1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

157 Commits

Author SHA1 Message Date
9e8c2af86b Update docs for new show-debug-on-error option 2021-02-13 10:48:03 +00:00
e87a51f0e5 Prepare for release v7.0.1 2021-02-10 18:25:39 +00:00
7def4bf360 [DOC] Fix broken link to cookie secret generation (#1024)
* [DOC] Fix broken link

* Update auth.md

* Update auth.md

* Update auth.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-02-10 17:55:42 +00:00
0f859215f0 [DOC] Add header to cookie secret paragraph (#1025)
* [DOC] Add header to cookie secret paragraph

* Update overview.md

* Update overview.md

* Update overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-02-08 12:58:38 +00:00
d1a249262f Create v7.0.x versioned docs
Created within: yarn run docusaurus docs:version 7.0.x
2021-02-01 18:05:47 +00:00
a909d33355 Update CHANGELOG for release v7.0.0 2021-02-01 18:05:44 +00:00
8087de7a03 Add Gitlab version warning/constaint in documentation (#1004) 2021-01-20 19:57:22 +00:00
5c64e236fb Generate reference page in configuration 2021-01-18 09:57:44 +00:00
e50e6ed373 Add Security Policy 2021-01-16 19:47:47 +00:00
1d74a51cd7 Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (#957) 2021-01-01 15:23:11 -08:00
f07a5630f1 Update Keycloak documentation 2020-12-24 14:04:19 -08:00
eb56f24d6d Deprecate UserIDClaim in config and docs 2020-12-21 16:52:17 -08:00
4fda907830 Fix and enhance OIDC example (#934)
* Fix and enhance OIDC example

* Restructure

* Indent

* Add full stop.

* Add link

* Add minimalistic README

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-12-19 15:48:33 +00:00
d67d6e3152 Add authorization support for Gitlab projects (#630)
* Add support for gitlab projets

* Add group membership in state

* Use prefixed allowed groups everywhere

* Fix: remove unused function

* Fix: rename func that add data to session

* Simplify projects and groups session funcs

* Add project access level for gitlab projects

* Fix: default access level

* Add per project access level

* Add user email when missing access level

* Fix: harmonize errors

* Update docs and flags description for gitlab project

* Add test with both projects and groups

* Fix: log error message

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix: make doc a markdown link

* Add notes about read_api scope for projects

* Fix: Verifier override in Gitlab Provider

This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct

* Fix: ensure data in session before using it

* Update providers/gitlab.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Rename gitlab project initializer

* Improve return value readbility

* Use splitN

* Handle space delimiters in set project scope

* Reword comment for AddProjects

* Fix: typo

* Rework error handling in addProjectsToSession

* Reduce branching complexity in addProjectsToSession

* Fix: line returns

* Better comment for addProjectsToSession

* Fix: enrich session comment

* Fix: email domains is handled before provider mechanism

* Add archived project unit test

* Fix: emails handling in gitlab provider

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-12-05 10:57:33 -08:00
c8a70c6243 Add version dropdown to docs header 2020-11-08 19:37:46 +00:00
6c483e5674 Set up docs for version 6.1.x 2020-11-08 19:37:43 +00:00
14fd934b32 Flip --skip-auth-strip-headers to true by default 2020-11-07 11:43:45 -08:00
899c743afc Migrate existing documentation to Docusaurus 2020-11-05 15:36:27 +00:00
8abc4e6d87 Updated Gitlab docs (#859) 2020-10-21 09:36:17 -07:00
8b44ddd547 config: clarify skip-jwt-bearer-tokens needs (#851)
i.e. that the token must have a recognized `aud` field.
2020-10-19 19:14:50 +01:00
420a34f814 Document set_xauthrequest with pass_access_token (#829)
* Document set_xauthrequest with pass_access_token

Document feature implemented in https://github.com/oauth2-proxy/oauth2-proxy/pull/68

The feature is already decribed in in the nginx example but not clearly
on each respective parameters documentation.

* Update docs/configuration/configuration.md

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-10-14 09:17:55 -07:00
183cb124a4 Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
3d203a1a03 Home: Add a brief description of the behavior (#794)
* Home: Add a brief description of the behavior

I could not find this information anywhere and think it is quite important for understanding how to use and configure the proxy for different use cases.

(Especially the Ajax part is not mentioned anywhere else I believe.)

I tried to keep it general enough so that it won't need updating often yet useful enough to have good value :)

* Update docs/0_index.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-05 10:34:42 +01:00
3fa42edb73 Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
4a04ff4529 docs: fix Keycloak provider documentation 2020-09-22 20:13:00 -04:00
9d59519a96 Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
e14d6ab791 Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
2020-09-11 13:32:00 +03:00
0eb0024e87 Doc: cookie-secret is a mandatory field for cookie session 2020-09-04 16:20:41 +02:00
1337f56188 Prepare CHANGELOG for v6.1.1 release 2020-08-31 17:01:52 +01:00
bd5fab478d fix docs: command line options (#744) 2020-08-29 09:26:24 +01:00
43bf36425d Prepare changelog for v6.1.0 release 2020-08-27 15:08:46 +01:00
51a9062044 Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
d69fd6af22 Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
6e31eb28d5 Fix typos and other minor edits 2020-08-04 01:29:00 -05:00
895403cb9b Document what provider have support for --cookie-refresh. (#543)
Co-authored-by: Dirk Weinhardt <dirk.weinhardt@etl.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-15 00:05:13 +01:00
abeb0236d8 Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
bb5977095f Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
dd36138965 docs: Fix required ruby-version (#675)
* fix required ruby-version

Signed-off-by: mkontani <itoama@live.jp>

* add a changelog entry

Signed-off-by: mkontani <itoama@live.jp>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-12 16:09:34 +01:00
64ae31b5a0 Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
416c8b0a5c Make example args a codeblock
Making this a code block aligns with the rest of the examples and makes it easier to read
2020-07-06 12:04:16 +02:00
b0375e85fa Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
25154ede41 Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
1b6c54cae1 Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
43f214ce8b Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00
2c851fcd4f Allow a health/ping request to be identified by User-Agent (#567)
* Add an option to allow health checks based on User-Agent.

* Formatting fix

* Rename field and avoid unnecessary interface.

* Skip the redirect fix so it can be put into a different PR.

* Add CHANGELOG entry

* Adding a couple tests for the PingUserAgent option.
2020-06-12 14:56:31 +01:00
d8d43bb51b Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
d1bab0e22e Bump activesupport from 6.0.2.1 to 6.0.3.1 in /docs
Bumps [activesupport](https://github.com/rails/rails) from 6.0.2.1 to 6.0.3.1.
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v6.0.3.1/activesupport/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v6.0.2.1...v6.0.3.1)

Signed-off-by: dependabot[bot] <support@github.com>
2020-05-27 08:55:47 +00:00
de0c92af06 fix small typo in docs (#570)
Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
2020-05-21 21:24:25 +01:00
111d17efde Implements --real-client-ip-header option. (#503)
* Implements -real-client-ip-header option.

* The -real-client-ip-header determines what HTTP header is used for
  determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
  X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
  polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
  header.

* Corrected order of expected/actual in test cases

* Improved error message in getRemoteIP

* Add tests for getRemoteIP and getClientString

* Add comment explaining splitting of header

* Update documentation on -real-client-ip-header w/o -reverse-proxy

* Add PR number in changelog.

* Fix typo repeated word: "it"

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update extended configuration language

* Simplify the language around dependance on -reverse-proxy

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Added completions

* Reorder real client IP header options

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-12 18:41:25 +01:00
7cf685140b Restrict access using Github collaborators (#497)
* Allow access based on Github repository
2020-05-11 18:02:40 +01:00