* Implement azure token refresh
Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278
* Update CHANGELOG.md
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Set CreatedAt to Now() on token refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow complex structure for groups in group claim.
* Remove unused constant
* Update variable name
* Fix linting
* Use helper method
* Log error if not possible to append group value
* Add missing import
* Use own logger
* Fix imports
* Remove Dockerfile for testing
* Add Changelog entry
* Use formatGroup helper method and update tests
* Return string instead of string array
* Remove groups variable
* Return error in format method.
* Reorder imports
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* simplify github actions workflow
no more GOPATH, update Go to 1.15.x
* add script to install golangci-lint
* drop support for Go 1.14
* check docker build in ci
* update alpine linux to 3.12
* update CHANGELOG
* fix golangci-lint installation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* update go-redis/redis to v8
testify, ginko and gomega have also been updated.
* update changelog
* Update pkg/sessions/redis/redis_store_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* ci: migrate to Github Actions
* ci: optimize on feedback
* ci: run gocov in correct dir
* ci: running after-build script always
* ci: giving test script execute permission
* ci: correct error handling on test script
* ci: more verbose test script
* ci: configure CC_TEST_REPORTER_ID env
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* update changelog
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
* Centralize Ticket management of persistent stores
persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.
* Shift to persistence.Manager wrapping a persistence.Store
* Break up the Redis client builder logic
* Move error messages to Store from Manager
* Convert ticket to private for Manager use only
* Add persistence Manager & ticket tests
* Make a custom MockStore that handles time FastForwards
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
