1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00
Commit Graph

810 Commits

Author SHA1 Message Date
Joel Speed
ac10bc04ed
Merge pull request #272 from pusher/fix-links
Fix permalinks for configuration and sessions
2019-10-03 17:19:37 +01:00
Joel Speed
b515b90b34
Fix permalinks for configuration and sessions 2019-10-03 11:10:06 +01:00
Joel Speed
49f1320be6
Merge pull request #269 from YenTheFirst/escape-k8s-auth-signin
Escape original request URI in sample kubernetes ingress configuration
2019-10-02 09:33:54 +01:00
T S
513af9b714 Escape original request URI in sample kubernetes ingress configuration
The current sample configuration for kubernetes ingress demonstrates
using the `auth-signin` annotation to redirect a user to oauth2_proxy's
signin page. It constructs the link to do so by directly concatenating
`$request_uri` as the `rd` parameter, so the sign-in page knows where to
send the user after signin is complete.

However, this does not work correctly if the original request URI
contains multiple query parameters separated by an ampersand, as that
ampersand is interpereted as separating query parameters of the
`/oauth2/start` URI. For example:

If the user requests a URL:
  https://example.com/foo?q1=v1&q2=v2
they may be redirected to the signin url
  https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2
and after completing signin, oauth2_proxy will redirect them to
  https://example.com/foo?q1=v1

nginx-ingress added an $escaped_request_uri variable about a year ago,
to help resolve this kind of issue
(https://github.com/kubernetes/ingress-nginx/pull/2811)
2019-10-01 12:28:00 -07:00
Joel Speed
721d28bd4f
Merge pull request #248 from VidAngel/support-x-auth-request-redirect
More fully support X-Auth-Request-Redirect header
2019-09-30 17:53:26 +01:00
Joel Speed
ac0d010371
Merge branch 'master' into support-x-auth-request-redirect 2019-09-30 17:21:05 +01:00
Joel Speed
44cdcc79c3
Merge pull request #227 from Ofinka/keycloak-provider
Add keycloak provider
2019-09-25 21:39:11 +01:00
Dan Bond
a122ac60e4
Fix CHANGELOG errors 2019-09-25 13:33:58 -07:00
Dan Bond
85a1ed5135
Merge branch 'master' into keycloak-provider 2019-09-25 13:21:46 -07:00
Ian Hunter
8098094fc2 Merge branch 'master' of github.com:pusher/oauth2_proxy into support-x-auth-request-redirect 2019-09-19 11:27:27 -05:00
Ian Hunter
18a77e6618 Reflect #248 PR in CHANGELOG.md 2019-09-19 11:26:18 -05:00
Nelson Menezes
82a3d5afdc Add clarification about plural env vars (#252) 2019-08-27 09:15:33 -07:00
Joel Speed
6683e35008
Merge pull request #250 from pusher/dependabot/bundler/docs/nokogiri-1.10.4
Bump nokogiri from 1.10.1 to 1.10.4 in /docs
2019-08-21 11:09:48 +01:00
dependabot[bot]
b83b7565f3
Bump nokogiri from 1.10.1 to 1.10.4 in /docs
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.1 to 1.10.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.1...v1.10.4)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-21 10:05:52 +00:00
Ian Hunter
a209a52df1 More fully support X-Auth-Request-Redirect header
Docs showed that the X-Auth-Request-Redirect header can specify a redirect URI, but only the rd POST parameter was being honored
This fixes that.
2019-08-17 15:50:44 -05:00
Henry Jenkins
71dfd44149
Merge branch 'master' into keycloak-provider 2019-08-17 08:10:37 +01:00
Joel Speed
d00c14a2a7
Merge pull request #247 from pusher/release-v4.0.0
Update changelog for v4.0.0 release
2019-08-16 15:19:32 +01:00
Joel Speed
44ea6920a7
Update changelog for v4.0.0 release 2019-08-16 15:06:53 +01:00
aledeganopix4d
fa6c4792a1 Add Bitbucket provider. (#201)
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
2019-08-16 14:53:22 +01:00
Joel Speed
a165928458
Merge pull request #226 from continusec/makeheadersettingdeterministic
Made setting of proxied headers deterministic based on configuration alone
2019-08-16 14:41:14 +01:00
Adam Eijdenberg
d5d4878a29 Made setting of proxied headers deterministic based on configuration
alone

Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.

This change ensure that if a given header is sometimes set, it will
always be either set or removed.

It might be worth considerating always deleting these headers if we
didn't add them.
2019-08-16 11:44:43 +10:00
Joel Speed
c4559ea372
Merge pull request #241 from thought-machine/fix-docs-links
Fix links in docs
2019-08-15 12:07:37 +01:00
Henry Jenkins
a65d38d181
Merge branch 'master' into fix-docs-links 2019-08-14 12:04:23 +01:00
Henry Jenkins
57851f6850
Merge pull request #239 from bradym/docFormat
Docs only:  format Command Line Options using a table
2019-08-14 12:03:03 +01:00
Joel Speed
7e3ad6b215
Merge branch 'master' into docFormat 2019-08-14 11:12:54 +01:00
Henry Jenkins
c941f3ce0d
Merge branch 'master' into fix-docs-links 2019-08-13 21:23:45 +01:00
Henry Jenkins
9240538939
Merge pull request #244 from ferhatelmas/typo-fix
Fix some typos
2019-08-13 21:23:18 +01:00
Brady Mitchell
272fb96024 add back nginx-auth-request <a name 2019-08-13 09:12:48 -07:00
Brady Mitchell
bc5fc5a513 remove unnecessary <a> tags 2019-08-13 09:01:38 -07:00
Dan Bond
49e124eb87
Merge branch 'master' into typo-fix 2019-08-13 16:25:23 +01:00
Dan Bond
6453e78db3
Merge branch 'master' into docFormat 2019-08-13 16:22:18 +01:00
Joel Speed
b167744b0a
Merge pull request #145 from rtluckie/feature/add_oidc_userinfo_support
Add OIDC support for UserInfo Endpoint Email Verification
2019-08-13 15:35:51 +01:00
ferhat elmas
fb52bdb90c Fix some typos 2019-08-13 12:42:23 +02:00
Ryan Luckie
c457eeb711
Merge branch 'master' into feature/add_oidc_userinfo_support 2019-08-12 17:32:29 -05:00
Brady Mitchell
9938bb95d9
Merge branch 'master' into docFormat 2019-08-11 17:23:33 -07:00
Brady Mitchell
4b985992d8 add missing header border 2019-08-11 17:21:32 -07:00
Henry Jenkins
8b61559b8d Fix links in docs
- Fixed a bunch of references to the repo, which were 404ing
- Fixed a couple of things that 301/302ed
- Fixed some in page references
2019-08-11 16:07:03 +01:00
Henry Jenkins
e1b70dc9f0
Merge pull request #240 from vitaliytv/patch-1
[docs] Fix link to oauth2_proxy.cfg
2019-08-11 15:20:58 +01:00
Vitalii Tverdokhlib
9e37de53e3
docs: fix path to oauth2_proxy.cfg 2019-08-11 14:55:19 +03:00
Brady Mitchell
18156713e3 indent content in ordered list, fixes 165 2019-08-10 21:46:13 -07:00
Brady Mitchell
14c25c1d8a use a table for command line options 2019-08-10 21:45:18 -07:00
Joel Speed
a91cce7ab9
Merge pull request #238 from thought-machine/fix-typo
Fix typos in changelog
2019-08-07 19:36:03 +01:00
hjenkins
02dfa87f11 Fix typos in changelog 2019-08-07 18:00:37 +01:00
jansinger
7134d22bcc New flag "-ssl-upstream-insecure-skip-validation" (#234)
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.

* Fix tests for modified NewReverseProxy method.

* Added change to the changelog.

* Remove duplicate entries from changelog.
2019-08-07 17:48:53 +01:00
mikesiegel
d85660248c Adding docs for how to configure Okta for the OIDC provider (#235)
* Adding documentation for Okta OIDC provider.

* additional clean up.

* Clearer heading

* Forgot a word.

* updated documentation based on ReillyProcentive review.

* Per steakunderscore review: removed defaults. Removed extra hardening steps (expiration, https only etc) not directly related to setting up Okta w/ OIDC
2019-08-07 11:57:18 +01:00
Henry Jenkins
64672c34eb
Merge pull request #236 from thought-machine/slack
Adds reference to slack channel in readme
2019-08-06 12:47:10 +01:00
Dan Bond
c3eac4f6d4
Merge branch 'master' into slack 2019-08-06 12:23:45 +01:00
Alexander Overvoorde
4de49983fb Rework GitLab provider (#231)
* Initial version of OIDC based GitLab provider

* Add support for email domain check to GitLab provider

* Add gitlab.com as default issuer for GitLab provider

* Update documentation for GitLab provider

* Update unit tests for new GitLab provider implementation

* Update CHANGELOG for GitLab provider

* Rename GitLab test access token as response to linter
2019-08-06 12:20:54 +01:00
hjenkins
5f9a65f6b1 Adds reference to slack channel in readme 2019-08-06 12:16:03 +01:00
Justin Palpant
7d910c0ae8 Check Google group membership with hasMember and get. (#224)
* Check Google group membership with hasMember and get.

This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.

However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.

https://developers.google.com/admin-sdk/directory/v1/reference/members/get

Note that nested members who are not a part of the domain will not be
correctly detected with this change.

* Update CHANGELOG.

* Fix incorrect JSON and stop escaping strings.

* Add comments for each scenario.
2019-08-06 10:38:24 +01:00