Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
bfda078caa
Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Alan Braithwaite
b640a69d63
oauthproxy: fix #284 -skip-provider-button for /sign_in route
2017-06-21 15:05:36 -07:00
Reed Loden
b6bd878f27
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).
There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.
Fixes #352.
2017-04-24 13:03:40 -07:00
idntfy
1e7d2a08a3
#369: Optionally allow skipping authentication for preflight requests
2017-04-07 15:01:47 +03:00
Sjoerd Mulder
90a22b2f39
Use X-Auth-Request-Redirect request header in sign-in page
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302
add --set-xauthrequest flag for use in Nginx auth_request mode
This is an enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
c5fc7baa86
gofmt
2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697
csrf protection; always set state
2017-03-29 09:31:10 -04:00
Jehiah Czebotar
6c690b699b
Merge pull request #339 from omazhary/issue-205
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
Jehiah Czebotar
107b4811b4
Merge pull request #346 from bdwyertech/patch-1
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
Colin Arnott
289a6ccf46
add check for //.* to prevent open redirect during oauth
2017-03-28 21:12:33 -04:00
Guillaume Bienkowski
562cc2e466
[signout] Implement logout endpoint
2017-03-21 17:40:47 +01:00
Brian Dwyer
3379e05fec
Oversize Cookie Alert
Cookies cannot be larger than 4 KB
2017-02-23 18:48:34 -05:00
Omar Elazhary
24f91a0b60
Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
to control whether X-Forwarded-User and X-Forwarded-Email
headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
X-Forwarded-User is needed but HTTP BASIC auth fails
(password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility
[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
Jehiah Czebotar
cdebfd6436
base64 cookie support
2016-06-20 07:45:43 -04:00
Jehiah Czebotar
57f82ed71e
Custom footer text (optional)
Closes #256 and #166
2016-06-18 23:54:32 -04:00
Jehiah Czebotar
168cff9d4b
Merge pull request #161 from rahdjoudj/master
adding option to skip provider button sign_in page
2016-06-18 23:31:39 -04:00
Pranay Kanwar
f957a1e435
Validate state param while redirecting
2016-01-19 13:14:16 +05:30
Mike Bland
e4626c1360
Sign upstream requests with HMAC. Closes #147
2015-11-15 22:09:30 -05:00
Reda Ahdjoudj
35547a40cb
adding option to skip provider button sign_in page
2015-11-11 11:42:35 +11:00
Mike Bland
462f6d03d2
Extract Authenticate for Proxy, AuthenticateOnly
2015-11-09 10:32:16 -05:00
Mike Bland
e61fc9e7a6
Add /auth endpoint to support Nginx's auth_request
Closes #152.
2015-11-09 10:31:41 -05:00
Brandon Philips
6db18804f3
*: rename Oauth to OAuth
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
2015-11-09 00:57:01 +01:00
Brandon Philips
1ff2fce25b
oauthproxy: rename Uri to URI
Be consistent with Go coding style for acronyms.
2015-11-09 00:50:42 +01:00
Brandon Philips
51a2e4e48c
*: rename Url to URL everywhere
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
John Boxall
a653c3eeeb
Pass ProxyPrefix into the error template.
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
2015-10-03 15:59:47 -07:00
Jeppe Toustrup
ffeccfe552
Add support for serving static files from a directory
The path should be provided as a file:// URL with the full operating system path.
An alias under which the directory is made available can be specified by appending
a fragment (i.e. "#/static/") at the end of the URL.
2015-09-24 15:37:45 +02:00
Justin Burnham
3fd8f911c2
google: Support restricting access to a specific group(s)
2015-09-09 02:10:32 -07:00
Justin Burnham
7dd5d299e1
Add support for setting the basic auth password.
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00
mattk42
6cd3e72e09
Check email validity on all requests rather than only on login/refresh
2015-07-14 08:40:59 -06:00
Jehiah Czebotar
d49c3e167f
SessionState refactoring; improve token renewal and cookie refresh
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encryption/decryption and session state serialization
2015-07-02 23:09:11 -04:00
Jehiah Czebotar
8d50b372e4
immediately redeem refresh token for provider==Google
2015-06-23 13:56:14 -04:00
Jehiah Czebotar
e9b5631eed
cookie refresh: validation fixes, interval changes
* refresh now calculated as duration from cookie set
2015-06-23 07:51:00 -04:00
Jehiah Czebotar
d78aa13464
v2.0 & cleanup changes
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
Jehiah Czebotar
f5b2b20f67
support TLS directly
2015-06-07 23:14:48 -04:00
Jehiah Czebotar
f5db2e1ff7
More complete HTTP error logging
2015-06-07 21:03:53 -04:00
Jehiah Czebotar
56d19b1c84
disable email validation; rename email-domain argument
This adds a "*" option to --email-domain to disable email validation, and renames `--google-apps-domain` to `--email-domain` for clarity across providers.
2015-06-06 14:37:54 -04:00
tonymeng
c5ccd43767
Enable specific oauth2proxy path; change cookie name to _oauth2proxy
2015-06-06 14:21:42 -04:00
Jehiah Czebotar
b96a078839
Project Rename -> oauth2_proxy
2015-05-21 02:55:04 -04:00
Jehiah Czebotar
37b38dd2f4
Github provider
2015-05-21 02:21:19 -04:00
Mike Bland
8471f972e1
Move ValidateToken() to Provider
2015-05-21 02:06:23 -04:00
Jehiah Czebotar
9047920e90
Merge pull request #88 from 18F/auto-refresh
Auto refresh auth token
2015-05-11 22:24:50 -04:00
Mike Bland
5b07d9fcef
Provide a robots.txt that denies all crawlers
2015-05-10 15:15:52 -04:00
Mike Bland
37f287bef4
Calculate cookie expiration from encoded timestamp
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
2015-05-10 00:11:26 -04:00
Mike Bland
8ec967ac32
Check cookie_secret size when cookie_refresh set
2015-05-09 17:37:33 -04:00
Mike Bland
84190ab19a
Validate user during cookie refresh
2015-05-09 16:54:27 -04:00
Mike Bland
610341a068
Make ProcessCookie() fail when cookie parse fails
2015-05-09 16:54:27 -04:00
Mike Bland
bd4eae8fec
Store access token when cookie-refresh is set
cookie-refresh now no longer requires pass-access-token in order to work.
2015-05-09 16:54:27 -04:00
Mike Bland
b6e07d51b2
Validate access_token when auto-refreshing cookie
2015-05-09 15:09:31 -04:00
Mike Bland
25372567ac
ValidateToken() to check access_token validity
2015-05-09 13:17:37 -04:00
Mike Bland
72857018ee
Introduce validate-url flag/config
2015-05-08 17:13:35 -04:00
Mike Bland
8e2d83600c
Implement cookie auto-refresh
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
2015-05-08 14:05:09 -04:00
Mike Bland
f554f99abd
Ensure all errors are logged in ProcessCookie()
2015-05-08 14:05:09 -04:00
Mike Bland
beed9fb9a2
Extract MakeCookie()
2015-05-08 14:05:09 -04:00
Mike Bland
1bd90cefe7
Extract ProcessCookie() from ServeHTTP()
2015-05-08 12:41:22 -04:00
Mike Bland
9887ac3be5
Refactor cookie building and parsing
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
2015-04-07 05:53:41 -04:00
Mike Bland
cf79fd9e4c
Refactor pass_access_token+cookie_secret check
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
2015-04-07 05:53:40 -04:00
Mike Bland
5f747bb768
Redirect to / when /oauth2/sign_in accessed
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
2015-04-06 22:10:03 -04:00
Mike Bland
ad3c9a886f
Pass the access token to the upstream client
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
2015-04-03 15:32:01 -04:00
Mike Bland
666e6ad436
Add ProviderName field; use in sign_in template
2015-03-31 12:59:07 -04:00
Mike Bland
d9a945ebc3
Integrate Provider into Options and OauthProxy
2015-03-31 09:34:50 -04:00
Mike Bland
45286af4a4
s/18F/bitly/ in import path
2015-03-30 11:42:37 -04:00
Mike Bland
9d8f932797
Extract api package
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65. The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
2015-03-30 10:23:30 -04:00
Jehiah Czebotar
16f2c981f3
fix upstream request path
2015-03-21 15:29:07 -04:00
Jehiah Czebotar
b9b5e817fc
improve request logging (closer to Apache Common Log)
2015-03-19 22:34:01 -04:00
Jehiah Czebotar
07c74f55c6
improve handling of cookie domains
2015-03-19 16:18:02 -04:00
Jehiah Czebotar
de04e0c519
rename cookie secure flag
2015-03-19 14:08:17 -04:00
Jehiah Czebotar
ebae065b11
make redirect_uri optional
2015-03-19 14:03:05 -04:00
Jehiah Czebotar
71ae70834d
pass raw unencoded request URI upstream
2015-03-19 13:18:49 -04:00
Jehiah Czebotar
2b2324e410
support (optional) custom templates
2015-03-17 18:11:58 -04:00
Jehiah Czebotar
263e16eeea
add --proxy-host-header option
2015-03-17 15:53:01 -04:00
John Boxall
24ef555547
Requests are proxied to the Host specified by the target.
2015-03-17 15:04:27 -04:00
John Boxall
20a152261c
Adds failing test for using upstream Host header.
2015-03-17 15:04:27 -04:00
Jehiah Czebotar
601ae6f4ec
Merge pull request #60 from tomtaylor/gofmt-fixes
Run gofmt over source
2015-01-19 12:48:57 -05:00
Tom Taylor
5201f26ffc
Run gofmt over source.
2015-01-19 16:10:37 +00:00
Tom Taylor
132e3d91d6
Add flag to enable/disable cookie's HttpOnly flag.
2015-01-19 16:00:49 +00:00
vishnu chilamakuru
c4d25d271f
Adding support for multiple whitelisted URLs with regex URL match.
2015-01-12 14:48:41 +05:30
drew
69804e588a
Allow hiding custom login UI even if an htpasswd file is provided.
2014-12-09 14:38:57 -06:00
Jehiah Czebotar
1f515eba3c
options bug fixes; set https cookies on by default
2014-11-09 22:21:46 -05:00
Jehiah Czebotar
a49eadadeb
template updates to display version
2014-11-09 22:01:50 -05:00
Jehiah Czebotar
9060feb436
better environment parsing
2014-11-09 21:12:36 -05:00
Jehiah Czebotar
d4fe9a4f57
Add config file support
2014-11-09 20:33:12 -05:00
Jehiah Czebotar
bc26835076
always set httponly (there is no good reason not to); simplify httponly and expire flags
2014-11-08 14:32:35 -05:00
Igor Dolgiy
6cdf05e7f2
Added cookie settings
2014-11-08 13:35:45 -05:00
Jehiah Czebotar
23a89b06de
Merge pull request #22 from dbrgn/empty_upstream_path
Handle upstreams without a trailing slash
2014-11-08 19:17:44 +01:00
Roger Hu
ec9c11ed28
Pass in the original email address too as X-Forwarded-Email.
2014-11-08 07:33:14 -08:00
Jason Swank
1e29aa1c12
Make /ping endpoint respond with "OK"
2014-10-14 17:05:59 -04:00
Jason Swank
8702ad2e52
Add /ping endpoint
2014-10-14 16:22:38 -04:00
Jehiah Czebotar
98fb800de4
update to new scopes
2014-08-07 20:49:28 +00:00
Danilo Bargen
b3bbc3ca20
Handle upstreams without a trailing slash
2014-07-08 15:06:41 +02:00
Danilo Bargen
cfe186d6cb
Fixed wrong error message
2014-07-08 14:07:07 +02:00
Sean O'Connor
11ce460209
Updated redirect arg handling to only happen when needed.
2013-10-24 17:40:29 +00:00
Sean O'Connor
d2b1815d43
After authentication, redirect to original URI.
2013-10-23 20:29:39 +00:00
Jehiah Czebotar
c97de52200
handle sign in directly (if using htpasswd)
2012-12-26 18:26:03 +00:00
Jehiah Czebotar
4367e47a46
don't promote htpasswd auth; auth directly
2012-12-26 16:55:20 +00:00
Jehiah Czebotar
c459806ab0
promote basic auth to cookie
2012-12-26 10:35:02 -05:00
Jehiah Czebotar
42f539109e
testing
2012-12-17 13:38:33 -05:00
Jehiah Czebotar
42359333b2
cleanup error handling
2012-12-17 13:15:23 -05:00
Jehiah Czebotar
fb636396a3
initial code import
2012-12-10 20:59:23 -05:00