1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-17 00:17:40 +02:00
Commit Graph

992 Commits

Author SHA1 Message Date
dd05e7ff0b Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
4341ab4420 Merge pull request #483 from oauth2-proxy/split-warning
Warn users when session cookies are split
2020-04-12 12:36:37 +01:00
fcd52e042e Warn users when session cookies are split 2020-04-12 12:01:38 +01:00
a659b9558e Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
7f72a22227 feature: switch Azure AD graph API to Microsoft Graph API (#440)
* feature: switch Azure AD graph API to Microsoft Graph API

* Update CHANGELOG

* Expand Breaking Changes notice

* Update CHANGELOG.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* fix: use constant http method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 11:53:30 +01:00
b0b87563dc Add set basic auth param (#413)
* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
7efc162aaa Prevent browser caching during auth flow (#453)
* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exists in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
2020-04-09 15:39:07 +01:00
7c3efe4f42 Update okta doc (#481)
* updated Okta docs and added localhost example

* add changelog entry

* added pull request # to changelog

Co-authored-by: tbox <tbox@redhat.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-08 21:28:00 +01:00
f9f98cb3a7 print full error message when non-api error (#474)
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult

The particular error this surfaces is:

Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Signed-off-by: Josh Bielick <jbielick@gmail.com>
2020-04-06 09:27:24 +01:00
c7bfbdecef Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
bdc686103e Allow html in banner message (#462)
* allow html in banner message

* Fix changelog (move under new version)
2020-04-04 15:01:11 +01:00
3f7837b955 Add logging in case of invalid redirects (#471)
* Add logging in case of invalid redirects

* update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-02 09:51:38 +01:00
eb31850470 clarify the nginx auth_request_set/set problem with proxy_pass (#454)
* clarify the nginx auth_request_set/set problem with proxy_pass

* reworded/extended as result of review
2020-04-01 20:06:33 +01:00
c02d560bf4 Merge pull request #432 from oauth2-proxy/update-deps
Update ruby dependencies for documentation
2020-03-29 17:41:58 +01:00
8641bc4738 Update docs deps 2020-03-29 17:34:17 +01:00
c0fb7e81fc Merge pull request #464 from oauth2-proxy/migration
Migrate to oauth2-proxy/oauth2-proxy
2020-03-29 16:32:39 +01:00
f832eb1446 Update changelog and readme to reflect migration 2020-03-29 16:24:41 +01:00
802754caad Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
4cdedc8f50 Merge pull request #463 from pusher/release-5.1.0
Update Changelog for Release 5.1.0
v5.1.0
2020-03-29 13:41:30 +01:00
9dcd8255bf Update CHANGELOG for v5.1.0 release 2020-03-29 13:19:38 +01:00
8d69d55de4 Update Go and GolangCI-Lint 2020-03-29 13:17:54 +01:00
362cdf7713 Fix http.Cookie SameSite is not copied. (#450)
* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md
2020-03-17 18:48:52 +00:00
3108f765a5 Fix #381, expose acr_values to all providers (#445) 2020-03-17 17:57:33 +00:00
4eef21cf3d Bitbucket Auth Provider docs (#447)
* Bitbucket Auth Provider docs

* Typo fixed
2020-03-16 11:39:12 +00:00
4d7349f9c6 Update CHANGELOG.md (#446)
Fix PR link for #435
2020-03-16 10:14:38 +00:00
81b9a63e51 Support Go 1.14 (#419)
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
400aea3653 Document how to use the sign_out endpoint (#443)
Fixes #441

+ a minor link fix
2020-03-14 10:07:23 +00:00
fad6fff16d Cleaned up source to make golangci-lint pass (#418)
* cleaned up source to make golangci-lint pass

* providers/azure_test.go: use build in POST constant

* options_test.go: do not export unnecessary variables

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 09:58:29 +00:00
b1c81e2abe Support prompt in addition to auth-prompt (#444)
Fix #380
2020-03-14 09:53:43 +00:00
0fc4131c72 configuration.md: clarify CLI -> config options (#442)
Clarify how to rename CLI options to be able to set them in the config file. I have just spent an hour trying to find out why `whitelist_domain="..."` does not work :-)

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-13 20:21:15 +00:00
8d0149ccf8 Fix issue with group validation called on every request (#435)
* Revert group validation on every request

* Fix syntax

* Remove unit tests associated with reverted change

* Update CHANGELOG
2020-03-13 20:10:38 +00:00
e3fb25efe6 Merge pull request #434 from jordancrawfordnz/pass-user-headers-prefer-email
Support the PreferEmailToUser option on PassUserHeaders
2020-03-08 15:31:34 +00:00
4cd43ef397 Support the PreferEmailToUser option on PassUserHeaders
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.

The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.

The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
2020-03-04 11:47:13 +13:00
666d4c3db1 Merge pull request #430 from pusher/stale-action
Add GitHub Action to tidy stale issues
2020-03-02 10:34:51 +00:00
d94cf45ea8 Update .github/workflows/stale.yml
Co-Authored-By: Theo Barber-Bany <theo.barberbany@pusher.com>
2020-03-02 10:09:58 +00:00
8ee8bd8bc2 Update .github/workflows/stale.yml
Co-Authored-By: Theo Barber-Bany <theo.barberbany@pusher.com>
2020-03-02 10:09:52 +00:00
85891a2261 Add GitHub Action to tidy stale issues 2020-03-01 15:59:52 +00:00
d934309b44 Add preferred_username support (OIDC provider) (#420)
* Add support for preferred username.

* Add missing TOC entries.

* Add note about preferred_username support.

* Adjust tests.

* Check on not implemented error for GetPreferredUsername() call.

Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-01 15:02:51 +00:00
ume
0bca3564b5 Fix to work with python 3 (#427)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 18:13:49 +00:00
51f4d88028 Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the  known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
0c7400a924 Bump nokogiri from 1.10.4 to 1.10.8 in /docs (#422)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.4 to 1.10.8.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.4...v1.10.8)

Signed-off-by: dependabot[bot] <support@github.com>
2020-02-28 18:26:40 +00:00
907de4e141 Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter (#405)
* Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter

* CHANGELOG.md - Add a changelog entry for #405
2020-02-28 09:59:27 +00:00
4f553bcfc8 Add nsswitch.conf to Docker image (#400)
* Add nsswitch.conf to Docker image

Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image.

* Add new line

* Updated Changelog

Co-authored-by: Dan Bond <danbond@protonmail.com>
2020-02-23 18:16:18 +00:00
bd79b976da Docs: Fix link to sessions.md (#403) 2020-02-19 13:20:07 +00:00
edd6ad6ae5 Add client-secret-file to main FlagSet (#399) 2020-02-17 14:21:04 +00:00
2033ce81c3 Implement ValidateSessionState for GitHubProvider (#385)
Refactors the setting of the Authorization header into getGitHubHeader.

Refs #382

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 15:11:14 +00:00
7a6204c8fd Fix #384 - link to sessions.md (#391)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 14:41:35 +00:00
f2661c47ba Support for client secret file. (#355)
* added ClientSecretFile in ProviderData

* add documentation notes on client secret file

* added Changelog entry for Client Secret File PR

* fixing configuration.md

* addressing PR issue of ClientSecret property naming

* Update providers/provider_data.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* corrected changelog entry

* fixed typo in GetClientSecret

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 13:44:39 +00:00
3a843f815d GitHub Provider - Fallback to secondary verified email (#372)
* Fallback to secondary verified email

* Add change to changelog
2020-02-15 13:36:28 +00:00
10adb5c516 Support optional id_tokens in refresh responses (#335)
* OIDC Token Refresh works without id_tokens

Addresses https://github.com/pusher/oauth2_proxy/issues/318

Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.

The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).

* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)

* Changes as per the PR comments and preparing for 5.x release

* Fixup changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 18:09:30 +00:00