1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-12 11:15:02 +02:00
Commit Graph

112 Commits

Author SHA1 Message Date
D. Spindel
51f4d88028
Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the  known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
Nir Aizik
edd6ad6ae5
Add client-secret-file to main FlagSet (#399) 2020-02-17 14:21:04 +00:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Martin Campbell
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
Paul Groudas
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
Felix Fontein
11205c7399 Allow to change provider's name (#296)
* Allow to change provider's name.

* Add changelog entry.

* Linting.

* provider-name -> provider-display-name.

* Add flag in main.go.

* Update CHANGELOG.md
2019-11-25 17:20:37 +00:00
Christian Groschupp
6d74a42e57
Merge branch 'master' into feat/static-upstream 2019-11-19 12:23:42 +01:00
Łukasz Leszczuk
d7a51e4aab
Update main.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-11-12 11:34:14 +01:00
Lukasz Leszczuk
3f7ed36e46 Add support for Redis with custom CA. 2019-11-08 10:47:18 +01:00
Christian Groschupp
9e4a7ee84e
Merge branch 'master' into feat/static-upstream 2019-11-01 17:34:27 +01:00
Josh Michielsen
fe9efba0c5
Documentation change
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-10-22 14:19:39 +01:00
Josh Michielsen
aae91b0ad6 Add new handler to redirect to HTTPS if flag is set
Signed-off-by: Josh Michielsen <github@mickey.dev>
2019-10-17 16:30:48 +01:00
Josh Michielsen
e24e4ef880 Add force-https option and flag
Signed-off-by: Josh Michielsen <github@mickey.dev>
2019-10-17 16:30:18 +01:00
Christian Groschupp
1295f87b33
Add static upstream 2019-10-10 10:14:00 +02:00
Henry Jenkins
71dfd44149
Merge branch 'master' into keycloak-provider 2019-08-17 08:10:37 +01:00
aledeganopix4d
fa6c4792a1 Add Bitbucket provider. (#201)
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
2019-08-16 14:53:22 +01:00
ferhat elmas
fb52bdb90c Fix some typos 2019-08-13 12:42:23 +02:00
jansinger
7134d22bcc New flag "-ssl-upstream-insecure-skip-validation" (#234)
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.

* Fix tests for modified NewReverseProxy method.

* Added change to the changelog.

* Remove duplicate entries from changelog.
2019-08-07 17:48:53 +01:00
Alexander Overvoorde
4de49983fb Rework GitLab provider (#231)
* Initial version of OIDC based GitLab provider

* Add support for email domain check to GitLab provider

* Add gitlab.com as default issuer for GitLab provider

* Update documentation for GitLab provider

* Update unit tests for new GitLab provider implementation

* Update CHANGELOG for GitLab provider

* Rename GitLab test access token as response to linter
2019-08-06 12:20:54 +01:00
Karel Pokorny
583ec18fa2 Add keycloak provider 2019-07-28 15:54:39 +02:00
Karl Skewes
f00a474d91 Correct tls cert flag name per 186 2019-07-16 11:39:06 +12:00
Karl Skewes
289dfce28a logger.go ExcludedPaths changed to slice of paths.
- `logger.go` convert slice of paths to map for quicker lookup
- `options.go` combines csv paths and pingpath into slice
2019-07-16 10:04:09 +12:00
Karl Skewes
4e10cc76e0 Add silence ping logging flag using ExcludePath
- Add `ping-path` option to enable switching on and passing to `logger.go`
  Default remains unchanged at: `"/ping"`
- Add note in configuration.md about silence flag taking precedence

Potential tests:
- `options.go` sets `logger.SetExcludePath` based on silence flag?
- Changing `PingPath` reflected in router?
2019-07-16 09:46:53 +12:00
Karl Skewes
c4f20fff3d Add exclude logging path option
Useful for excluding /ping endpoint to reduce log volume.
This is somewhat more verbose than a simple bool to disable logging of
the `/ping` endpoint.

Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and
pass in the `/ping` endpoint as part of `logger` declaration in `options.go`.

Could be extended into a slice of paths similar to go-gin's `SkipPaths`:
https://github.com/gin-gonic/gin/blob/master/logger.go#L46
2019-07-16 09:43:47 +12:00
Karl Skewes
ec97000169 Add silence ping logging flag
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter

Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)

Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations

Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
2019-07-16 09:42:24 +12:00
Joel Speed
630db3769b
Merge branch 'master' into refactor 2019-07-15 11:30:43 +01:00
Daryl Finlay
9823971b7d Make insecure-oidc-allow-unverified-email configuration usage consistent 2019-07-11 15:58:31 +01:00
Daryl Finlay
018a25be04 Create option to skip verified email check in OIDC provider 2019-07-11 15:29:48 +01:00
Henry Jenkins
924eab6355 Adds banner flag
This is to override what's displayed on the main page.
2019-06-25 16:41:51 +01:00
Brian Van Klaveren
79acef9036 Clarify skip-jwt-bearer-tokens default and add env tags 2019-06-17 12:52:13 -07:00
Brian Van Klaveren
8083501da6 Support JWT Bearer Token and Pass through 2019-06-17 12:51:35 -07:00
Joel Speed
fb9616160e
Move logger to pkg/logger 2019-06-15 11:33:58 +02:00
Brian Van Klaveren
ae0258a203 Documentation updates around Redis and Redis Sentinel use 2019-06-05 00:11:42 -07:00
Joel Speed
518c1d3e8e Add Redis sentinel compatibility
(cherry picked from commit ff36b61f8cee4ecf0b91a90b5e1b651b526bb6b6)
2019-06-05 00:11:42 -07:00
Brian Van Klaveren
fc06e2dbef Update documentation and changelog for redis store 2019-06-05 00:11:42 -07:00
Joel Speed
5095c3647d Add redis-connection-url flag 2019-06-05 00:10:51 -07:00
Joel Speed
1048584075
Add session-store-type flag 2019-05-18 13:10:10 +02:00
Mister Wil
8a17ef8d71
Fixing accidental variable name change. 2019-04-23 09:29:01 -07:00
Mister Wil
88c518885c
Merge branch 'master' into enhanced_logging 2019-04-16 06:53:45 -07:00
timothy-spencer
1ae62a3343
added jwt-key-file option, update docs 2019-04-15 09:49:05 -07:00
MisterWil
d77119be55 Merging changes 2019-04-12 09:26:44 -07:00
MisterWil
37c415b889 Self code review changes 2019-04-12 08:59:46 -07:00
MisterWil
8ec025f536 Auth and standard logging with file rolling 2019-04-12 08:59:46 -07:00
Costel Moraru
071d17b521 Expose -cookie-path as configuration parameter 2019-04-10 00:36:35 +03:00
timothy-spencer
6bb32c8059
It's not really mine 2019-03-26 08:59:03 -07:00
timothy-spencer
2679579f44
updated documentation to reflect GKE ingress support too 2019-03-25 11:44:17 -07:00
timothy-spencer
3476daf322
added an option to enable GCP healthcheck endpoints 2019-03-20 14:29:44 -07:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00