1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00
Commit Graph

405 Commits

Author SHA1 Message Date
Jeeva Kandasamy
6e54ac2745
Update LinkedIn provider validate URL (#1444)
* update LinkedIn validate URL

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update changelog

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update failed unit test

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>
2021-11-19 21:36:33 +00:00
Jeeva Kandasamy
7ed4e3c830
Fix docker container multi arch build issue by passing GOARCH details to make build (#1445)
* pass GOARCH details to make process

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update changelog

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>
2021-11-12 21:42:46 +00:00
Stephan Aßmus
2c668a52d4
Let authentication fail when session validation fails (fixes #1396) (#1433)
* Error page for session validation failure

* Fix existing tests

* Add test-case for session validation failure

* Simplify test

* Add changelog entry for PR

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-11-12 18:36:29 +00:00
Joel Speed
976dc35805
Update CHANGELOG for v7.2.0 release 2021-10-22 18:11:26 +01:00
Hiroyuki Wada
7eb3a4fbd5 Improve TLS handling for Redis to support non-standalone mode with TLS 2021-10-19 20:04:49 +09:00
Maciej Strzelecki
b49e62f9b2
Initalize TLS.Config when connecting to Redis with TLS (#1296)
* init TLS.Config when connecting to Redis with TLS

* don't overwrite TLS config if it exists

* add tests for Redis with TLS

* remove hardcoded certs

* add GenerateCert func

* use GenerateCert util func

* fix issue reported by go fmt

* limit return statements in GenerateCert
2021-10-19 09:17:42 +01:00
Joel Speed
2ce93b6b31
Improve build times by sharing cache and allowing platform selection 2021-10-18 18:19:40 +01:00
Joel Speed
d8deaa124b
Improve error message when no cookie is found 2021-10-13 19:08:11 +01:00
Luka Zakrajšek
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
David Emanuel Buchmann
fd5e23e1c5
linkedidn: Update provider to v2 (#1315)
* linkedin: Update provider to v2

* changelog: Add change
2021-10-04 15:58:25 +01:00
Matt Lilley
3957183fd5
Use the httputil.NewSingleHostReverseProxy instead of yhat/wsutil for … (#1348)
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive

* Tidy up dependencies - yhat/wsutil is no longer required

* Update changelog to include reference to 1348

Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-03 15:38:40 +01:00
Jan Rotter
826ebc230a Add changelog entry 2021-09-26 23:47:28 +02:00
Nick Meves
11c2177f18 Use nickname claim as User for GitLab
Previously this was only done in the `EnrichSession` stage
which would've missed Bearer usages & `RefreshSession`
would've overriden the User to the Subject.
2021-09-25 16:49:25 -07:00
Ryan Hartje
05a4e77c4c
Multiarch builds (#1147)
* extract email from id_token for azure provider (#914)

* extract email from id_token for azure provider

this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api

* fixed typo

* refactor GetEmailAddress to EnrichSessionState

* make getting email from idtoken best effort and fall back to previous behavior when it's absent

* refactor to use jwt package to extract claims

* fix lint

* refactor unit tests to use test table
refactor the get email logic from profile api

* addressing feedback

* added oidc verifier to azure provider and extract email from id_token if present

* fix lint and codeclimate

* refactor to use oidc verifier to verify id_token if oidc is configured

* fixed UT

* addressed comments

* minor refactor

* addressed feedback

* extract email from id_token first and fallback to access token

* fallback to access token as well when id_token doesn't have email claim

* address feedbacks

* updated change log!

* switch to docker buildx for multiarch builds

* add setup docker buildx action

* update docker push to push the multiarch image

* make multiarch image have parity with currently produced images by adding linux/armv6

* triaging issue with arm v6

* incorporating feedback

* fixing rebase disaster

* reset Makefile to blessed state

Co-authored-by: Weinong Wang <weinong@outlook.com>
2021-09-21 14:17:59 +01:00
Fabian Stelzer
d51556515e
Introduce ProxyRawPath flag
Setting this flag will configure the upstream proxy to pass encoded urls
as-is.
2021-09-17 12:37:56 +00:00
Hedi Harzallah
ccbb98acd9
fix(1356): test if session variable is null (#1357)
* fix(1356): test if session variable is null

* fix(1356): adding changelog

Co-authored-by: Hedi Harzallah <hharzalla@talend.com>
2021-09-09 12:12:29 +01:00
Miks Kalnins
54d44ccb8f
Allow specifying URL as input for custom sign in logo (#1330)
* Allow specifying URL as input for custom logos

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

* Only allow HTTPS URLs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2021-09-05 09:23:22 -07:00
Philippe
7cf3065111
Changing user field type to text (#1337)
* Changing user field type to text

* Updated changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-08-29 12:39:02 +01:00
Jordie
42c16efa38
Fixed .CustomLogin </form> tag placement for login page (#1317)
* Fixed .CustomLogin </form> tag placement for login page

* Update changelog (gh-1317)
2021-08-11 15:57:40 +01:00
Peter Braun
e6223383e5 update keycloak oidc provider and add unit tests 2021-08-02 11:39:50 +02:00
JVecsei
8967873659
Updated dependency versions which include CVE fixes (#1276)
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes

* added #1276 to changelog

Co-authored-by: Joshua Vécsei <git@vecsei.me>
2021-07-29 17:45:41 +01:00
Nick Meves
0b4bc36554
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00
Moraru Costel
7a83d18f23
Extend email-domain validation with sub-domain capability (#1233)
* Extend email-domain validation with sub-domain capability

* Adding the CHANGELOG entry

* Fixing lint erros

* Fixing lint erros

* Renamed the emailDomains to allowedDomains, plus tests

* Bringing together all basic test-cases

* Fixing unit tests

* Add unit tests to validate additional vulnerability concerns
2021-06-29 19:37:03 +01:00
Joel Speed
9ce962be08
Add changelog entry for new rewrite target feature 2021-06-23 12:21:40 +01:00
Nick Meves
ff914d7e17 Use ErrNotImplemented in default refresh implementation 2021-06-22 17:04:42 -07:00
Joel Speed
d8b91efcc7
Add changelog for app redirection split 2021-06-19 11:26:04 +01:00
Joel Speed
a8c9b2903d
Use gorilla mux for OAuth Proxy routing 2021-06-19 11:17:16 +01:00
Anders Kiel Hovgaard
c00d36159e
Update Alpine image version to 3.14 (#1244)
* Update Alpine image version to 3.14.

* Update changelog.
2021-06-18 13:12:11 +01:00
Sami Racho
a14c0c2121 Added ADFS Provider 2021-06-13 10:19:56 +02:00
Rishi Kambil
41cd418a5d
Fix - Refresh Session not working for multiple cookies (#1209) (#1227)
* Fix - Refresh Session not working for multiple cookies (#1209)

* added comments for flattenheaders fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Updated Changelog.md

Co-authored-by: Rishi Kambil <rishi.kambil@lntinfotech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-09 10:22:33 +01:00
Kevin Kreitner
f648c54d87
Add redis lock feature (#1063)
* Add sensible logging flag to default setup for logger

* Add Redis lock

* Fix default value flag for sensitive logging

* Split RefreshSessionIfNeeded in two methods and use Redis lock

* Small adjustments to doc and code

* Remove sensible logging

* Fix method names in ticket.go

* Revert "Fix method names in ticket.go"

This reverts commit 408ba1a1a5.

* Fix methods name in ticket.go

* Remove block in Redis client get

* Increase lock time to 1 second

* Perform retries, if session store is locked

* Reverse if condition, because it should return if session does not have to be refreshed

* Update go.sum

* Update MockStore

* Return error if loading session fails

* Fix and update tests

* Change validSession to session in docs and strings

* Change validSession to session in docs and strings

* Fix docs

* Fix wrong field name

* Fix linting

* Fix imports for linting

* Revert changes except from locking functionality

* Add lock feature on session state

* Update from master

* Remove errors package, because it is not used

* Only pass context instead of request to lock

* Use lock key

* By default use NoOpLock

* Remove debug output

* Update ticket_test.go

* Map internal error to sessions error

* Add ErrLockNotObtained

* Enable lock peek for all redis clients

* Use lock key prefix consistent

* Fix imports

* Use exists method for peek lock

* Fix imports

* Fix imports

* Fix imports

* Remove own Dockerfile

* Fix imports

* Fix tests for ticket and session store

* Fix session store test

* Update pkg/apis/sessions/interfaces.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Do not wrap lock method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Use errors package for lock constants

* Use better naming for initLock function

* Add comments

* Add session store lock test

* Fix tests

* Fix tests

* Fix tests

* Fix tests

* Add cookies after saving session

* Add mock lock

* Fix imports for mock_lock.go

* Store mock lock for key

* Apply elapsed time on mock lock

* Check if lock is initially applied

* Reuse existing lock

* Test all lock methods

* Update CHANGELOG.md

* Use redis client methods in redis.lock for release an refresh

* Use lock key suffix instead of prefix for lock key

* Add comments for Lock interface

* Update comment for Lock interface

* Update CHANGELOG.md

* Change LockSuffix to const

* Check lock on already loaded session

* Use global var for loadedSession in lock tests

* Use lock instance for refreshing and releasing of lock

* Update possible error type for Refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:08:19 +01:00
Tarvi Pillessaar
818938add2
Fix URI fragment handling
Fixes #1205
2021-05-24 10:17:46 +03:00
Joel Speed
a0e2f785f3
Add alternative ways to generate cookie secrets to docs 2021-05-23 20:12:08 +01:00
Joel Speed
befcdd9d04
Add pagewriter to upstream proxy 2021-05-10 11:14:05 +01:00
Itay Brandes
095e1db801 fix: SHOW_DEBUG_ON_ERROR environment variable not working
(Fixes #1178)
2021-05-04 19:17:30 +03:00
Nick Meves
2dd4a9647a
Update Changelog for release v7.1.3 2021-04-28 09:41:18 -07:00
Nick Meves
544ba2a21c
Fix Metrics cfg option naming typo 2021-04-23 13:24:28 -07:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
Nick Meves
d3423408c7
Add a clock package for better time mocking (#1136)
* Add a clock package for better time mocking

* Make Clock a struct so it doesn't need initialization

* Test clock package

* Use atomic for live time tests

* Refer to same clock.Mock throughout methods
2021-04-18 18:25:57 +01:00
yanasega
42475c28f7
Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Joel Speed
fbe5743dd4
Update Changelog for release v7.1.2 2021-04-01 19:07:22 +01:00
Oliver
7ebeecb128
Fix metrics server (#1141)
* fix MetricsSecureAddress cfg tag

* add metrics* flags to docs

* update CHANGELOG
2021-04-01 13:58:13 +01:00
Joel Speed
c0654e3d9f
Remove unused fields from OAuthProxy 2021-03-29 18:26:48 +01:00
Joel Speed
8c91adcaf0
Rewrite OpenRedirect tests in ginkgo 2021-03-29 18:09:58 +01:00
Joel Speed
46c3296330
Prepare for release v7.1.1 2021-03-28 19:25:46 +01:00
Joel Speed
17009d8363
Metrics server should be constructed with secure bind address for TLS 2021-03-26 09:58:39 +00:00
Joel Speed
b0949a4efb
Update changelog for v7.1.0 release 2021-03-25 17:21:08 +00:00
Frédéric Collonval
5788bebfee
Add example local environment with traefik (#1091)
* Add example with traefik and keycloak

* Switch to dex

* Remove unneeded change in keycloak settings

* Taken into account review comments

* Add changelog entry

Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-03-22 13:55:25 +00:00
Joel Speed
64f0a9f580
Reinstate preferEmailToUser behaviour for basic auth sessions 2021-03-22 13:13:26 +00:00
Joel Speed
025ef3eca4
Fix upstream proxy appending ? to requests 2021-03-22 13:07:36 +00:00