1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

218 Commits

Author SHA1 Message Date
4344610f80 Create versioned docs for release v7.3.x
Created with: yarn run docusaurus docs:version 7.3.x
2022-05-29 15:43:02 +01:00
95e1a4973e Update CHANGELOG for v7.3.0 release 2022-05-29 15:36:50 +01:00
01da2ac352 Update KeyCloak Auth Provider oidc_issuer_url (#1661)
The correct URL for the oidc-issuer-url in KeyCloak v18.0 is: https://<keycloak host>/realms/<your realm>. 
Using the old URL causes oauth2-proxy to crash on startup.

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-29 10:20:42 +01:00
167acf7f09 Add redirect instructions for gitlab on sub-dir (#1616)
* Add redirect instructions for gitlab on sub-dir

* include redirect instructions in unversioned docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-29 10:17:30 +01:00
c6a98369a0 Add description on ipv6 address (#1635)
* add docs on ipv6

* add tests for ipv6 address

* add tests for ipv6 address

* remove Print function for debugging

* Updated changelog
2022-05-23 10:17:29 +01:00
7a27cb04df Implement configurable timeout for upstream connections
Signed-off-by: Jack Henschel <jack.henschel@cern.ch>
2022-05-18 11:41:17 +01:00
b794248176 Add allowed_emails option to the auth endpoint query string (#1595)
* Add allowed_emails option to the auth endpoint query string

* Don't return true from checkAllowedEmailsOrDomains only because domains field was empty

* Fix checkAllowedEmailsOrDomains logic

* Added tests for allowed_emails query parameter

* Updated CHANGELOG

* Remove checkAllowedEmailsOrDomains

Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2022-04-23 18:11:38 -07:00
ce750e9b30 PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
b999c41a5a docs/7.1.x/configuration: Use 32 bytes to generate secret 2022-02-20 14:41:46 +01:00
4ed564901e docs/versioned_docs: Backport fix entropy for bash secret (#1511) 2022-02-20 14:38:11 +01:00
db71dd8c55 docs/configuration: Fix entropy for bash secret
Filtering `/dev/urandom` for alphanumeric characters resulted in loss of
input entropy to base64. Fixing this using a procedure with these steps:

  * Read 32 bytes from `/dev/urandom` (`dd`)
  * Base64-encode (`base64`)
  * Strip newlines (`tr -d`)
  * URL-Escape (`tr`)
  * Append a final newline (`echo`)

This output should be equivalent to output generated using Python and
OpenSSL variants mentioned in the changed document file.

Newlines are stripped as `base64` wraps its output and the option to
disable this (`-w 0`) is not available in all implementations.

Fixes: #1511
2022-02-20 14:38:11 +01:00
3ac51f5e2f Update Docusaurus to 2.0.0-beta.15 2022-02-19 18:40:13 +00:00
54ff3b96a7 Added provider flags to the list of those options superseded by alpha config. 2022-02-19 17:05:54 +00:00
63727103db Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL.
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one.  Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
2022-02-19 16:11:09 +00:00
263a5df820 Merge pull request #1286 from instadeepai/allowed_email_domains-on-auth_request-endpoint
Add allowed_email_domains on auth_request endpoint
2022-02-17 17:10:43 +00:00
d162b018a8 Move provider initialisation into providers package 2022-02-16 10:38:05 +00:00
dc5d2a5cd7 Fix table (#1556)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-02-15 16:39:16 +00:00
25371ea4af improved audience handling to support client credentials access tokens without aud claims (#1204)
* implementation draft

* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options

* refactor configs, added logging and add additional claim verification

* simplify logic by just having one configuration similar to oidc-email-claim

* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers

* refactored verification to reduce complexity

* refactored verification to reduce complexity

* added docs

* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options

* extend unit tests and ensure that audience is set with the value of aud claim configuration

* revert filemodes and update docs

* update docs

* remove unneccesary logging, refactor audience existence check and added additional unit tests

* fix linting issues after rebase on origin/main

* cleanup: use new imports for migrated libraries after rebase on origin/main

* adapt mock in keycloak_oidc_test.go

* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation

* fixed formatting issue

* do not pass the whole options struct to minimize complexity and dependency to the configuration structure

* added changelog entry

* update docs

Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 16:12:22 +00:00
2b4c8a9846 Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
2022-02-14 18:03:20 +01:00
590b7a612e Fix broken link 2022-02-11 10:28:30 +01:00
e03cf87dd8 Add option to specify the tls-min-version for the server 2022-02-09 20:19:01 +01:00
4f5efd4074 Update auth.md (#1518) 2022-01-18 13:54:52 +00:00
92c4ca9c58 Update auth.md (#1519) 2022-01-18 13:54:35 +00:00
0e10fb8967 Remove the information about Microsoft Azure AD in the provider documentation (#1477)
* Remove the information about `Microsoft Azure AD`

* Put `proxy_buffer_size` in a code tag

* Update `CHANGELOG.md`

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-12-23 17:24:31 +00:00
5515918436 Prepare changelog for release v7.2.1 2021-12-18 12:59:55 +00:00
0693856bc3 Explicitly state precedence of config sources in docs (#1439)
I was recently looking into the order in which oauth2-proxy evaluates it configuration options from the various sources.
I think this will also be helpful for other users.
Since oauth2-proxy is using viper, the order of configuration sources is as follows [1]:
> Viper uses the following precedence order. Each item takes precedence over the item below it:
>
>    explicit call to Set
>    flag
>    env
>    config
>    key/value store
>    default

[1] https://github.com/spf13/viper/blob/master/README.md#why-viper

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-11-15 09:24:04 +00:00
1e761bf8fd Keycloak OIDC config improvement 2021-10-25 10:01:35 +01:00
4ee3f13c46 Create versioned docs for release v7.2.x
Created with: yarn run docusaurus docs:version 7.2.x
2021-10-22 18:11:28 +01:00
976dc35805 Update CHANGELOG for v7.2.0 release 2021-10-22 18:11:26 +01:00
ea261ca014 fix arg typo in traefik example (#1410)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-18 19:01:40 +01:00
bdab6feb0c Fix exclude-logging-path documentation 2021-10-18 18:36:56 +01:00
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
6ced2e5ad4 Fix formatting of Keycloak provider documentation 2021-09-27 14:37:19 -04:00
88f32aeaa1 rename Upstreams to UpstreamConfig and its Configs member to Upstreams then 2021-09-17 12:37:57 +00:00
fe9159572c add docs for new Upstream mux config 2021-09-17 12:37:57 +00:00
54d44ccb8f Allow specifying URL as input for custom sign in logo (#1330)
* Allow specifying URL as input for custom logos

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

* Only allow HTTPS URLs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2021-09-05 09:23:22 -07:00
e6223383e5 update keycloak oidc provider and add unit tests 2021-08-02 11:39:50 +02:00
777556c97e Fix typo s/commmon/common/ 2021-07-08 21:29:43 +09:00
6c62b25bf1 Allow request paths to be rewritten before proxying to upstream server 2021-06-23 12:20:46 +01:00
1c151b4b27 Simplify sha256sum checking example
The previous code didn't consider other languages and hid the output of failures. For example

```
$ LANG=es_ES.UTF-8 sha256sum -c sha256sum.txt
oauth2-proxy-v7.1.3.linux-amd64/oauth2-proxy: La suma coincide
```
2021-06-21 10:44:27 -04:00
a14c0c2121 Added ADFS Provider 2021-06-13 10:19:56 +02:00
381ac91752 Provide a link to the Helm chart for oauth2-proxy (#1217)
* Update installation.md

Provide a link to the Helm chart for oauth2-proxy

* also document in latest versioned docs
2021-06-09 15:03:51 +01:00
cfd82daaf0 Some typos (#1222)
* Some typos

* Also corrected the typo's in the src code

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:41:30 +01:00
a0e2f785f3 Add alternative ways to generate cookie secrets to docs 2021-05-23 20:12:08 +01:00
2dd4a9647a Update Changelog for release v7.1.3 2021-04-28 09:41:18 -07:00
f9de0e840c add oidc issuer to Azure auth provider doc (#1135)
* add oidc issuer to Azure auth provider doc

* updated versioned doc
2021-04-27 18:59:02 +01:00
7eeaea0b3f Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
42475c28f7 Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
fbe5743dd4 Update Changelog for release v7.1.2 2021-04-01 19:07:22 +01:00
7ebeecb128 Fix metrics server (#1141)
* fix MetricsSecureAddress cfg tag

* add metrics* flags to docs

* update CHANGELOG
2021-04-01 13:58:13 +01:00