reduce branching complexity in addProjectsToSession

* Fix: line returns

* Better comment for addProjectsToSession

* Fix: enrich session comment

* Fix: email domains is handled before provider mechanism

* Add archived project unit test

* Fix: emails handling in gitlab provider

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-12-05 10:57:33 -08:00
Joel Speed
c8a70c6243
Add version dropdown to docs header 2020-11-08 19:37:46 +00:00
Joel Speed
6c483e5674
Set up docs for version 6.1.x 2020-11-08 19:37:43 +00:00
Nick Meves
14fd934b32
Flip --skip-auth-strip-headers to true by default 2020-11-07 11:43:45 -08:00
Joel Speed
899c743afc
Migrate existing documentation to Docusaurus 2020-11-05 15:36:27 +00:00
Halvard Mørstad
8abc4e6d87
Updated Gitlab docs (#859) 2020-10-21 09:36:17 -07:00
Jakub Holy
8b44ddd547
config: clarify skip-jwt-bearer-tokens needs (#851)
i.e. that the token must have a recognized `aud` field.
2020-10-19 19:14:50 +01:00
Philippe Pepiot
420a34f814
Document set_xauthrequest with pass_access_token (#829)
* Document set_xauthrequest with pass_access_token

Document feature implemented in https://github.com/oauth2-proxy/oauth2-proxy/pull/68

The feature is already decribed in in the nginx example but not clearly
on each respective parameters documentation.

* Update docs/configuration/configuration.md

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-10-14 09:17:55 -07:00
Nick Meves
183cb124a4
Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
Jakub Holy
3d203a1a03
Home: Add a brief description of the behavior (#794)
* Home: Add a brief description of the behavior

I could not find this information anywhere and think it is quite important for understanding how to use and configure the proxy for different use cases.

(Especially the Ajax part is not mentioned anywhere else I believe.)

I tried to keep it general enough so that it won't need updating often yet useful enough to have good value :)

* Update docs/0_index.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-05 10:34:42 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
blz-ea
4a04ff4529
docs: fix Keycloak provider documentation 2020-09-22 20:13:00 -04:00
Stefan Sedich
9d59519a96
Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
Lennart Jern
e14d6ab791 Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
2020-09-11 13:32:00 +03:00
Aurélien LAJOIE
0eb0024e87 Doc: cookie-secret is a mandatory field for cookie session 2020-09-04 16:20:41 +02:00
Joel Speed
1337f56188
Prepare CHANGELOG for v6.1.1 release 2020-08-31 17:01:52 +01:00
Tomoyuki KOYAMA
bd5fab478d
fix docs: command line options (#744) 2020-08-29 09:26:24 +01:00
Joel Speed
43bf36425d
Prepare changelog for v6.1.0 release 2020-08-27 15:08:46 +01:00
Nick Meves
51a9062044
Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Ryan Schmidt
6e31eb28d5
Fix typos and other minor edits 2020-08-04 01:29:00 -05:00
devopsix
895403cb9b
Document what provider have support for --cookie-refresh. (#543)
Co-authored-by: Dirk Weinhardt <dirk.weinhardt@etl.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-15 00:05:13 +01:00
Nick Meves
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
mkontani
dd36138965
docs: Fix required ruby-version (#675)
* fix required ruby-version

Signed-off-by: mkontani <itoama@live.jp>

* add a changelog entry

Signed-off-by: mkontani <itoama@live.jp>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-12 16:09:34 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Jonathan Herlin
416c8b0a5c
Make example args a codeblock
Making this a code block aligns with the rest of the examples and makes it easier to read
2020-07-06 12:04:16 +02:00
k-wall
b0375e85fa
Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
Joel Speed
25154ede41
Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
İlteriş Eroğlu
1b6c54cae1
Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
Evgeni Gordeev
43f214ce8b
Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00
Christopher Kohnert
2c851fcd4f
Allow a health/ping request to be identified by User-Agent (#567)
* Add an option to allow health checks based on User-Agent.

* Formatting fix

* Rename field and avoid unnecessary interface.

* Skip the redirect fix so it can be put into a different PR.

* Add CHANGELOG entry

* Adding a couple tests for the PingUserAgent option.
2020-06-12 14:56:31 +01:00
Yoshiki Nakagawa
d8d43bb51b
Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00