* Add support for preferred username.
* Add missing TOC entries.
* Add note about preferred_username support.
* Adjust tests.
* Check on not implemented error for GetPreferredUsername() call.
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.
When matching this with downstream databases, it's sometimes preferred to use
the email address as the known identifier.
However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.
This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.
Defaults to Off.
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add nsswitch.conf to Docker image
Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image.
* Add new line
* Updated Changelog
Co-authored-by: Dan Bond <danbond@protonmail.com>
* OIDC Token Refresh works without id_tokens
Addresses https://github.com/pusher/oauth2_proxy/issues/318
Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.
The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).
* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)
* Changes as per the PR comments and preparing for 5.x release
* Fixup changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Extend the redis session store to support redis cluster
* rename function newRedisClient to newRedisCmdable
* update docs about redis cluster as session store
* update autocomplete script with redis cluster options
* add check about conflict between option redis-use-sentinel and redis-use-cluster
* update change log
* Update docs/configuration/sessions.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/sessions/redis/redis_store.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* add the dropped option back
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix login page fragment handling after soft reload on Firefox.
* Add comments.
* Move changelog entry to correct place.
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Felix Fontein <felix@fontein.de>
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.
Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.
See: https://www.owasp.org/index.php/SameSite
