1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

79 Commits

Author SHA1 Message Date
Koen van Zuijlen
a6e8ec81e8
Workload identity support (#2126)
* WIP: support for workload identity

* WIP: bugfixes to support WI

* Added support for Workload Identity

* Added missing flag

* Refactoring and typo

* Updated CHANGELOG.md

* Updated docs

* Updated changelog

* Improved readability and fixed codeclimate issues

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fixed if statement

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Cleanup

* Removed target principal

* Removed references to target principal

* Added docs

* Fixed header anchor linking

* Update auth.md

* Updated generated code

* Improved code

* Fixed tests

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Jan Larwig <jan@larwig.com>
2023-09-04 10:34:54 +01:00
t-katsumura
d107d885e4
Session-Cookie Support (#1713)
* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-16 12:23:02 +01:00
Muhammad Arham
1e21a56f99
Update go-redis/redis to v9. (#1847)
* Update go-redis/redis to v9.
- And updated redislock, testify, ginko and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md

* Update CHANGELOG.md

* Dropping dot import of the types since they created aliases now

* fixing some error messages to make tests happy

* updating more error messages that were changed to make tests happy

* reverting error messages

Co-authored-by: Muhammad Arham <marham@i2cinc.com>
2022-10-24 16:41:06 +01:00
Andrew Hamade
7fe6384f38
Fix Linting Errors (#1835)
* initial commit: add groups to azure

Signed-off-by: andrewphamade@gmail.com <andrewphamade@gmail.com>

* fix deprecations and linting errors

Signed-off-by: Andrew Hamade <andrewphamade@gmail.com>

* remove groups testing from azure provider

Signed-off-by: Andrew Hamade <andrewphamade@gmail.com>

* fix test error

Signed-off-by: Andrew Hamade <andrewphamade@gmail.com>

* verify-generate

Signed-off-by: Andrew Hamade <andrewphamade@gmail.com>

Signed-off-by: andrewphamade@gmail.com <andrewphamade@gmail.com>
Signed-off-by: Andrew Hamade <andrewphamade@gmail.com>
2022-10-21 11:57:51 +01:00
Segfault16
965fab422d
Add API route config (#1760)
* Add API route config

In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.

* Update changelog

* Refactor

* Remove unnecessary comment

* Reorder checks

* Lint Api -> API

Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
2022-09-11 16:09:32 +01:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Joel Speed
82710a7ac1
Fix other packages that rely on verifiers 2022-02-19 15:37:58 +00:00
Joel Speed
979c3e8cbc
Move internal OIDC package to providers package 2022-02-19 15:37:53 +00:00
Joel Speed
2e15f57b70
Remove provider configuration from validation package 2022-02-16 10:38:06 +00:00
Kevin Schu
25371ea4af
improved audience handling to support client credentials access tokens without aud claims (#1204)
* implementation draft

* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options

* refactor configs, added logging and add additional claim verification

* simplify logic by just having one configuration similar to oidc-email-claim

* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers

* refactored verification to reduce complexity

* refactored verification to reduce complexity

* added docs

* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options

* extend unit tests and ensure that audience is set with the value of aud claim configuration

* revert filemodes and update docs

* update docs

* remove unneccesary logging, refactor audience existence check and added additional unit tests

* fix linting issues after rebase on origin/main

* cleanup: use new imports for migrated libraries after rebase on origin/main

* adapt mock in keycloak_oidc_test.go

* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation

* fixed formatting issue

* do not pass the whole options struct to minimize complexity and dependency to the configuration structure

* added changelog entry

* update docs

Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 16:12:22 +00:00
Nick Meves
c84a5a418f Adjust GitLab options configuration 2021-09-25 16:48:48 -07:00
Fabian Stelzer
88f32aeaa1
rename Upstreams to UpstreamConfig and its Configs member to Upstreams then 2021-09-17 12:37:57 +00:00
Fabian Stelzer
12ab4ef529
Make the Upstreams mux configurable
This commit changes Upstreams from []Upstream to a struct{}
moving the previous []Upstream into .Configs and adjusts all uses of it.
2021-09-17 12:31:18 +00:00
Nick Meves
ab54de38cc Extract roles from Keycloak Access Tokens 2021-07-30 09:46:13 +02:00
Nick Meves
4c0beb373f Add keycloak-oidc provider based on OIDCProvider 2021-07-30 09:46:13 +02:00
JVecsei
8967873659
Updated dependency versions which include CVE fixes (#1276)
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes

* added #1276 to changelog

Co-authored-by: Joshua Vécsei <git@vecsei.me>
2021-07-29 17:45:41 +01:00
Nick Meves
0b4bc36554
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00
Sami Racho
a14c0c2121 Added ADFS Provider 2021-06-13 10:19:56 +02:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
yanasega
42475c28f7
Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Nick Meves
4d9de06b1d
Deprecate GAP-Signature and add a warning on usage (#1103) 2021-03-14 09:47:44 -07:00
Joel Speed
9dbd5f5afd
Ensure redirect URI always has a scheme 2021-03-14 10:16:29 +00:00
Joel Speed
9cea4ea89b
Update golangci-lint version in CI workflow 2021-02-17 20:25:37 +00:00
Joel Speed
b6cca79cb9
Ensure errors in tests are logged to the GinkgoWriter 2021-02-10 19:50:04 +00:00
Nick Meves
3369799853
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-24 14:04:19 -08:00
Nick Meves
d2ffef2c7e
Use global OIDC fields for Gitlab 2020-12-21 16:54:12 -08:00
Nick Meves
eb56f24d6d
Deprecate UserIDClaim in config and docs 2020-12-21 16:52:17 -08:00
Nick Meves
74ac4274c6
Move generic OIDC functionality to be available to all providers 2020-12-21 16:52:04 -08:00
Nick Meves
a1877434b2
Refactor OIDC to EnrichSession 2020-12-21 16:51:52 -08:00
TAGAMI Yukihiro
a5466bb96d
Fix typo and missing InjectResponseHeaders validation (#952) 2020-12-12 10:05:01 -08:00
Mathieu Lecarme
d67d6e3152
Add authorization support for Gitlab projects (#630)
* Add support for gitlab projets

* Add group membership in state

* Use prefixed allowed groups everywhere

* Fix: remove unused function

* Fix: rename func that add data to session

* Simplify projects and groups session funcs

* Add project access level for gitlab projects

* Fix: default access level

* Add per project access level

* Add user email when missing access level

* Fix: harmonize errors

* Update docs and flags description for gitlab project

* Add test with both projects and groups

* Fix: log error message

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix: make doc a markdown link

* Add notes about read_api scope for projects

* Fix: Verifier override in Gitlab Provider

This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct

* Fix: ensure data in session before using it

* Update providers/gitlab.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Rename gitlab project initializer

* Improve return value readbility

* Use splitN

* Handle space delimiters in set project scope

* Reword comment for AddProjects

* Fix: typo

* Rework error handling in addProjectsToSession

* Reduce branching complexity in addProjectsToSession

* Fix: line returns

* Better comment for addProjectsToSession

* Fix: enrich session comment

* Fix: email domains is handled before provider mechanism

* Add archived project unit test

* Fix: emails handling in gitlab provider

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-12-05 10:57:33 -08:00
Joel Speed
5b003a5657
SecretSource.Value should be plain text in memory 2020-12-01 08:56:46 +00:00
Nick Meves
22f60e9b63
Generalize and extend default CreateSessionFromToken 2020-11-28 10:25:12 -08:00
Joel Speed
aed43a54da
Add DefaultUpstreamFlushInterval to replace magic time.Second value 2020-11-19 10:39:21 +00:00
Joel Speed
b6d6f31ac1
Introduce Duration so that marshalling works for duration strings 2020-11-19 10:35:29 +00:00
Nick Meves
b92fd4b0bb
Streamline Google to use default Authorize 2020-11-12 11:18:58 -08:00
Nick Meves
eb58ea2ed9
Move AllowedGroups to DefaultProvider for default Authorize usage 2020-11-12 11:18:15 -08:00
Arcadiy Ivanov
45ae87e4b7
Logs provider name on startup
If invalid provider is specified, stop and error out

fixes #895
2020-11-12 10:39:35 -05:00
Joel Speed
8d1bbf33b1
Add tests for headers validation 2020-11-07 17:17:06 +00:00
Joel Speed
1dac1419b3
Add tests for SecretSource validation 2020-11-07 17:17:02 +00:00
Joel Speed
8059a812cd
Integrate new header injectors with OAuth2 Proxy 2020-11-07 17:16:58 +00:00
Joel Speed
d26c65ba8d
Add validation for Headers struct 2020-11-07 17:16:54 +00:00
Nick Meves
4a54c9421c
Remove EmailDomain verification from GitLab provider
This is handled globally
2020-10-20 10:01:53 -07:00
Nick Meves
b7b7ade7c4
Improve AllowedRoute test table formatting 2020-10-07 10:13:41 -07:00
Nick Meves
fa4ba5e7ea
Convert allowlist validation test to Ginkgo 2020-10-07 10:13:41 -07:00
Nick Meves
183cb124a4
Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 (#801)
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
6db1aeb9c6
Validate Redis session store health on startup 2020-09-24 10:41:43 -07:00
Stefan Sedich
9d59519a96
Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00