remove color output in tests for better readability in github actions
bugfix: remove google as default provider for alpha options
fix conversion flow for toml to yaml
revert ginkgo color deactivation
revert claim- and secret source back to pointers
regenerate alpha config
Signed-off-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.13.x
* update to release version v7.13.0
* doc: add release notes v7.13.0
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add check for constraints to the proxy endpoint
* Add tests for allowed_groups query string
* Add this feature to the changelog
* Apply suggestions from code review
Co-authored-by: Jan Larwig <jan@larwig.com>
* Use explicit key names in TestProxyAllowedGroups
* Document the query parameters on proxy endpoint
* Comment was copied from the AuthOnly handler but on closer inspection is not relevant here
replacing comment with one more relevant
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs: clarify ingress-nginx integration and remove Lua block example for oauth2-proxy
This PR revises the integration guide for oauth2-proxy with ingress-nginx in Kubernetes:
Recommends the minimal configuration: just auth-url and auth-signin annotations.
Removes the Lua block example, as it did not work in practice despite following nginx documentation and extensive testing.
Clearly states that the official ingress-nginx external auth example is the recommended approach for most users.
Notes that advanced Lua/cookie handling is only needed for rare, advanced scenarios.
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: update 3 latest docs versions
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: SourceHut documentation
- Add it to sidebar and provider index
- Fix broken link
This fixes an oversight in #2359, where I had not fully understood how
the documentation works.
Signed-off-by: Conrad Hoffmann <ch@bitfehler.net>
* fix: doc build instructions in docs/README.md
---------
Signed-off-by: Conrad Hoffmann <ch@bitfehler.net>
* bugfix: Gitaa team membership
Gitea doesn't properly fill in all the fields like GitHub,
so implement a series of fallbacks.
Signed-off-by: magic_rb <magic_rb@redalder.org>
* add changelog, documentation and fix groups list
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: magic_rb <magic_rb@redalder.org>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add sensible logging flag to default setup for logger
* Fix default value flag for sensitive logging
* Remove sensitive logging changes
* Add Cidaas provider
* Update CHANGELOG.md
* Add required groups scope to defaults
* Fix tests
* Remove if block with protected resource
* Fix linting
* Adjust provider sorting, fixes
* Directly handle error return
Co-authored-by: Jan Larwig <jan@larwig.com>
* Use less deep nesting
Co-authored-by: Jan Larwig <jan@larwig.com>
* Directly handle returned error
Co-authored-by: Jan Larwig <jan@larwig.com>
* Pass provider options to Cidaas provider
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add import for provider options
* Fix tests
* Fix linting
* Add Cidaas doc page
* Add Cidaas provider doc page to overview
* Fix link in docs
* Fix link in docs
* Add link to Cidaas
* fix provider order in docs and changelog position
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Teko012 <112829523+Teko012@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Kevin Kreitner <kevinkreitner@gmail.com>
* add new docs version 7.11.x
* update to release version v7.11.0
* add changelog entry for v7.11.0
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: Allow use more possible google admin-sdk api scopes.
* reduce cognitive complexity
Signed-off-by: Bob Du <i@bobdu.cc>
* remove unnecessary else block / indentation
Signed-off-by: Jan Larwig <jan@larwig.com>
* add changelog entry
Signed-off-by: Jan Larwig <jan@larwig.com>
* slight formatting and error message rephrasing
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bob Du <i@bobdu.cc>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Change Dex port in local-environment from 4190 to 5556
Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking.
Port 5556 is used by Dex in its example config files: 745e1114f3/examples/config-dev.yaml (L50)
* Fix upstream in local-environment/oauth2-proxy.cfg
http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network.
Causes Bad Gateway before.
* Do not expose unauthenticated httpbin service in local-environment
This defeats the point of having oauth2-proxy.
It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091.
It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place.
* Remove unnecessary httpbin.localtest.me alias from local-environment
* Allow setting maximum number of csrf cookies, deleting the oldest if necessary
* Add a test for multiple CSRF cookies to remove the old cookie
* Add docs/changelog
* If limit is <=0 do not clear
Signed-off-by: test <bert@transtrend.com>
* Better docs
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct check of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct use of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* sort based on clock compare vs time compare
Co-authored-by: Jan Larwig <jan@larwig.com>
* clock.Clock does not implement Compare, fix csrf cookie extraction after rename
Signed-off-by: Bert Helderman <bert@transtrend.com>
* Linter fix
* add method signature documentation and slight formatting
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix: test case for csrf cookie limit and flag
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bert Helderman <bert@transtrend.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: test <bert@transtrend.com>
Co-authored-by: bh-tt <71650427+bh-tt@users.noreply.github.com>
* fix for github teams
* Update github.go
* added errorhandling
* Update github.md
* refactored GitHub provider
refactored hasOrg, hasOrgAndTeams and hasTeam into hasAccess to stay within function limit
* reverted Refactoring
* refactored github.go
- joined hasOrgAndTeamAccess into checkRestrictions
* refactored github.go
- reduced number of returns of function checkRestrictions to 4
* updated GitHub provider to accept legacy team ids
* GoFmt and golangci-lint
Formatted with GoFmt and followed recommendations of GoLint
* added Tests
added Tests for checkRestrictions.
* refactored in maintainer feedback
* Removed code, documentation and tests for legacy ids
* add changelog and update docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs: clear up multiple-providers is unimplemented
Currently this configuration option is held up by #926. So users don't
assume this solution will work for them, and later find the feature is
not yet implemented -- own the shortcoming clearly.
* doc: add note about missing multi provider implementation to versioned docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.9.x
* update to release version v7.9.0
* doc: add changelog summary
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Update Go version in devcontainer
* Add option to change response mode in authorization request
* Fix option name
* Update docs and changelog
* Rename config value to underscore
* Add unit tests for added parameter
* Move change to upcoming release
* Generate alpha config
---------
Co-authored-by: Michael Cornel <michael@stieler.it>
* Update gitlab.md with correct url for creating an application
* docs: fix gitlab docs url for oauth2 integration
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
* update to release version v7.8.2
* docs: release letter
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Microsoft Entra ID Provider
* fix typo in function name
* documentation tweaks
* documentation and comment tweak
* docs tweaks
* final tweaks
* refactor: drop flag for skipping graph groups
* update legacy / deprecated provider page and sort provider overview
* reformat
* move entra-id provider into switch (treat like every other provider
* fix test case and reformat
* fix sidebar configuration
* apply review suggestions
* add pagination for graph api
* fix: do not error when groups unable to retrieve
* doc: number of groups fix
* restore master packages
* docs: tiny docs tweak
* address review comments
* fix codegen
---------
Co-authored-by: tuunit <jan@larwig.com>
The original example only protected the root (`/`) path, leaving other routes unsecured.
* docs: add syntax highlighting for nginx config
* docs: fix headings in `configuration/integration` page
* docs: fix redirect in caddy configuraion example
* new readme structure
* add adopters file
* add microsoft sponsorship
* add reference to adopter file
* add gopher slack invite link
* slightly rephrase nightly image section
* add sponsor request for action
* better formatting for contributor wall
* add longer wait time for stale PRs and issues and allow for exemption through bug and high-priority labels
* apply review suggestion
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
When using sockets to pass data between e.g. nginx and oauth2-proxy it's
simpler to use sockets. Systemd can even facilitate this and pass the
actual socket directly.
This also means that only the socket runs with the same group as nginx
while the service runs with DynamicUser.
Does not support TLS yet.
nginx
```
server {
location /oauth2/ {
proxy_pass http://unix:/run/oauth2-proxy/oauth2.sock;
}
```
oauth2-proxy.socket
```
[Socket]
ListenStream=%t/oauth2.sock
SocketGroup=www-data
SocketMode=0660
```
Start oauth2-proxy with the parameter `--http-address=fd:3`.
Signed-off-by: Josef Johansson <josef@oderland.se>
