1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

1614 Commits

Author SHA1 Message Date
Nick Meves
a53198725e Use upn as EmailClaim throughout ADFSProvider
By only overriding in the EnrichSession, any Refresh calls
would've overriden it with the `email` claim.
2021-12-01 19:06:02 -08:00
Joel Speed
1b335a056d
Merge pull request #1447 from oauth2-proxy/docker-fixes
Fix docker build/push issues found during last release
2021-11-24 17:31:20 +00:00
Joel Speed
ceb015ee22
Update changelog for docker fixes 2021-11-24 17:20:25 +00:00
Joel Speed
8dea8134eb
Drop old makefiles in favour of buildx 2021-11-24 17:20:23 +00:00
Joel Speed
60b6dd850a
Fix docker build and push for all platforms 2021-11-24 17:20:22 +00:00
Jeeva Kandasamy
6e54ac2745
Update LinkedIn provider validate URL (#1444)
* update LinkedIn validate URL

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update changelog

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update failed unit test

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>
2021-11-19 21:36:33 +00:00
Jack Henschel
0693856bc3
Explicitly state precedence of config sources in docs (#1439)
I was recently looking into the order in which oauth2-proxy evaluates it configuration options from the various sources.
I think this will also be helpful for other users.
Since oauth2-proxy is using viper, the order of configuration sources is as follows [1]:
> Viper uses the following precedence order. Each item takes precedence over the item below it:
>
>    explicit call to Set
>    flag
>    env
>    config
>    key/value store
>    default

[1] https://github.com/spf13/viper/blob/master/README.md#why-viper

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-11-15 09:24:04 +00:00
Jeeva Kandasamy
7ed4e3c830
Fix docker container multi arch build issue by passing GOARCH details to make build (#1445)
* pass GOARCH details to make process

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

* update changelog

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>
2021-11-12 21:42:46 +00:00
Stephan Aßmus
2c668a52d4
Let authentication fail when session validation fails (fixes #1396) (#1433)
* Error page for session validation failure

* Fix existing tests

* Add test-case for session validation failure

* Simplify test

* Add changelog entry for PR

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-11-12 18:36:29 +00:00
Joel Speed
9caf8c7040
Merge pull request #1419 from jangaraj/patch-1
Keycloak OIDC config improvement
2021-11-12 18:25:04 +00:00
Jan Garaj
1e761bf8fd
Keycloak OIDC config improvement 2021-10-25 10:01:35 +01:00
Joel Speed
6c379f74db
Merge pull request #1412 from oauth2-proxy/release-7.2.0
Release 7.2.0
2021-10-22 18:19:35 +01:00
Joel Speed
4ee3f13c46
Create versioned docs for release v7.2.x
Created with: yarn run docusaurus docs:version 7.2.x
2021-10-22 18:11:28 +01:00
Joel Speed
976dc35805
Update CHANGELOG for v7.2.0 release 2021-10-22 18:11:26 +01:00
Joel Speed
d82c268696
Merge pull request #1403 from openstandia/fix-redis-tls
Improve TLS handling for Redis to support non-standalone mode with TLS
2021-10-19 13:30:53 +01:00
Hiroyuki Wada
7eb3a4fbd5 Improve TLS handling for Redis to support non-standalone mode with TLS 2021-10-19 20:04:49 +09:00
Maciej Strzelecki
b49e62f9b2
Initalize TLS.Config when connecting to Redis with TLS (#1296)
* init TLS.Config when connecting to Redis with TLS

* don't overwrite TLS config if it exists

* add tests for Redis with TLS

* remove hardcoded certs

* add GenerateCert func

* use GenerateCert util func

* fix issue reported by go fmt

* limit return statements in GenerateCert
2021-10-19 09:17:42 +01:00
Adam Stephens
ea261ca014
fix arg typo in traefik example (#1410)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-18 19:01:40 +01:00
Joel Speed
543a71efad
Merge pull request #1411 from oauth2-proxy/fix-exclude-logging-doc
Fix exclude-logging-path documentation
2021-10-18 18:42:18 +01:00
Joel Speed
bdab6feb0c
Fix exclude-logging-path documentation 2021-10-18 18:36:56 +01:00
Joel Speed
85c02821bf
Merge pull request #1391 from oauth2-proxy/docker-buildx-selection
Improve build times by sharing cache and allowing platform selection
2021-10-18 18:36:19 +01:00
Joel Speed
2ce93b6b31
Improve build times by sharing cache and allowing platform selection 2021-10-18 18:19:40 +01:00
Joel Speed
9d8093f470
Merge pull request #1404 from oauth2-proxy/improve-no-auth-error
Improve error message when no cookie is found
2021-10-18 18:16:40 +01:00
Joel Speed
d8deaa124b
Improve error message when no cookie is found 2021-10-13 19:08:11 +01:00
Joel Speed
6cc7da8993
Merge pull request #1375 from bancek/feature-force-json-errors
Add --force-json-errors flag
2021-10-13 17:09:08 +01:00
Luka Zakrajšek
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
David Emanuel Buchmann
fd5e23e1c5
linkedidn: Update provider to v2 (#1315)
* linkedin: Update provider to v2

* changelog: Add change
2021-10-04 15:58:25 +01:00
Matt Lilley
3957183fd5
Use the httputil.NewSingleHostReverseProxy instead of yhat/wsutil for … (#1348)
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive

* Tidy up dependencies - yhat/wsutil is no longer required

* Update changelog to include reference to 1348

Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-03 15:38:40 +01:00
Joel Speed
a87c27b6bf
Merge pull request #1379 from janrotter/fix-htpasswd-user-group
Store groups from the htpasswd-user-group in the session during the manual sign in process
2021-09-28 11:09:29 +01:00
Joel Speed
b0ab60b0b8
Merge branch 'master' into fix-htpasswd-user-group 2021-09-28 10:18:09 +01:00
Joel Speed
044b022608
Merge pull request #1381 from matt-cote/keycloak-provider-documentation
Fix formatting of Keycloak provider documentation
2021-09-28 10:15:03 +01:00
Matt Cote
6ced2e5ad4
Fix formatting of Keycloak provider documentation 2021-09-27 14:37:19 -04:00
Jan Rotter
826ebc230a Add changelog entry 2021-09-26 23:47:28 +02:00
Jan Rotter
81cfd24962 Store the group membership in the session
This change puts the groups from the htpasswd-user-group in the
session during the manual sign in process. This fixes the issue
with being unable to properly authenticate using the manual
sign in form when certain group membership is required (e.g. when
the --gitlab-group option is used).
2021-09-26 23:07:10 +02:00
Jan Rotter
e25158dda6 Add a test for htpasswd-user-groups in the session
The groups configured in the `htpasswd-user-group` are not
stored in the session, resulting in unauthorized errors when
group membership is required. Please see:
https://gist.github.com/janrotter/b3d806a59292f07fe83bc52c061226e0
for instructions on reproducing the issue.
2021-09-26 23:07:10 +02:00
Nick Meves
f6b2848e9a
Merge pull request #1239 from oauth2-proxy/gitlab-oidc
Make GitLab Provider based on OIDC Provider
2021-09-25 17:11:43 -07:00
Nick Meves
e4a8c98e1b Preserve Nickname around refreshes 2021-09-25 16:49:30 -07:00
Nick Meves
95f9de5979 Preserve projects after RefreshSession
RefreshSession will override session.Groups with the new
`groups` claims. We need to preserve all `project:` prefixed
groups and reattach them post refresh.
2021-09-25 16:49:30 -07:00
Nick Meves
11c2177f18 Use nickname claim as User for GitLab
Previously this was only done in the `EnrichSession` stage
which would've missed Bearer usages & `RefreshSession`
would've overriden the User to the Subject.
2021-09-25 16:49:25 -07:00
Nick Meves
c84a5a418f Adjust GitLab options configuration 2021-09-25 16:48:48 -07:00
Nick Meves
3092941c57 Use OIDC as base of Gitlab provider 2021-09-25 16:48:48 -07:00
Ryan Hartje
05a4e77c4c
Multiarch builds (#1147)
* extract email from id_token for azure provider (#914)

* extract email from id_token for azure provider

this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api

* fixed typo

* refactor GetEmailAddress to EnrichSessionState

* make getting email from idtoken best effort and fall back to previous behavior when it's absent

* refactor to use jwt package to extract claims

* fix lint

* refactor unit tests to use test table
refactor the get email logic from profile api

* addressing feedback

* added oidc verifier to azure provider and extract email from id_token if present

* fix lint and codeclimate

* refactor to use oidc verifier to verify id_token if oidc is configured

* fixed UT

* addressed comments

* minor refactor

* addressed feedback

* extract email from id_token first and fallback to access token

* fallback to access token as well when id_token doesn't have email claim

* address feedbacks

* updated change log!

* switch to docker buildx for multiarch builds

* add setup docker buildx action

* update docker push to push the multiarch image

* make multiarch image have parity with currently produced images by adding linux/armv6

* triaging issue with arm v6

* incorporating feedback

* fixing rebase disaster

* reset Makefile to blessed state

Co-authored-by: Weinong Wang <weinong@outlook.com>
2021-09-21 14:17:59 +01:00
Joel Speed
ee7c405bd8
Merge pull request #997 from FStelzer/issue844
Use the raw url path when proxying upstream requests
2021-09-17 13:45:39 +01:00
Fabian Stelzer
88f32aeaa1
rename Upstreams to UpstreamConfig and its Configs member to Upstreams then 2021-09-17 12:37:57 +00:00
Fabian Stelzer
fe9159572c
add docs for new Upstream mux config 2021-09-17 12:37:57 +00:00
Fabian Stelzer
662fa72e8c
Add ProxyRawPath tests
Refactor proxy_test to set mux/upstream options for each test
individually and add tests for encoded urls with ProxyRawPath set and
unset.
2021-09-17 12:37:56 +00:00
Fabian Stelzer
d51556515e
Introduce ProxyRawPath flag
Setting this flag will configure the upstream proxy to pass encoded urls
as-is.
2021-09-17 12:37:56 +00:00
Fabian Stelzer
733b3fe642
Determine line count for yaml load test dynamically
Adding a new option to the yaml alpha config will result in failed tests
unless you manually increment the line count. This commit computes this
dynamically.
2021-09-17 12:31:18 +00:00
Fabian Stelzer
12ab4ef529
Make the Upstreams mux configurable
This commit changes Upstreams from []Upstream to a struct{}
moving the previous []Upstream into .Configs and adjusts all uses of it.
2021-09-17 12:31:18 +00:00
Fabian Stelzer
ae72beb24e
Enable UseEncodedPath() for frontend mux
This allows urls with encoded characters (e.g.: /%2F/) to pass to the
upstream mux instead of triggering a HTTP 301 from the frontend.
Otherwise a /%2F/test/ will result in a HTTP 301 -> /test/
2021-09-17 12:31:18 +00:00